diff --git a/docs/attack-techniques/AWS/aws.credential-access.ec2-get-password-data.md b/docs/attack-techniques/AWS/aws.credential-access.ec2-get-password-data.md
index 92494b54e..5c6b502d6 100755
--- a/docs/attack-techniques/AWS/aws.credential-access.ec2-get-password-data.md
+++ b/docs/attack-techniques/AWS/aws.credential-access.ec2-get-password-data.md
@@ -41,3 +41,1603 @@ stratus detonate aws.credential-access.ec2-get-password-data Identify principals making a large number of ec2:GetPasswordData calls, using CloudTrail's GetPasswordData event + +## Detonation logs new! + +The following CloudTrail events are generated when this technique is detonated[^1]: + + +- `ec2:GetPasswordData` + +- `sts:AssumeRole` + + +??? "View raw detonation logs" + + ```json hl_lines="8 55 102 149 196 243 290 337 384 431 478 525 572 619 666 713 760 807 854 901 948 995 1042 1089 1136 1183 1230 1277 1324 1371 1416 1468 1522 1555" + + [ + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::751353041310:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:751353041310:instance/* because no identity-based policy allows the ec2:GetPasswordData action. 
Encoded authorization failure message: fqhg8CzmasrUP43_LGsSmLVAAoKKY1CzQD3yqWpWiuZGOcVf2lhbhrrgsH8zy44fLcyyL6AsNcXA2GMJ3dl_2A8-mR5qE3oPDbM8k51n_qGm4fs4CdzuYK01dKPn4abyT2RXgAphwvURW0X-7R1OFTrWQnRH_W-pWiKQMJ756fS410A5yi504958O5VwFgOoxzBqwSFmvPt5WRVqBpuxTA_CXq5ogP2bjZzdHV8g_FnbHOARLP282lJjyBlNgP09SyB40bDDBxwDhYm_57waaVMA1Ww-_SlUt02HzVBZp7t7ta8udTCpZsoNuZyhUPmgli8z1pwkKVbsVe1cEhokOPPDm3p5ymcSZ4o5mwtEk18p46uE1SHVZSUv23Pjv68qZe0Sj_-rLKzqTi4Mhje-h5a7zRf8i3P-LGTGJHUxH4y5C2e659kdVhTaUJv8maLCMDiL7cUX2Px3xCyiWvtAnA_NIpmXEboFADuVzUsVVl-sTdCTT1rZn_-ts_xbdrqSmzvGKsDiTB1vJF3UwFjRuSRVSPD0g_U_rkZfqy0j-JEUU3DEIsh4SIWsrgDNuPzv0KQ", + "eventCategory": "Management", + "eventID": "450230d4-b39e-4a18-a6a0-d07a6e2105cb", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:21Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "b20c2df5-71d5-441e-84c8-b424f1c78ffb", + "requestParameters": { + "instanceId": "i-i2jnm5swa59p4fxg" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": "ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + 
"userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. Encoded authorization failure message: vI3cDVgKJvmlMzN8rT24DeQOh9di8wn6vWRhl7MKZYEHwshGC7bY0RXqvxRIFTQNaddFRU7snsmuRbDWCJhQ5b_E7tu5T614NYSVWVA-voW06n-BOfulZtczb3PyUhqbGpg9vjiiY-OrpAWZ6F025pam2NYdRGvNYxLxrRIJcc-Pgy6AOKrgqoBuIYS9KWg1xhnVaU_MwL79F31AiLn_2xPKnBmuxw0Gbf66kSPQi4HBkBT7hpsCLz9iyrVLOOGUV8yKQM95ZzvoGL0hxfMCiLL1PxQAkAECTuhYIMseN7dDrkwqyy5CUjQmKCmKxJvwskEp5WZogiQjtkk44pe-ODMesOjJx5jGfWhpbpXS505jUD5noJpQtzF3HTuCecAdsUezzqJMy7xfgKfZwM_0S5vxuP71ZdLGUIyI8dXT8yyGvVdennbqgGnmSlgR5236yhxAsYtX7mRP5-pNjVGsPvz0YOA0MYzyQHTAmHFqsMK3efkeySF4DqsrvFp8E-_4zQuOy8xcsl2Lt0EXibfAqUOwRxh1n0TZ5hJ3_KgirWcFGhfAEDlgK_btXALP9uWvgAA", + "eventCategory": "Management", + "eventID": "560bcc37-36b9-43f4-8447-2bab2d7cd7cf", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:21Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "b25e0f2a-0a98-4b8f-8893-fce249e28a83", + "requestParameters": { + "instanceId": "i-aq9pmsueolxr81r5" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": 
"ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + "userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. 
Encoded authorization failure message: MvyJ8E7JRlJ8qrNOLCxvOgNHlEoVtWB6q7tZDACABTX_jUO8rHfwdhptvxZXjjrECMntJyC781EvTNGomFMVEsi7X7m3WYsdVSCTV3_b6vvnO73HHYOPDJA67Uu860JC_nvDqubgE8tVYaEQfIv2tkoLOa_giq3CnHTnT8OTem2osy1fvZ9ZoqtOm8L_yt0o_Xa4gm1q4uhq_9OjanBPHK1Vi1EKlOSAu6MMD6_QHoby_vZMs8zBqXHZMMZKh7ENCR-RVW-nutH3WyZ9kUyKK9ZoLCD4RKh7OR9xuvs6b5p-SvvIhC9W4SYFhSUcbqXr32IDoY0T6IaaYY_I-ZBxJJv8sDWP4FFx-Zgnj6jkJwbpJL3zrDF5t1uYx_-d7dl7fXztnlaSFchdmdBtu2gWlakT8vwWFKIAWFlP9EzDVsooEN8jBT9CT7XasorGDrjMkoXUL74wSQ8bsbZuXazBBT3xK2cfXoCZQ_YYW1ITOif_RAHKzn78evQrg917qNktjM09reyr9xYP34rMbKlabtbZwx0KKP8xtSU_teXhTMRQ5UydA9NQMCCGvrjd2-TWdaM", + "eventCategory": "Management", + "eventID": "76a3f52e-5c4c-4a62-818d-a2bc8bddc2e6", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:21Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "f48594da-0a0d-4e9c-a641-0f9dd4fec8fc", + "requestParameters": { + "instanceId": "i-x7jwh6qy39glvq1r" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": "ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + 
"userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. Encoded authorization failure message: ex0NeuPRe8xwBXWSB-bMPAP_IMRYGNBpDD0SaeD3RV2Y-0w39P_2oAFjmi-r8BNT69RYOJ-hza1FZen-cwGssTUW5prEYz1Nf1c1nmupsXlbIS9oGexXcLlk0eftjhtp1oW5mxnhE0QYe_1VvGLde6mv5FsTKvO8_kcW0HuKi47kTgBB1RlLnjXrBQ9D6bUqmpyJzPv-9R651JtTJ0dggDS7lEN0vagJI1y7MdhgUnr63ZFDwwNN9tHzZS_jzC232IH5Nh-4AFSvPYYcHP75ahrQBARAriMWycPyvQZypwEwR5IeM9pDwnVPbhQZnk07KV67c-B5Y_VIv0rmaSpCsf0HEwW5kCP1QV6CZIpnCTku1Ghwt-nCouj_Yv62oJg3j8xTBMgivye_UC_mv2zDF9vCcsWQ7F2-uit-rbKyzIKC72UBP5DAchNYeHhBShD9heqssLqgNrpO_1nTzA_bUdxWiVCI20QRazEobNiVm9vbdDB_LD9mLpvfQsT8k8qWT1_E7yaR9_1ZVcW13BZ2zDD66YBIIiKD3bVixCibVF1VuktZcM0DMHYquWHyJyqN_o5L", + "eventCategory": "Management", + "eventID": "0c7f6148-c337-4e49-8df5-cb333c6fb7d6", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:20Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "4fa792f1-a997-4739-a79c-215983a2cce7", + "requestParameters": { + "instanceId": "i-vgu76uxucxlpp04e" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": 
"ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + "userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. 
Encoded authorization failure message: sy7SXIS8cR0ggyin7T9E00rq0UiBYf3eugsTZ-Ogk79Vr7gPWzUxv5S1-6UGbgDluSzgK5qh5bj2VmJiWaAwIlMfWlkTKGSQkcf5gz5wOK7xVi-QjG_ZZMg6JlpeQlf42ElPwTHSlsjHU7OIRcFmIpSy15svaRMouoxwxKfdDF7FtruzOBMlbwFSS9EjcO9BS_SHVSsJte6TxSYwyrR4tNVke6T_P4rBeL7ztd7h_W5CInqYvgQV8ivmmB3ZCKHmui3eS5NaWAlVPYiPUIv5h2VUjqzEt3HsSHpjdQQuXOoSy3lQuqGNgSBwMuemwkT1hcpmSyUWkdKbIuVMHGKvPx5fh5SBkcIUEn4Zijtlo6qWX9q_A739rbuQs9Tek1i1N5xO5f0ab_sepQdNEQZexx8lT8H8lOwjPZNrcUuppHp2o3sbVJgMn-75snd68YVWP3u0-QuNiQ-TyBYuu-RCVOct_7dOhDEwIixzMKgX-xbSm0AMICAT5saVXRwwrL1PB63t2nq52lWHstgzS5hapqr8GBhT6VHgjiPgadckQde1p8cN476Y_3nt4vbjTlixyHQ", + "eventCategory": "Management", + "eventID": "4bf1ca5d-42ba-4e95-a493-9cdeefb58b87", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:20Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "8efcec3b-8c76-4b8b-acc4-884b7040aa69", + "requestParameters": { + "instanceId": "i-ozzfav7qglzosg49" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": "ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + 
"userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. Encoded authorization failure message: w4BeNvjyqgZy54yIPW-Fi1znuurlnMJBtXRoh5NdfY7bT8fFvjHYaLQ6EUXTTjnEMB4Gv5bwqpgFzM5lzvWFweErUq6l2N5nvU_e2hVJgAhQyDII36qsr2Jj_XeFX6UoQb3pimMn6T4q4oDxP7FtsIt8uIrAVxc5ECs_3JbDgshdjVHf0yz0VgZprSF-2bbppKqgD_B1BkIEe587cUlDyrH6XszhIww2-k6Jj82FrDBowlBEJwREI9VnJdFWFO5y1NInklHF_bBFkyat2Nr5aXpwDUMEPY6dY5Ggv2I2ggujHKbtkXRF4AbxCN1SfyX3jLS98ewC3mZaVymcADN1KRghMytqsxMfjAeOOi0OzUrLZl5YcWCN9cH1Sca2KU5ZISpwGQSETyCD--KM5_J8mHQS_ijmTXUXxCpdjgUZRo3dn4Krll1H18IlRMtovF5KqR4HpPL4bVX1l6LL8e2gs3x_NtQys8aWA1aybnT6dWP12eb7P_j6YKziDMfp6zx1smQjHlPwxRg3I7w84EcpCXdNIpqVSxOo-PrmpH5u_0rfkHXEzjfYX5vbJ-dt8BeDOfA", + "eventCategory": "Management", + "eventID": "7466f497-7987-44d9-aeb1-5034d02c9f87", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:20Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "9da09dec-5398-47cf-a763-ebab997f543f", + "requestParameters": { + "instanceId": "i-t3wz01wvchd1i3ji" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": 
"ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + "userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. 
Encoded authorization failure message: D8EVYsR5r16Iqx5IHuCEN7fghFzk7W_8XbwrZzPIH0vwpygIn9k9LSeOsmINlF6dZU9r9rWXxbpxmmnwr39FJS7UAyqkNvN-nMQc-ySOHrTZobFllAx1vwRNnYVUwu_AMKV6ov2s-969CBXV4OImXntzJmBLx_lsvb27jey_rQLzS-1H8hpXoQl2lKsBr4NZNk7xUEpPs_5a6V-ZkPBA_UoTXn6xIBmjC5y_gNwvWeP-OpTa6hmG-XKsPGrr5zP-b07P0gkc6k9ykR7e2MTQ40zqwfSwmXAkLjL8mR5HeGoP9DSkgcfYhlb4sK7-97tSBlMcZhYd9KEMRkQqK_N1BHS6lMGO0eikQKAyjVaQvld_05HXsIE5R0813DC8PhFZK1GxFMh96h_nY8c3Bl_IXs1DraSgo2EPF5sx7HnY6alpk_3_1frHmTIaVSuHdDKPkQ2_5pkkdCV_nQgjU9tKhFYIfL1fETZL21uNtlKLSE1UBQlbw6b5LSpy5tROI5Kfq-0Da6ynh_Aqvmbdxi-oCVaf2T1SW_G6DFjUWU0xDXSa2PbKTwIxFUJlVebyoF2zE1M", + "eventCategory": "Management", + "eventID": "8d006dac-fa19-4599-a336-d3a230b535f6", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:20Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "1cfed956-fcee-4f9c-bb7d-b1d512e97044", + "requestParameters": { + "instanceId": "i-ny0ek1fbv2k4irgb" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": "ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + 
"userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. Encoded authorization failure message: TVZFjm-mt3TE7psRWv4wzimRYmROaE6RK6a-blk1M1QXc5J1ZqaOWP4_UilTumdJ8Uni_NqKwfRUhKpwB4zcMHYAZmYsDx9D0jaMwKBsbWQPmSLn7nh3MVpsN-pmsT4cp2LC3lUc_ql7wqWDeipnbHH2UCZxBhlun8Otv4vpF5YrkraD-M9_AROMNwYMfMbe4mfamHx7kk1Qa2rjEqGuyALHTp726hJAMv00n3Wng4K1eUJLgGITGVh592lKycF8NUD5Sty5-ELzaql25MKFIcYypw91I3rI1_uhf7KGbtGPl5mXu_ukfa7gAUZjaFmJT0AfpCjVgjsji5oM0QWqqqJvbBdTwz48kAc86JSKl-A2w--D0xaEhqRe23mGGvdPemXB4PHggmhaueeVEPL5bV74aDc9fHQhGG2NiCOa3QZPR3QPg69ddwFVyThf3tjLIoZ_e4T7OWlGBZjU8BkQ5rPdwPbrvwpsNJjcUzP7OLaxnviUFUhRSBwhZqiI035mI1kqtE0vxzbXNwS9j5RIfjv92BrvSFwNMZb8agK1Q3siL3wadOqNGYOkgyLkVk40kRdy", + "eventCategory": "Management", + "eventID": "b1f34826-4e8b-4527-b17a-ef9cb24ac379", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:20Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "195c9d73-fd82-4ec4-a72c-2ead0602b322", + "requestParameters": { + "instanceId": "i-p9e9ocan02xrzude" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": 
"ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + "userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. 
Encoded authorization failure message: 4DDnYxe39i3VZP2qCvPfBcHUBBBMcdYYSyzhljgHjyGL6996txALAExpdhvWyVLfDOat8FRPllNzoixRpTCZWRlo35Dg_FnqfL1IF29WP49Wy1973IXWcqE4uXpt_F3IF8GsCnoKQns0KAyo9fLObSFnt67AwSxAgzsi6McdREq8cIg0mdIjCK2nhBc6v1VKCHuLau_QUzLh5qI5BgRDHK6FSggymuCyI3uUsNnwRfR6VT4RCN5EoT5-_aedTBlLwe81MCo3azLKWwsv6JtQpL5jfxoy-4Txygq7KNPMLxX7_HHkLPYhWy5x4CKZK-ZXqu9biSwcUJrkNIpCqUmgLV1rDtKoaePONy5Xo-TunhCkN8s796aU3ij815Hsv0OVXk62NWdg_pcnnIfon-YWM5empS0xLUqyBeHEawYAKPO3grDGlMxVfovIV-uFpmR9KdOsW3D5HAkq4FNi_2DGF6IYSY-VRxYxv40P9TBovXH7BTAniJNA1A6ilwzseqiBdtKmHc_2EoOkBTrQtIufDmd9PyE0aP2vCfVOz0pemh2ZPshJjf_8l5tHYwGBlJgpumo", + "eventCategory": "Management", + "eventID": "eec493d8-1181-4ed7-9d29-1de1e87ee98b", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:20Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "c029fc7d-b85b-42ff-8351-31aaf6c1225e", + "requestParameters": { + "instanceId": "i-yjhbbydwe3p29swd" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": "ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + 
"userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. Encoded authorization failure message: JJqi-rC3zfBkVioszXW11DKpcL755AUVY2OJmrbbbxxXyAa3BGd_pEfBQfxB7eAHuDH7CPVmOf4EG1MkQKk06tnOefWSBDhlNi3BYpuA8-6jWQsKOhwShJKF6ZNVSQ6ivlccg3o7A5IShFiKJVQYGTQZ1Rc-PA8hPANFEsT5Gl2Ag1jPol68k8oO_8E4_cHKqQjvZTZJEoMF2tZwAXfrjU-EX2IY-Y9l-ONimiyuPnxchC8HSYViBz4POEKN0gZhid89D3IWLo2k70BQDl6j2L2zIr6yMVsj2v-Wc8saEaiExv7QK4NkT1l2MEEDKANkwVWarRlYlI3ku7f1H8yTqMXf9WPcZ7DfcPXoR9ich6AFDVD8J39S6kgSc9P6cq_V2yssXqcSJxwQqBkbUrPRDMlpj0VgA9qU-Sx81uWiQQTJeK4X9wYHi2RfV6AkHCeIOi5viQVR4xNGVird74cvtcBu1SzMccOkyD0HCBZ9CcnyQ7BohNuzNC17wm0AekIdxH0pZAM3Rb2OAdzXK9zE37qc-Z2F8tGPGsCNJVwP2LSQetbu6tfhJBcQpfFi3WD9Wq8", + "eventCategory": "Management", + "eventID": "45b5d41d-4732-49d2-aa3b-8b87a1c4d8e1", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:19Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "efb7d185-ec2d-431e-b845-52b0ec9f4bc4", + "requestParameters": { + "instanceId": "i-xjos2kzunblws25p" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": 
"ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + "userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. 
Encoded authorization failure message: Fy68QK4IDJ5WWq9w6ufOr8E_KHl6yFBFh7qzkE1p4XKkMGsrvTtGPoFbKsz07ZU4sEXIqlr1_TYeFkwdclvyYKs4beqAEnihMn5cbQHdDT6peeTZvDoRvdlJ4K4MAJFsNujyWcC5DMyiCOBwWnn-I2iFxQuRcu6GovxT-uaFg4Sf25imlhuFrUxZzBxBP17gEwNx-64eP-_67QBBcrkJfxs54PTZSqkbAFB-jbJ0UqRE2wCYuVHRvWKlOX6amkuxdKOcGlHx3XJku8BccJZNBkGNBTIvkc3lMysOCeB5HfJDwfIUIuLwCk1hB3tm8NiWmtNnY6NcSGDZi1htncI4dzNGZHfPEHhJBXBzUCJcCfpeKPUNB4MATcztCL_jwfqP24GTqjNsbPsusrVOoBjYoCglljWwr8k2ltTj-bDR-tbLjRm-wkTF_25Gg8v_FvHEvE9inR43IEPtRdw6ULlwVIE-qLaYXhqPJmPrBQyhVCQLsUcIsMlqd6v9NVjIJxXRvmR5KcLJctOTykYZXOwF7Vl4fGNJT9eR11nzkVTxfTZaPwv--34eB6rZoJqJEG4IbyDJ", + "eventCategory": "Management", + "eventID": "c07943fa-79ed-4f9a-9bde-b0eefcece09a", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:19Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "8408971c-2a61-40da-8455-3b5cb32e3b6d", + "requestParameters": { + "instanceId": "i-gjzajayb7tgntj7f" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": "ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + 
"userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. Encoded authorization failure message: HU9P8R2PArR2Z01od-GTeTwJ9fw_N8JCXcNkhA6psJfqSID4sa98rv3UapLRUBuHqmpY_xlLKyLSAx53FDmHmFpcVxr8_7U9ZF0cpa4BNP4o90TZx1aI0rRYJU_zZ0NapeIHGfdZwFFnCV00oJk962hfwW-ufpsJ6ZNBczV-5UD_8yyMUlPA4R5K7v9Wz21OZxLZwrKEgdj5XXdHpbpojqpCl_dgEyhGa8Jddoz8dj1cZcuAmv8BNizrUE3ro7A6wU2NSxVT0o8J105EVaWz6IXuucVfDHhK4uApI7OSTMmJkT6D5K1Vxnbgk57-Qk7HOPOBbIXQhqt7Rc4-d37Bour4o71o72KFl2KYKNdQP2qWtK9uAHk8zaxW2vhjwtG4P9mLH_UEkjmZgVlqTxbyCrY7ErAxJ0Qv37oYOQ0sZO_02fY9haXSXMedpzIbw_EUdSsxw9bPRSQcoeplA6CidjS366eiouQJOOB-iHhut2_70izsKLl0-uSpJO-MKWE9mwYGgVphX9UlhpBUVTrcWBUv3Rx8HE7IfO53Pki4WIsEtKS8wVJ25erdcnWSYMenJj4", + "eventCategory": "Management", + "eventID": "cf7fcd24-2c91-4836-b460-d01f837d5db4", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:19Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "8c5edf57-8692-4d9c-95b2-fae37791fd31", + "requestParameters": { + "instanceId": "i-awmjjnq5sr691kgp" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": 
"ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + "userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. 
Encoded authorization failure message: glknbRaK-8bXUVYKsSXr-q5ysgD55hn_KTwTFbjiPl-hGg2ErcgTWmFFDaGHOT23Qbn2I2Cwz07cgPqRLkJsh1mM3TAlZ1yIdjjeuv9cT1eX6tMqem1qrm8qRbWxi97j9KBGu2yHsXm7yHi19qM_ddWyutsm-NXqG2e13FsP8KxPrtQkxXQi4bvZ30HHpv4hqS6-06bUEbTJFbU9-PBuCowkQDXJs7EPuR5YhlXBWqoahCNXc6V_bOKz6rR1sJOD0nZvbIqPompZur2cyAItV0kfQl4SH6rzvkk2T2jVnDz5NU-xnvUJzN3nnsc3LXjOUsBfHu4_JQPfonyRqewfQ06vhnU3gzS_0TkT_VbEq-1PBmtTRXFGEQ9nPDMQuserPuhSn8P8o5dj9uwBaLR-hZPqN64-R1mUyWuQUh3RtkwI5MqEQFu-KSmZn3TDovoqZu9uayFJaMUzdyzVqpAyB5eg9ycClfZFgYchEACGkISXj1k5iyWUWr8lnVrPhXv5I3ERGvOP4gQl2VQS0SZx30DT5ReGWKxWwsElmxJeeyu7ZjsN0W-bNPJ9gBf23hRTrzM6", + "eventCategory": "Management", + "eventID": "ec79b60b-6bc0-4a75-bf79-45a42db477df", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:19Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "9ab8de47-15e2-4e13-9a14-8eab5c92b916", + "requestParameters": { + "instanceId": "i-nzv1jjfn03nnujti" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": "ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + 
"userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. Encoded authorization failure message: gEXNHHFUYw8y_MNHkGP-98XPXSVvkMEu28ZFGcP89GKZ1im05s9P4sCpRKtajVvAJzfILfA2xEmN6aR06VV6qdmstPr95kfAhvHsY0yeIjJHz1pXj_ZNO0Q9SiV-ZaAcjH9LK5Pl8muiUU2j5onTFYWbDW1IqS-myHOBQFcs3jUEvCxbdnSHwxmeVLSrHkZEbg8cWkelKkcyJokNcad7MWVbmfJNeHLaizgZfyF69MLAnHTAlC0VaxNd8m7UbkZYydMATTAMNdrvUxRhZ0LOq8yecg47kGfUUM8K-uZk0qzunzC9IZ1EGHHAQjtI9VEf9HskSA6ibh8j4BhfBguxnf6USGHIq7R9Igt5bmZ1fq-COIzGblYOecicHfilaPeEevmzbT7vcW-3dgRPK-zr04-H_0o7wyGU34mZlmfV823uG4oM0nB4JuPNd7Shflry7deP_3nvj-Aqy73d7GPicewhRVEKYDeFao0c5EevJemsepKqc6GDe-Tc6GKL5UBG8payl624Eq4NGHZa4lKuMC4t1Y3dHs1bsxu5QU2jLeVXArdLBstATsRblT-CXKDw_Is", + "eventCategory": "Management", + "eventID": "f2d94374-18b0-4479-8585-d24f7a58e3de", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:19Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "fec853a7-4df0-4410-8d1b-d86e0cf20bd8", + "requestParameters": { + "instanceId": "i-gz7w6xbdutwhlvb2" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": 
"ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + "userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. 
Encoded authorization failure message: nKaaIO7OhRx8_gh9WeWoXY6JtQq4rPq82-RZz4uYdRG1pdkeJx75OQ_4cv9JyQYlF4vgjg1TeP6vSXcI14XZYu1DA0hgqnYqyqKFFPCQglgRqfKLTphNoCprin_-yalFcBYAhOyfy7thU8TNTKX26Eg1D9JRE8kpcomB9ov9PUQS1v_doljaouQaQXBrlh8YD5cWbHXlkf0Ahi1axtD4qCsz9stzfYLtxwr-KWXKPgwQA36-8j-vzgFUAFCvDMSOS_7IRUh662UyfPDRnuJeigPHeHdNSvdr9F9TH-Cht9GaFF_kFBKWkr-RkL0DYAOFKw2_T1g24bk_j7JYINyHIhS5MDihvlmKaAHH0Yoz_nrOI4gbdL60CH9Bhw8E-7t7cI7_Jqplqey3rTvzxMNVdpxtk3aku0as4ZAEM_LPElxfs8ZZmfY3-NuanGt0MFcPYxDmbaNFRhOk3-m0esaVTf8OsHCbeXE2erqZUWrgh3-96jx6t9hSQwdRsaqvzImXiX87EjO0-zKxmZlT98xRprqw_Lr-hdC3IEVh6wY8YFYjFOh5I4RcTO-bRkxZgH1Qfvw", + "eventCategory": "Management", + "eventID": "396d8a62-46e7-472f-b046-5c41a75ae61b", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:18Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "d4fb9e08-37ef-4cc0-9d01-0dc7c694e554", + "requestParameters": { + "instanceId": "i-bf83vbyeoo24svtd" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": "ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + 
"userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. Encoded authorization failure message: nH73aM11PlKi-yyEWJlllJTikqqhwda0HamvlmHPY53dt3gaTJVbwGB1zVfdkb7oqY9N_9d-v9oqHixcCcMcOYBwBQBnJ-rVW4FxsjBI0pPSVYoTYOagpkUT7ceRLKyXWDgR70ylwVOyaKu7AJsCvSy_A2_bi2W8BirGWL3H7-Nyeu3LaKK9lL6olrz6qla9_veiB75Cc516dE-gsAKNm4jd_N1pC-WCMApGlCIYsqrv0j2gSKjP2SNlDaINPL35dcSA8syYNt36SwsgYVo3DUPCrad2W1fQ4R8Wim_GPLJwPYueFvttYNWEiPBj7sd_Zb5yLvPKRCtrxu-eYbYue1BWthbbxVoKfecgieELohPNj0MtdEjKY1kAyMnrho2QyOjdGpuX4C4gTeCytuDrunH5bDRKRtlAGPhRCsIfGFsrq-fTS_FhgDXjMc04NcJr4AZ9j6yGf4u6vMosWFi6Wg70n-W0AluNUBNHVcnXO4mvG09tBNLOmx66LwCs90A5_G2ll6_Py2vP3pXoVXUdG4rpJJhMwmVH7FYE2fA0fgV7Gr-f_yjzL-CiMiB3UNWlv2oX", + "eventCategory": "Management", + "eventID": "71ce0541-113b-4b74-bbc7-5ef364318787", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:18Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "12c55ab8-8de3-4d11-9cb5-771de13610b0", + "requestParameters": { + "instanceId": "i-qsdkik5t0ihwxj43" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": 
"ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + "userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. 
Encoded authorization failure message: 1doSO4EeN8VCyyAelPL_ne9oDrtREHT9ciU3ZTtSs1As1v3mEHCVpeUarJxr13AWmsoIt2_yTzT1NE4Ur1yK9S0V-B6omwpgEEnGk2ZPzhrkCqSRA1flcMwIKXKchWoDB4--TAgAfHyUem-MO9IRc4RIJniE-BNY-kK_GOR5BR7y9yTy83SMANMBHFgY_zDY3Qlco5B0jmuXRnhSJXslqpL7KlXdxTLK-j1gOFIrWpZll3E8WQdCw3Sth3Btvxgj98rNDa2vfqGOxIacu5PDLDvvDTD9Dad5ceUN5g5sYwbTZKX4nbRm7UC9kp_hN_heYILrJR68VF2HTGqOl04-T-aygq12V-WB82BR_oXAuZyOrTHoUw8H42WSiYb_VP_Se3xoS6QEGsK165umOB8-ruZXG0J9M4EZgptI7b1krm2VbO5wur3JTjY6m4kiNT0baMvI_2CGhP5hduu06rllFf4Q0hAqqvHC1wsqoEUe0A36xOj9RcKL_rxQ_XR8gnLd_l2-9OCmGk3usYbhZeb1jJboZclzyYXoCCfx-nJvGlICE9OP_sutVFynLyT9QG_-dv8", + "eventCategory": "Management", + "eventID": "8aa69c7f-117d-4010-b7ea-009cd1f4f5de", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:18Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "9f89f20e-ca42-4d5b-afec-fa2da8f55fd3", + "requestParameters": { + "instanceId": "i-jcoba14jc619sc9k" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": "ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + 
"userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. Encoded authorization failure message: RKjtBacdHpynSBYD2rFJAJyGRi896ep_wzschdrXXGuhTWwH1op5v_VJ1oUbV33AF8uOXxrkx7rjRJIBPku6lhMASNBInXuS-tBXw9GRd3fB4Yh6u0kxQZP95-RRCNoRGc21BTmVEegMgNPhXMG7gxA1HUJVcjVAwAbMUzBv1VEvYhHPsOm-SDbCR_vlJbJC3dtDLetZuxLoTTrcKhMMU3pazWx_MCTEV5Fn13SJMV13Hmoi_x2JrCUfAVZdO4bDePX_kyk2H9XuBmiQAg-h5Ba3HvkUQP-wBNC9cQ_Ji37Vx8oBQO2SxdqXiLHbx4W3AaI4ag5iDuOURa12a_xoUAUrP7RB2iKgr59mpC6IK8JUtDwRlv5jKYwfQMC3TtvvDtTmL3Ljxoz07_fgCECADIANklTbTKnfByZZ8XWzURr5mGxHAQC2GrDHaoJpt84x-k-9-AGNEVbOFycJJsDOfUSTQQvKIBq2CIos8bKwnZJQCVOYCwgHDqmhXyS8KaQw4OWQleQKMvfp8aZ3Q9gFxlSJbo00UqiAIHWVOUl5xhL0reKKGrL5ve6mBnQAVPY93get", + "eventCategory": "Management", + "eventID": "9fa0f6c4-dafd-46e6-af33-264c70b79add", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:18Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "894f1727-ca4f-4376-8313-51b8e5632526", + "requestParameters": { + "instanceId": "i-yqe6th46jb26scec" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": 
"ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + "userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. 
Encoded authorization failure message: PYyJbyooe4ak6qMgask39P0gOiQ5cBbfHnbhq03IU21H-MyHGDAfqvf1w1AR8zTvfPeYrt-zWX8A_TTHbJHBMOEBBMVtdxHIVHnIPbOsU36JnpqjT4T1uarOliX6ViEkBvKm9wtPKFj4XK6xv49tdy8WomHqDsukCmOldH5KOIBDFDdLZvvsPotW_GA-HKR-FjVoRi7l7HCHDad5M8ruK1g8a8nUBEIKqbOexvpZiyJF9yO0I05X7nR81yYvKDAN4Y0n_VKUlMyS8nLYTWJh5RCzweie8uT3unJDHS24dvk51sEkrmQvh3Kpw5EADofCBWiTabx6zdoPFd81WpfOayEli1n2FI5zzeROdvIbiNlvyKjVTmcgsXYphfjbgOLeSU6bMF68_SPURL1Ua23ZkwkebQRav40J4rrnFgVWHuZbvAeULyWDEDDx_10jB7leB9Z6yAVlBqL8RNb-xsAKnk5dmvqsCsT5P53m9kC_g4389oV0LUahYu9c9fIkrj_3DJ3mZztALQl7l6fIkT_npQfg-QqfZx--t2sQW1gfIKQPXkxmsdQhdvXWik74wd6t_N4", + "eventCategory": "Management", + "eventID": "b8a37387-6dd5-49a1-b55a-a491a0bb85b0", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:18Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "8fc4e269-7b8e-4123-92a4-0821283c590f", + "requestParameters": { + "instanceId": "i-qivk0oox9ac6grv7" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": "ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + 
"userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. Encoded authorization failure message: FvDsnEXWiuIoaTAltof47EUVg-dVIlwI4emrpGlLM9ElSpuAjv-7LPppbkJa9spadx-PCqvteb8TjhsI6AiunSA0tCPufgOiRyIioV_HMK1Bpj5ieQYhUIBJ-xUJx3BlwDu3aGPWRyBJNe0J3aqqaPFm5uIA6OmeQol_Qi_LCbYkcJUbGuWqxg85kE4cP42Ev9_dZW3xvUQgbvEKZGVbeVxQJQTIDChBXifHRxOtUaykG196i6lg6xR396OSGs4mfq-bdxNKYAKssZaOvPOqqf-43f260zDUmI5OohcgrPSfNBrGIeXzMUChBd2fNzIXA8-8InOL1OqD55FB_cDL2rhx3hqdCB1tOhxjUNfZTAAsfOeD3QurNUew8oEUP2LE4x74vtWeSR5JiZMWGFPWxoX9cycXnJ9enLY5JePWDEmkF0toZ0aFzAYha08QhpXD1YEVWu9C8ZkW4aa998ZX6C2nP7GInZtN8CBM4BlSi5NAHYpZGUl_PH7YWlLGq54JOMh-JbQ_FiGms16beBvJqsJyS5CGvYoEEnjtTEYDrqxULD0UhxUN8LsJmYOZxw9FrOI", + "eventCategory": "Management", + "eventID": "c1e66f32-ddf1-4e85-9a5c-9b11b09e2d06", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:18Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "98a10bb3-07db-4576-9edf-73d8d2e37460", + "requestParameters": { + "instanceId": "i-n2d16wuklpqfdsr9" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": 
"ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + "userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. 
Encoded authorization failure message: aTrFQVq-TlNHs1qYAG80Y-kgjzT_ie6zqlFDxIfbXqvyqCsVEmFK6CieWIHOBEhcMEsDfmEpudkmch0OKIeZHgCYKrzIzp1aoHfAUFeUvUaAbq4SZLlLjeCOpOrFgCLROeGzk2w55VAxsC0JdhAtI-IoWOsE3CjBDJ2oJO8KpFy1nLVpUA1VU_sJ0cJudc2a381zduNnnKJufvt_xr19glMtN__HERdIWJguV9NinCtviEFOa4-Ipzj7Qd6zuQ_rYAEmM9jkAuEdOfl-1fBJ1rouciEwao3Rvpz8mMV3bkzVEb8pTKIn5X5vp57v7Xapb8ZP08UpGeswPz1u5ybB__EgmHcW8JS0Y_iWybVslZTruLarO5JbkIlv9hE7viVbyfvXmnbrnlRQHYuyS3Rt6aYmvdwqqMjd918qvpI1rWeILu2URb5M4dK1vNA-9AxvAUMZSGViaJxncd0rcnDPNNUaSQX8bjetu15TeLS1G0N4fdqD-lcY0Dc_NgjNwYTcg8uXXXLLUKgJ1lKpkeEeSXNImo2X_DYTwCj9xkLPZ2qlckqNeLokUqdWl6sDZpHAyPY", + "eventCategory": "Management", + "eventID": "1078f3f3-e72f-42bd-a0c8-7f321b5fce0b", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:17Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "0bac5486-48ac-4ed5-b3a9-c094ee3a7304", + "requestParameters": { + "instanceId": "i-bykprumj5lnfe4oh" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": "ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + 
"userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. Encoded authorization failure message: IgBTWD-QgF4jCm2kuMMIXUGemfMfC7Hd7-UTvXmtYd4amt7MbUaC1FT4ne5XMwGaOq59YgFlane0ICbGs5Fy_zp37XvFqEVbrlu16lxiqVhgghuL6bH2jfBuuqWOGrfFNDbgXSNhZNHhN8pQ4Zhg_bHJi1jcx2XYlnN-BKy2_5vRT68-6xVl-D7MpyCh-J4PeuiyIJDwSWgT3UHzfMapPfMVRUetYSgGeub_sxMswfiR1dxD3PaUgubNNzjiTIeoElqxdELcDE_1V0RC2hKxuq1-kj5hXl4_hEzmuicGynwhkpXpP8W6u8xq-S2v-of5N5uBeTafwaDAtGIFprBp8smR6X3OeyB72nZVeyyaeIlL3uD2WkhX0da21OOGYRDTwbRBazStsugyvY4MnJWu5PCk0q6XHptm6qyL8nuUfZUkp-NQp35CKx9HaBsuLdvFe8dpGIwy5DlUes3T4IqITcZa2tA45xfeGAqo93G0LRZgQ3PMaJvTqW5hgN_6XXvt1_P3B9S6SCVMyR7Gu5mdG6fjbDKtIbWfeFz17Wd0fDSHfoaT1plivwSgZrkgnioCFQ", + "eventCategory": "Management", + "eventID": "735eae92-16e3-469c-b454-4507c47aadcb", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:17Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "b195f9db-6777-41a9-8797-2df84ebb07dc", + "requestParameters": { + "instanceId": "i-dcw41yq2wp8h1d58" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": 
"ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + "userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. 
Encoded authorization failure message: 3Whk6y4yZdhA0PAEz88EFn9PqfvCo1S8surcpaXE6332jpdvRht6VTm3WWdOCkQ2mUq-zXlY1GimOJW6TJC9SkPtlBUAH5KxOFAQPMymWzNgU606sUYH41P7t63dp_F9_pVVO3gj22FW0qv1ZKHIIayypQ33bHS8lT3FQgqZzy6mntCT6OVSYJ5KiZEMmPiMLv8nVcGPoKHQErgjMcXWtkSuuI4tq2xhQBjdJlWgHDNv1Wn0M1RYy7_WKYkgCsoGlWSb10XMexgwl1dpmhODFZMA-hBbQZC_S9tKE3sTsuIppvqIW_SFY9WLdeI0_GRtjBt9hHNKBFr_V4GmNFapSDSMjt-w_OeWAC4MqmeGR_adqtMSIiamRHXtHfoEK-0M3c_HCIAl14XBPg4pKnCZiCutGk6ak0AVJmjz7iBWtkduRfBy1yk_7iXypjmLkUC2dCGPe3NYIm-hYMrlbqpFnZmyQf54by9MLj_I2h2Rjf0RXoRhFnwURyHtO_D9-jsWNfO-qgq0VKCg1gqFv5NUYfUQKb8CNALzxCCEjQxrgT-nkftGRxBNpLSs7CEwkyqcPg", + "eventCategory": "Management", + "eventID": "73f28e1e-7fe0-40d2-94a4-cf42930e8b0a", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:17Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "de6fa24d-5054-4525-abe3-a210b4993b1a", + "requestParameters": { + "instanceId": "i-okja04dckx6yg2uq" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": "ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + 
"userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. Encoded authorization failure message: XsZyApBJAXhkSm43yz8Osvyv013N5Y2d1rnNlbOkkajw43v_w0IpDACr9S1GlpC_FLYISw3CunlllRJn4Q5GZJX-sS88rpWFIWTksDCKwb_a0hpbcNTqERnL18B_VOC-aOfl1QyYqmYDcGKISJl8jp5_uUMV5A-IFYEMGskUfbxpQE1rtIWCrXGPPnhWQn9gHA5eBhZo63LTdhMHKJenjj592AhJ__LaXaxeg-iW5p9V96uP9nTGiVx529QZlVPNWVmL0w6E5Ub2r7IKYQkE3SXYa6bs6IhquB4MAt8JMnO0YaPRnEUxVOdBPa4isE0Bgl1C5-8NQZ3uSPQiu9o-udWYVKbx0xk-jlLz4xXbAUsCZnGAsgFf7WOPg2icEvol6a5a-cAx3OQd_-BAI6rD4OdquHxo5ddPIzGsB8rDfGfrh7h4-JiAxTWVJ7ZlFC7sHcu57SSceE05R7ez9x9weIbeqmVz5TFLYnA6i4jyI0cRAaZYZ4PWG3A_dH6K7caomOrHVcayeV1H88kfma5DprPaMyo-hIAewgXrmSQsIou95sA3P8WLBtUXI4rqUC6vevg", + "eventCategory": "Management", + "eventID": "a8d8ee73-2a80-4d03-ae6c-42e2964a5e43", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:17Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "a14a2932-ca5b-4aaf-89fc-c4d66708fc61", + "requestParameters": { + "instanceId": "i-8hy3natzpp4ef7ri" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": 
"ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + "userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. 
Encoded authorization failure message: SkMlzz8Ec9AftDBkf302YkfKSCGS5zriIUZMQj4UAaXyX5B74Fg1f2f_IgZ6EdUNcmVr9A9OzxE9WmNikuJyWNRCX5Mjy_HRBg6VrxjWuSoUPBll0nWbIww-1NehYMVHla3eLDBA2KUsuE0KJ0ZAa2Cmy1LsT6kmbQ3PHK0a2INProm2fWi_k33oJXOTapMy5V4eVKIIWsCxWrFHO7o1E72cORK789yeKavJsP86tYGHdzssYRpnNYK-4y_YEphKj3Kc5NeOs2thecEMXiLPyPXJYzlG3hzDmd3vU-sgbC7t3uCPMuw0mdRWvd9QaNKp57dAP1Bl3CH6CEo2iGuftLyCA32dzTpAG1khB_2ct9Yodq28M7j4Cp5hC0q-IDpUol4hUjeoxN7QLFzrn6IpFuvP18PlJY2VyrMS05Mc9-Pv0HW6cen1p3ooH0qHAlvsG5LO1aNX0xacTlHAthoIjziAAXKD2AQBVtbo4rh1ds67tcLvaGZGwhv_uyziy-UYeBU_ENloIGFMmD44m4leqoXQaessC56tbFWmJEseRQtHxuA0rslcPW0l2Y4EHQ0Hdg", + "eventCategory": "Management", + "eventID": "afcc764e-2db4-4fe2-aa74-85d01843d7ca", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:17Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "36fd0bf3-e2b7-43af-bec6-dd9df405c462", + "requestParameters": { + "instanceId": "i-ymn0oq6iadzm0v0t" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": "ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + 
"userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. Encoded authorization failure message: l58oQoHuiZkxwnQ_NKmt61fv2TTDkDEIIZRKFdxXk1cbyA_Mz38ZetF794KYJVPv9zh-UC3ZtvX1WJJnAKIZXfjA9Cy1i8lSj7zHv03E2MQ6w6I16hErXuvfbNCOIGWskZ2_H_-p16hqtPGz38n9ZU9BTXPUScqUcA9u2vi4aHfOyqBJTl85vPXl0PNX0rSCNea01NDzwQrdxme2UyAiuFEa4CZceqFpahDKOA5S3tZm2OzBJaZdeBYTgUwlcJYmM6iEXiC6ZGJsi3IV-rcg3WGMFogLXp_tQTlfMcjiPqO9v-LGyypMT3aVCWfzVTnJrDk-7-S7ue7zuTlN8y9LHWTaQvZFf6vAMEe5o8DG-W5cEBoQu5BgdC2yLJk99q1wNM1hCM6xSx9MI1m3Z4FYQkfTg6okRUBJiXClAlWVDXyS8r6KqAog1bNB3XorSP5TE9FgEq7stZ0DUzNvYqHtkkEEkfS1PWmsxPFBm_ew1NPvAptqzn7dci-Xo1XcqWFxqDcQEdblBhZGweU9OodEznDv-CkI-iO54_Zn-fMR0WP58pSgNxiP2x00PR2lbC2WoOly", + "eventCategory": "Management", + "eventID": "b5da67b9-87fa-4151-bd9a-818f3237fb91", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:17Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "a7cf65c0-a900-418b-99ab-a5d2ec35eed5", + "requestParameters": { + "instanceId": "i-l2yrvbrcwc3ytkcz" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": 
"ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + "userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. 
Encoded authorization failure message: ZUocdTACiGX76lWaShcYz3NiFH7xrcQLJF4xvkdVwj1YRi1LCjXrOGw99KaEjQryXTvxQl8mcoL3NPIH5bvnNm56e4dz1U4_VU1Kxe9GM2GOFvI8Dtz4yeL51wDiwFmt0g9Bfy90J8IevWimq6H-qiLNMbvL8s19Yxe-IPC4EOExJ73IGCm2M0L5Kk1PI1FNzS0V7JnRS53ZBBovZxoY3iJ5KDZ0IJMTbemzqT4uu4YCPzcsnHolRL8LaKniskKGZ4XjVxD3b5pybZ26C7DE77Wq67rlhNwJyRM8RG12tety1tw20hwblshCbJUw2YoR-_UffA4ZbMMDMSS1OkxatoynUOee5zTrapuKfsI592sH5SNLDH2nKzTMu75snXpwMEkkarPJR1rya1g7BQjvB7LcE8lnQV5zwXjCuwLx-yZrDNW6sytsvLt8oS1ASdIJlZk92V1rYCRvBBbMFgIA-0eVACBwrBfrm3x4AGM2YWBbtqtsZUYLr5Ofr6gJWn8xd9Ve-KZ98feGVI0hGzX2RMFbEDF5CeaztSYJ9VnOrxrVH1Cc3oE0GbRcBikla_4vq8_u", + "eventCategory": "Management", + "eventID": "52242c8d-7ef7-4165-90cd-621ebe835388", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:16Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "0436a948-0d62-49b2-a53a-07f590224fbc", + "requestParameters": { + "instanceId": "i-gspajwz8z9wrutsz" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": "ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + 
"userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. Encoded authorization failure message: X7IcIBBP37fUlSTM_9cAnZKJ-zTlv5zmnaUcLS5lQZQfMyq3jfoXbih6NSCKKrWRnPqrCRmxo0uAw7ZIx0iLur5x7fvQq5hq9-ykkM9of1GB6aycacQC7yDzZmnFm8EHAoI3prAsEtL2e6DXtfNjT-XT0V8n69-2o8DVmh5gT7J4MZbfZssfRF-kdyCH4V_QVSv9Greh1Gnluz0EmztA6YAMhPCYG9cXp7GFzeQmQswsocXIXIhziu_UrwFb8hWZRM8Ih4ES3pvcZwzC6UB_bvSMjsVIjrJpNKNhmSievgN-MZno6buBDdsVz7pRCJJzFzvhsdj5S2e-I3jfTTfucNpyZB_xpyuSCghSW63oYi3mL8ek-t5h-sx23hANg523FIRk9w9YI6mmHiK74cwO-OUHgFNd8KERtSXHUBeno95Tp4ONhO6wSXYE6pJj3IevrcmgoWu8IHni6RbNeTC8h5SWb3sknXmdQzeN7UwEpoEEPhWtegFPcX0Zo0vOTb0oawDx16Y6eryN3966VgE_6nuDuCPMSESJngEnXZgtxLDDx4_lVymADHCS1G2vdh7ATuk", + "eventCategory": "Management", + "eventID": "a9da1fbd-464c-4b74-8c64-96eea2564978", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:16Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "8fdbcf53-b574-44a8-91c5-b81f183c871f", + "requestParameters": { + "instanceId": "i-ce85lye2frdpml4s" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": 
"ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + "userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. 
Encoded authorization failure message: 6Vmm3_Z2lje988np7WwvCzM0gOYUowRA85YdDAIV3rx8y1O2mvqd1bWvJ0Uil_jPCbaRHVGEwnKbxuOEgMThvNpKooEdt2KRMbgEhUvfsdBb_l-tT5d5HM2wGr4t9C5u6uSIj6aJPYtvNrLSYZRz5oAFnjuoJb2m_T-63qxhnVpYvPswmWAUBRhHN7bZs2UVAGUF51CZi0bIB007D6MEkK7vijtzB54oBEZhedPhsLG4axf570Oh7fHoXBKy6AU_W1n-giLzqonpoUsqVuV5K7yTdpJpt0CKTPRYpkJ4ExOF359Q73q0aTd2aDnlWgryBSDVQQdJXHz8zoBOtVF3bl46JK0MTriGclPhz4e-k48Bv9gTMLsyasPIYbf5OwgkKgSrWa4e48F3QRfi4jMe_P9NDIKYQG-vFTyu0hrVoZWbY5OonzJTqYpgkmI1YgmZgKsKIFuKbO37QtAbLPQFJln1vc8cbRbKo3yrIuhiJ0C-lmdr-9saiOkGbcX-iPETeVh7LA8RxbQi74v7AVKq4y8T73bvP3sgiOxaHGx_KD96E-lY_SBy5vvP7EDNUCJO4zHw", + "eventCategory": "Management", + "eventID": "d2d44fa9-f50b-4877-8a52-9e3855029970", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:16Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "2e320d8a-8922-4741-aefd-86cc33c99f2b", + "requestParameters": { + "instanceId": "i-z4rfvoc4sgtoirf6" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": "ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + 
"userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. Encoded authorization failure message: H_1M2f8fBtX-nKWuNweECYRadnJgTd8yB-qZbnIYTBwsE58jAcA13xaXwijpN2uy4ksDhtIwclLwy4y5QxG82pYgzDWogJx94y_UP8_Sb_MTS9xBuWqjmelx0Z0QrF65xf1J79Gj67jI01QYDjVjuIPHR5_ygzq0QUzNU28lcbPiy42MY1GDPp24x-W3HVPDcnOzfTdqV0T-rKp9dVHwNB-lM_OPx3awGgOkofGAsRcP2aduNxYJcATRXhoTczjo7Lvz5rIKp3u5rC1JQDXAxnJ-8WrxidXOcVnTup5nNrkWIo6ACaoupxIf86yS1nJ6drtfU-r2gUuBhduI48K0y4PHP-2AFf-U201axMzqCYZsX5hnWf8hRxa6VLKFMJVsxsuFxZUVAAwm5K2NsEkzHh9T5KWWR2vO7pxFp-BgiarX_5ajJyVeTmON9LYJI3Gqit5eCV2F1mC8Cvy-jvWC88dt_qKzSTKtb5RMwAJZ4HivEXqp6iCdlViSJXbRGK5C3odmUCzGMUs2wV6fMAAcKWinQobra0P8Nn2zzKk6Zqx-ikgMwGDLZ8C5FZiNpjVUrv0", + "eventCategory": "Management", + "eventID": "f1e17321-830c-4761-854c-158258e915b6", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:16Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "faae9c16-fe9a-457e-a12f-41f71b7469f7", + "requestParameters": { + "instanceId": "i-rbn1gvh843rzs87g" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": 
"ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + "userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "eventCategory": "Management", + "eventID": "d769ddfd-2cda-4cfa-b33f-05d3b886921d", + "eventName": "AssumeRole", + "eventSource": "sts.amazonaws.com", + "eventTime": "2024-07-30T21:31:15Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "556ffdc4-27d1-4ce9-8932-cdca27641708", + "requestParameters": { + "durationSeconds": 900, + "roleArn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "roleSessionName": "aws-go-sdk-1722375070115152000" + }, + "resources": [ + { + "ARN": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "accountId": "457448411975", + "type": "AWS::IAM::Role" + } + ], + "responseElements": { + "assumedRoleUser": { + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "assumedRoleId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000" + }, + "credentials": { + "accessKeyId": "ASIA7RQR64ZW9JXKWPUO", + "expiration": "Jul 30, 2024, 9:46:15 PM", + "sessionToken": "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" + } + }, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": 
"TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "sts.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": "AKIAWOGXN38MFN92ING5", + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:user/christophe", + "principalId": "AIDAFSHDVNSWGFKZR06G", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "eventCategory": "Management", + "eventID": "fd179e25-9f1a-406c-8d7d-62f9d4938ef6", + "eventName": "AssumeRole", + "eventSource": "sts.amazonaws.com", + "eventTime": "2024-07-30T21:31:15Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "880bf8cc-0787-4c2d-8564-3f4ce8946109", + "requestParameters": { + "durationSeconds": 900, + "roleArn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "roleSessionName": "aws-go-sdk-1722375070115152000" + }, + "resources": [ + { + "ARN": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "accountId": "457448411975", + "type": "AWS::IAM::Role" + } + ], + "responseElements": { + "assumedRoleUser": { + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "assumedRoleId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000" + }, + "credentials": { + "accessKeyId": "ASIANQQHHS551LWULIWD", + "expiration": "Jul 30, 2024, 9:46:15 PM", + "sessionToken": "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" + } + }, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "sts.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + 
"accessKeyId": "AKIAWOGXN38MFN92ING5", + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:user/christophe", + "principalId": "AIDAFSHDVNSWGFKZR06G", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "AccessDenied", + "errorMessage": "User: arn:aws:iam::457448411975:user/christophe is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "eventCategory": "Management", + "eventID": "46558847-8b84-43de-8c96-302aa4744763", + "eventName": "AssumeRole", + "eventSource": "sts.amazonaws.com", + "eventTime": "2024-07-30T21:31:12Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "bf47f64b-bcf2-441f-a1b8-9cbaa241ff11", + "requestParameters": null, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "sts.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": "AKIAWOGXN38MFN92ING5", + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:user/christophe", + "principalId": "AIDAFSHDVNSWGFKZR06G", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "AccessDenied", + "errorMessage": "User: arn:aws:iam::457448411975:user/christophe is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "eventCategory": "Management", + "eventID": "8a8844ff-dc95-4ef5-87d2-d86cc23fedd0", + "eventName": "AssumeRole", + "eventSource": "sts.amazonaws.com", + "eventTime": "2024-07-30T21:31:10Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + 
"managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "b3f190d5-4701-47ef-9fb0-76e8b7877df0", + "requestParameters": null, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "sts.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": "AKIAWOGXN38MFN92ING5", + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:user/christophe", + "principalId": "AIDAFSHDVNSWGFKZR06G", + "type": "IAMUser", + "userName": "christophe" + } + } + ] + ``` + +[^1]: These logs have been gathered from a real detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using [LogLicker](https://github.com/Permiso-io-tools/LogLicker). diff --git a/docs/attack-techniques/AWS/aws.credential-access.ec2-steal-instance-credentials.md b/docs/attack-techniques/AWS/aws.credential-access.ec2-steal-instance-credentials.md index d5fe72b5c..05bb1b726 100755 --- a/docs/attack-techniques/AWS/aws.credential-access.ec2-steal-instance-credentials.md +++ b/docs/attack-techniques/AWS/aws.credential-access.ec2-steal-instance-credentials.md 
@@ -48,3 +48,1861 @@ GuardDuty provides two findings to identify stolen EC2 instance credentials. See also: [Known detection bypasses](https://hackingthe.cloud/aws/avoiding-detection/steal-keys-undetected/). + +## Detonation logs new! + +The following CloudTrail events are generated when this technique is detonated[^1]: + + +- `ssm:DescribeInstanceInformation` + +- `sts:GetCallerIdentity` + +- `ec2:DescribeInstances` + +- `ssm:GetCommandInvocation` + +- `ssm:SendCommand` + + +??? "View raw detonation logs" + + ```json hl_lines="6 90 130 170 210 250 295 335 375 415 455 495 535 575 615 655 695 735 775 815 855 902 936 970 1004 1038 1078 1118 1158 1198 1238 1278 1318 1358 1398 1438 1478 1518 1558 1598 1638 1678 1718 1758 1798" + + [ + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "2a5178c8-b4c7-44ba-b066-1ecc79b7087c", + "eventName": "SendCommand", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:24Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "017622104382", + "requestID": "ff024f6e-78cd-4f36-95cf-7179c6421e32", + "requestParameters": { + "documentName": "AWS-RunShellScript", + "instanceIds": [ + "i-786a3A8B5C0d92eF4" + ], + "interactive": false, + "parameters": "HIDDEN_DUE_TO_SECURITY_REASONS" + }, + "responseElements": { + "command": { + "alarmConfiguration": { + "alarms": [], + "ignorePollAlarmFailure": false + }, + "clientName": "", + "clientSourceId": "", + "cloudWatchOutputConfig": { + "cloudWatchLogGroupName": "", + "cloudWatchOutputEnabled": false + }, + "commandId": "f6887251-cdde-4251-a026-f50a25f521f7", + "comment": "", + "completedCount": 0, + "deliveryTimedOutCount": 0, + "documentName": "AWS-RunShellScript", + "documentVersion": "$DEFAULT", + "errorCount": 0, + "expiresAfter": "Aug 2, 2024, 10:23:24 AM", + "hasCancelCommandSignature": false, + "hasSendCommandSignature": false, + "instanceIds": [ + 
"i-786a3A8B5C0d92eF4" + ], + "interactive": false, + "maxConcurrency": "50", + "maxErrors": "0", + "notificationConfig": { + "notificationArn": "", + "notificationEvents": [], + "notificationType": "" + }, + "outputS3BucketName": "", + "outputS3KeyPrefix": "", + "outputS3Region": "us-north-2r", + "parameters": "HIDDEN_DUE_TO_SECURITY_REASONS", + "requestedDateTime": "Aug 2, 2024, 8:23:24 AM", + "serviceRole": "", + "status": "Pending", + "statusDetails": "Pending", + "targetCount": 1, + "targets": [], + "timeoutSeconds": 3600, + "triggeredAlarms": [] + } + }, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "1d6a4901-4b35-4e4c-8569-a15fde667507", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:01Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "fc69ddbc-31ee-4435-80d7-d5186c01d2a1", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": 
"AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "8b5891ab-9638-4c56-aa27-8c43dacbf6fb", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:22:54Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "968528a1-fb69-454b-b895-87df48493598", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "a4ac2342-6c2d-4d54-9308-e20b7d537063", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:22:43Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "48ac6ca0-0d3c-4cca-80d4-65cca1e7cf50", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": 
"ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "8aa86ee3-7789-4248-a0b3-779a720a31bd", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:22:42Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "1a8b3f8f-0829-4e0c-bce4-a28c0e783f51", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "b379479b-05c9-4c3c-af4b-cbd43acf29e1", + "eventName": "GetCallerIdentity", + "eventSource": "sts.amazonaws.com", + "eventTime": "2024-08-02T08:23:55Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "e46e7e10-ae9e-4170-b205-5d327c156416", + "requestParameters": 
null, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "sts.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "ASIAP5CT9NN8EYVU1FXV", + "accountId": "017622104382", + "arn": "arn:aws:sts::017622104382:assumed-role/stratus-red-team-ec2-steal-credentials-role/i-786a3A8B5C0d92eF4", + "principalId": "AROALHCCSKSM395EGX3XN:i-786a3A8B5C0d92eF4", + "sessionContext": { + "attributes": { + "creationDate": "2024-08-02T08:20:52Z", + "mfaAuthenticated": "false" + }, + "ec2RoleDelivery": "1.0", + "sessionIssuer": { + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:role/stratus-red-team-ec2-steal-credentials-role", + "principalId": "AROALHCCSKSM395EGX3XN", + "type": "Role", + "userName": "stratus-red-team-ec2-steal-credentials-role" + }, + "webIdFederationData": {} + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "be2ec885-070c-4fc0-8c5a-11e8dfe65351", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:24Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "7f6ff28c-e7c0-4634-9d18-1f3e6157a5f5", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + 
"arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "f9d500d1-d469-409f-b8b0-b0fea46b927a", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:20Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "b4d8f210-46fc-4ca3-b03f-065a49cd9dbc", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "501997e8-265d-44e3-92ee-228e7e155cef", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:22:58Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "d76263e1-e1ab-4da1-9c74-ae146a06a390", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": 
"ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "1928dbd9-a8ff-4965-bfb7-cfd7884933cf", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:22:56Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "db31fb93-2471-4747-bd7b-0aa6d2ada9db", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "48c0979a-5d65-43f7-aa41-914d1ac0348b", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:22:55Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "c8f99ffe-e27c-41ab-84a4-9be8d40e8e96", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + 
"values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "73e1044f-14fd-4e57-a515-5fa1b33ee465", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:22:53Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "5377091e-7b64-4951-8d5b-38f5e6ed733a", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "fbe51d19-8701-4214-8715-479c3765fd63", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:22:50Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + 
"managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "9eb25ff8-973a-4bb8-a12c-2b27fdc5f434", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "0ad6b57e-2afc-4cbf-b618-b412445b3795", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:22:49Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "fd973fdc-43ed-418f-bd56-70c7bfb6beb0", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": 
"ceffab54-0d57-4970-b1fd-6c735c624531", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:22:48Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "13bbbae5-9186-499a-8613-a50fcd752cad", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "abe4f64f-4edd-4269-888e-bd53a143a2b6", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:22:47Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "a475561e-0013-4f7e-80e7-9f2067b4b4bf", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": 
"arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "46e1e497-e386-4b89-9769-7c8d94d69c74", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:22:45Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "8b440237-44a9-4cad-8115-1d1015b9e7b4", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "92804077-0177-4385-bcf8-97b0291538fd", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:22:44Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "4bd629c0-ee97-4b2c-a779-2451cd91213a", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": 
"ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "061a2c00-e72a-4126-9487-1724c2f6a37a", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:22:40Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "f8b97bc6-cf13-476f-9e1b-5f005682ad9e", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "57f3b958-1c3b-458a-b60f-52310b597f49", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:22:39Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "32a9ae7b-8cae-4b6c-93ff-081ee7a5355b", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + 
"values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "394cf343-b9cf-48ce-8a94-e188656ae8ba", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-02T08:23:56Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "7b9d34cc-91db-4ea0-9290-2897ad31b037", + "requestParameters": { + "filterSet": {}, + "instancesSet": {} + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "ASIAP5CT9NN8EYVU1FXV", + "accountId": "017622104382", + "arn": "arn:aws:sts::017622104382:assumed-role/stratus-red-team-ec2-steal-credentials-role/i-786a3A8B5C0d92eF4", + "principalId": "AROALHCCSKSM395EGX3XN:i-786a3A8B5C0d92eF4", + "sessionContext": { + "attributes": { + "creationDate": "2024-08-02T08:20:52Z", + "mfaAuthenticated": "false" + }, + "ec2RoleDelivery": "1.0", + "sessionIssuer": { + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:role/stratus-red-team-ec2-steal-credentials-role", + "principalId": "AROALHCCSKSM395EGX3XN", + "type": 
"Role", + "userName": "stratus-red-team-ec2-steal-credentials-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "a03d1afb-d68a-4e53-be36-17be89b1a3ee", + "eventName": "GetCommandInvocation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:54Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "d77be684-10e3-4da5-83ff-80e4abaf0818", + "requestParameters": { + "commandId": "f6887251-cdde-4251-a026-f50a25f521f7", + "instanceId": "i-786a3A8B5C0d92eF4" + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "6a96b70b-0d0f-49f1-b649-b1531d02de50", + "eventName": "GetCommandInvocation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:36Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "9d0811fa-d945-4191-874a-c093553b3401", + "requestParameters": { + "commandId": "f6887251-cdde-4251-a026-f50a25f521f7", + "instanceId": "i-786a3A8B5C0d92eF4" + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + 
"userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "7d7d6c2a-6ce0-40cf-9a83-9ceb78feafc3", + "eventName": "GetCommandInvocation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:30Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "705c99bd-7db7-434a-9678-5bcb19552940", + "requestParameters": { + "commandId": "f6887251-cdde-4251-a026-f50a25f521f7", + "instanceId": "i-786a3A8B5C0d92eF4" + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "4bbece4b-580c-4cfa-8b01-344774458f69", + "eventName": "GetCommandInvocation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:25Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "9116a326-23fa-4f00-9f81-a52882bd18f7", + "requestParameters": { + "commandId": "f6887251-cdde-4251-a026-f50a25f521f7", + "instanceId": "i-786a3A8B5C0d92eF4" + }, + "responseElements": null, + 
"sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "4b53af24-ec46-455f-9e60-f8f11235d226", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:23Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "57fdbc28-0188-4e33-8cc8-da4e0b474c52", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "2cf5bf3d-8b05-4083-89c8-d621fb29d315", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:22Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": 
"017622104382", + "requestID": "dbf6c6cc-b01a-432c-a4d2-001e24ecbc4e", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "d0239fee-4dc5-4935-b2b0-3eb443760174", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:19Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "b75f1639-567d-4ad7-9b23-0912ada17f5a", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "3866bd7c-83fc-443a-8390-60f8037cea91", + "eventName": 
"DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:18Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "bf30e76a-ab54-4d13-bed7-ad994be43b7c", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "797de410-d0e0-4acf-b717-5e67ed39a467", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:17Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "7f890911-9b8f-4f97-876c-524b6d542b71", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": 
"AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "4c488fc8-23fc-4600-bd00-c0d51404c929", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:16Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "468b2426-d0ac-43c1-bd64-7f73ea91aa63", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "77b4b3f1-c381-4bbf-98a0-eb420141b8c4", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:14Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "4763a692-3f7e-4096-9006-cde225a71111", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": 
"stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "1323b061-297d-436c-909a-2052c0d47e6a", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:13Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "d9d0901b-b977-4767-86f9-821ffcecc364", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "3cfc7a2b-1e74-4292-8724-8dd29e0528ab", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:12Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "739b8f1d-2162-42b1-8187-0355da517057", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + 
"sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-SHA", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "d7463a04-25b0-4eb2-b329-867c6f6e6e17", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:11Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "d45d33ec-f498-4137-88cf-4f04073c269a", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "3578680d-0d63-43be-8bd5-484b6106ddfa", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:10Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + 
"requestID": "5653fd0f-27ce-4ac1-9ebb-d34389b01946", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "f3e31b50-d1e9-4e4f-bcdc-e1faed911fab", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:08Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "9e812fb7-0757-4659-aa0d-6c41bf6f7970", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "f48f89e8-af3b-4dea-9c5f-8f26687ade02", + "eventName": "DescribeInstanceInformation", + 
"eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:07Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "6d3d584f-5f25-478f-8549-78c410db8d14", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "00e9b1b8-2b23-4988-b872-bc650469750e", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:06Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "6c1953b3-468e-43f2-a058-2c6a926480a3", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": 
"IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "9a691968-b92a-4218-8c3b-f9183a2db5db", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:05Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "58d7aeab-490e-4a1c-8803-5994b6ad3e9c", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "9e3d2872-6af8-4137-8e17-276c8b34f357", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:04Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "72b94fe4-c828-4bdf-a002-7d2af722d687", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": 
"stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "f37811bd-6506-4785-b8e7-3a67885d9a31", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:03Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "3e2526bb-b0a8-4bcb-ae3b-5c88f6c04f1c", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "65965073-1feb-46ea-95b3-c7b90937c70f", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:00Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "eba9f797-3323-451c-93eb-f3c57269a524", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + 
"sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "e805f60c-ada5-4dc3-9f4d-636a9978b30a", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:22:59Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "80f88172-f800-48b4-94cb-d95cbecdbc8c", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "2a96648a-6f8a-4faa-b5fc-432fab0eee81", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:22:51Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": 
"017622104382", + "requestID": "4f2d4d99-274a-4133-b122-abac714570c1", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + } + ] + ``` + +[^1]: These logs have been gathered from a real detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using [LogLicker](https://github.com/Permiso-io-tools/LogLicker). diff --git a/docs/attack-techniques/AWS/aws.credential-access.secretsmanager-batch-retrieve-secrets.md b/docs/attack-techniques/AWS/aws.credential-access.secretsmanager-batch-retrieve-secrets.md index 965c7a586..62d63cd3d 100755 --- a/docs/attack-techniques/AWS/aws.credential-access.secretsmanager-batch-retrieve-secrets.md +++ b/docs/attack-techniques/AWS/aws.credential-access.secretsmanager-batch-retrieve-secrets.md 
@@ -96,3 +96,221 @@ The following may be use to tune the detection, or validate findings: - Attempts to call GetBatchSecretValue resulting in access denied errors - Principals calling GetBatchSecretValue in several regions in a short period of time + +## Detonation logs new! + +The following CloudTrail events are generated when this technique is detonated[^1]: + + +- `secretsmanager:BatchGetSecretValue` + + +??? "View raw detonation logs" + + ```json hl_lines="6 46 86 126 166" + + [ + { + "awsRegion": "eu-westwest-1r", + "eventCategory": "Management", + "eventID": "61619dbf-c10b-471e-9d78-8199a2f8233a", + "eventName": "BatchGetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:29:17Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "165109126369", + "requestID": "d493c657-4004-4105-81f0-8f468ba0c9b3", + "requestParameters": { + "filters": [ + { + "key": "tag-key", + "values": [ + "StratusRedTeam" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "88.223.251.255", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.eu-westwest-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_0a05817a-84d2-40d7-afde-8311715b1ee6", + "userIdentity": { + "accessKeyId": "AKIALK3Q0HKBKZJ2XBYP", + "accountId": "165109126369", + "arn": "arn:aws:iam::165109126369:user/christophe", + "principalId": "AIDAIOBKTJ7YOYY9TKC4", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "eu-westwest-1r", + "eventCategory": "Management", + "eventID": "7c7a69f9-867d-4b5b-beee-7fe62ba34d5c", + "eventName": "BatchGetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:29:17Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "165109126369", + 
"requestID": "6b6e2935-39ad-44d9-9a62-eeb63e95bd69", + "requestParameters": { + "filters": [ + { + "key": "tag-key", + "values": [ + "StratusRedTeam" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "88.223.251.255", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.eu-westwest-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_0a05817a-84d2-40d7-afde-8311715b1ee6", + "userIdentity": { + "accessKeyId": "AKIALK3Q0HKBKZJ2XBYP", + "accountId": "165109126369", + "arn": "arn:aws:iam::165109126369:user/christophe", + "principalId": "AIDAIOBKTJ7YOYY9TKC4", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "eu-westwest-1r", + "eventCategory": "Management", + "eventID": "cf4e352a-b575-4003-bd81-0c531f42e626", + "eventName": "BatchGetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:29:17Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "165109126369", + "requestID": "cd93c41b-cb19-4a2c-9f35-6a1becee24ce", + "requestParameters": { + "filters": [ + { + "key": "tag-key", + "values": [ + "StratusRedTeam" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "88.223.251.255", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.eu-westwest-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_0a05817a-84d2-40d7-afde-8311715b1ee6", + "userIdentity": { + "accessKeyId": "AKIALK3Q0HKBKZJ2XBYP", + "accountId": "165109126369", + "arn": "arn:aws:iam::165109126369:user/christophe", + "principalId": "AIDAIOBKTJ7YOYY9TKC4", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "eu-westwest-1r", + "eventCategory": "Management", + "eventID": "bddee0fb-2541-430d-aad5-b1fdd5d419f1", + "eventName": "BatchGetSecretValue", + 
"eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:29:16Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "165109126369", + "requestID": "6bd1a472-24d2-46b5-abb6-83a9caf3e3ea", + "requestParameters": { + "filters": [ + { + "key": "tag-key", + "values": [ + "StratusRedTeam" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "88.223.251.255", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.eu-westwest-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_0a05817a-84d2-40d7-afde-8311715b1ee6", + "userIdentity": { + "accessKeyId": "AKIALK3Q0HKBKZJ2XBYP", + "accountId": "165109126369", + "arn": "arn:aws:iam::165109126369:user/christophe", + "principalId": "AIDAIOBKTJ7YOYY9TKC4", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "eu-westwest-1r", + "eventCategory": "Management", + "eventID": "cdc49957-9518-4ab3-a49e-b5a7c17903e6", + "eventName": "BatchGetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:29:16Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "165109126369", + "requestID": "be2e79d0-ef1a-47f1-90b4-bafbbaa7404c", + "requestParameters": { + "filters": [ + { + "key": "tag-key", + "values": [ + "StratusRedTeam" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "88.223.251.255", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.eu-westwest-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_0a05817a-84d2-40d7-afde-8311715b1ee6", + "userIdentity": { + "accessKeyId": "AKIALK3Q0HKBKZJ2XBYP", + "accountId": "165109126369", + "arn": "arn:aws:iam::165109126369:user/christophe", + "principalId": 
"AIDAIOBKTJ7YOYY9TKC4", + "type": "IAMUser", + "userName": "christophe" + } + } + ] + ``` + +[^1]: These logs have been gathered from a real detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using [LogLicker](https://github.com/Permiso-io-tools/LogLicker). diff --git a/docs/attack-techniques/AWS/aws.credential-access.secretsmanager-retrieve-secrets.md b/docs/attack-techniques/AWS/aws.credential-access.secretsmanager-retrieve-secrets.md index a133be9fd..0aaf4c63b 100755 --- a/docs/attack-techniques/AWS/aws.credential-access.secretsmanager-retrieve-secrets.md +++ b/docs/attack-techniques/AWS/aws.credential-access.secretsmanager-retrieve-secrets.md 
@@ -44,3 +44,724 @@ The following may be use to tune the detection, or validate findings: - Principals who do not usually call secretsmanager:GetSecretValue - Attempts to call GetSecretValue resulting in access denied errors + +## Detonation logs new! + +The following CloudTrail events are generated when this technique is detonated[^1]: + + +- `secretsmanager:GetSecretValue` + +- `secretsmanager:ListSecrets` + + +??? "View raw detonation logs" + + ```json hl_lines="6 39 72 105 138 171 204 237 270 303 336 377 410 443 476 509 542 575 608 641 674" + + [ + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "b9c3d881-1e77-426c-abd3-5ca20d903380", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:52Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "c4fff253-825a-4828-adac-7f789f6975f3", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-18-4Rzn83" + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "c63dd227-42e0-4934-8b29-52f4e583d54e", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:52Z", + "eventType": "AwsApiCall", + 
"eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "df133663-cdb1-4ea8-b795-eddf0152e16c", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-17-JF56OW" + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "0985f4e9-9263-423a-a499-fdd330c973c1", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:51Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "cf234c05-2c74-49e5-b632-5898071d4f86", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-2-WNXFB1" + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": 
"christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "25b97ad2-f713-4a29-af76-659e736629aa", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:51Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "52b87720-e08a-4fd4-8daa-ad70f983ce68", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-14-3JB2S0" + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "2d81c956-58c3-4336-ae4e-c0b9f2b96113", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:51Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "999b3685-f5e1-4008-9cc8-b83121ab679e", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-9-BHrKxX" + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" 
+ }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "853be248-0703-49a6-ba35-256dfbac47ab", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:51Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "6f25a056-21bc-4dc0-b19f-ebd556481158", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-7-WNXFB1" + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "da3b695c-bf67-4648-af49-2bdfee197c14", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:51Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "9d284480-aa0c-4629-ad39-a99aa008322b", + "requestParameters": { + "secretId": 
"arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-8-jLR7H1" + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "8d045085-7bad-401a-9a04-4feba3f1073e", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:49Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "a34ac8a9-1314-42b5-abf7-1fde8260e136", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-12-DyLJjP" + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "a9b70c0d-d32d-41e7-8356-2be543095478", + "eventName": "GetSecretValue", + "eventSource": 
"secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:49Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "84c979ef-40a9-42d6-844c-a472d4d6a2ba", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-10-DyLJjP" + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "dbff1b29-c7fb-4fe4-b5ed-24e8794b77fe", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:49Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "6d9c4644-a87b-46fa-b76f-2cc62f8f6f64", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-15-SAZN9Q" + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": 
"arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "0451b1de-e314-437f-a18d-827565e02bc9", + "eventName": "ListSecrets", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:48Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "818f243c-bb6b-43b1-9701-5180eecc90d2", + "requestParameters": { + "filters": [ + { + "key": "tag-key", + "values": [ + "StratusRedTeam" + ] + } + ], + "maxResults": 100 + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "99207de2-f8ea-4160-bbe8-22cb14da3a26", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:48Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "3f6c8311-bc51-43cf-88b8-5e51f424c1fd", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-4-Rma50d" + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + 
"clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "d92519e6-b907-4d3a-abb4-d63c9feaee52", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:48Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "b1c6113d-e471-456d-9841-c094e4b47618", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-19-fXrpF0" + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "e20f1d5b-f2fa-470f-8d33-8aa43ddb6a23", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:48Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": 
"6604143b-2af2-49d6-90bf-1520228a658a", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-1-fXrpF0" + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "bd52f504-dd75-46cb-a14e-e447612ea736", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:51Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "ad14aa03-62ac-4e31-afbb-5bdd640e051e", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-0-28bajb" + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": 
"2e8dca5a-4e30-4feb-91bd-8a09cd1067a5", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:50Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "12e83f12-234a-4ed6-a8a2-49b68a54abde", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-16-JcCztd" + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "304c3bc6-5daa-4405-bbee-e6c65d276c20", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:50Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "45167e35-4642-41ae-bb82-0c431ce5dd24", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-13-MNjL4W" + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + 
"accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "43ebe9e4-8a82-4bd2-b5bc-bf9585c53bca", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:50Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "a3376683-89a2-4a39-b490-adeed0bd02c1", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-6-JcCztd" + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "a05794ec-3c4c-43f6-b302-cce3f6abf05e", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:50Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "de58de72-13f4-4f0e-8b23-2f25717ca82b", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-5-fyShdO" + }, + "responseElements": null, + 
"sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "c9efcd4d-a04b-4abe-8fb4-2d954bcfda77", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:50Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "c686956f-fd49-433d-bdc7-c2fe91012036", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-3-DyLJjP" + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "879e946f-b912-44e3-9d82-a84ad0b06668", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:49Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": 
true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "7ab119ac-f938-4bcc-86e8-9917493ace97", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-11-OyGWSO" + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + } + ] + ``` + +[^1]: These logs have been gathered from a real detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using [LogLicker](https://github.com/Permiso-io-tools/LogLicker). diff --git a/docs/attack-techniques/AWS/aws.credential-access.ssm-retrieve-securestring-parameters.md b/docs/attack-techniques/AWS/aws.credential-access.ssm-retrieve-securestring-parameters.md index 28a982334..1b6f26284 100755 --- a/docs/attack-techniques/AWS/aws.credential-access.ssm-retrieve-securestring-parameters.md +++ b/docs/attack-techniques/AWS/aws.credential-access.ssm-retrieve-securestring-parameters.md 
@@ -48,3 +48,587 @@ The following may be use to tune the detection, or validate findings: - Attempts to call ssm:GetParameter(s) resulting in access denied errors + +## Detonation logs new! + +The following CloudTrail events are generated when this technique is detonated[^1]: + + +- `ssm:DescribeParameters` + +- `ssm:GetParameters` + + +??? "View raw detonation logs" + + ```json hl_lines="6 40 74 161 248 282 369 456 490 537" + + [ + { + "awsRegion": "cn-west-3r", + "eventCategory": "Management", + "eventID": "3c83144c-614c-4979-ad06-b29d4db97c45", + "eventName": "DescribeParameters", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T15:26:57Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "933175858973", + "requestID": "13846448-4620-4f7a-af9f-f3e8bb7331e4", + "requestParameters": { + "maxResults": 10, + "nextToken": "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" + }, + "responseElements": null, + "sourceIPAddress": "250.202.242.232", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.cn-west-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_e1d92b9d-2488-4244-97b4-0a5e914287ba", + "userIdentity": { + "accessKeyId": "AKIAY964QRZ7YSGWGVUH", + "accountId": "933175858973", + "arn": "arn:aws:iam::933175858973:user/christophe", + "principalId": "AIDAGTWHLUXY291EU1ZL", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-west-3r", + "eventCategory": "Management", + "eventID": "a16d52e1-5e70-44da-b1bd-9016cd1b1cb0", + "eventName": "DescribeParameters", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T15:26:57Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "933175858973", + "requestID": "a94ac3e5-6956-4bd4-ae7a-6c4517865b56", + "requestParameters": { + "maxResults": 
10, + "nextToken": "AAEAAfqeTJBa9KzNy85Z/I9fugPDwcPX+6UgaeHcuXfK5NcfAAAAAGarqUAd2tcUDuJEuPOIEBFqxxAR2+Ls88vLJSSWVsgnhZkVpRH+/ddn7uN8ec0Gr584BOjtFxs2RNVM/BPT/Ka52SNZS8C4jsMXbFQyAIJCEVCy8oL+v+i5Sxfvn/fKNmLSNj8oci/vsGBMkPwPd1/3juDlgjoqjsMUTHJv+HVDfMuVm9bRqXO+FyUFppOpaqsZOfrKPumVN5p+Pa2QcTVQlegs72EzvnCarJYmoI63g5PmxWE9jhgs24rSTdm7oX6Ai4hYjGmhtZoIrFU/JGumeM7X0rivOEMRVAX//LKs+78Zyt2sPFMHFfEu7tqarKcMQDEP164enW/bwuOT+X0cn6ps1eyaQJyFQoMACCMRYDlZ0kn5c9LnQ5HqmimQnRIes6y+7CXHIhbV0ZZBsIdqXiGcPy4X7+s2VPJMq+2CTdPsmkQs0JS/p+y6PoN+k92S/HTGZpUqOBd59dT+mBmpLvCeBYoskxKZPuc/j84po9DZGsVNPRKHzqhsH5p9m9oSc+ZnEAF571cZmXM56I0BtSScsWP14HtZEEAwwV3batz4uKXbw7cHPRgBbyNVg3y6X0tjrgyk2/MD9BNlOTgrRHIJ1CAV9OQNY0WK+Y4KhXLkqebum6qTY+ijqrpwoHgsc9yXjxMxXFsZoutMiBYUWv7z22w32l3I9xXExJrU10oy8A==" + }, + "responseElements": null, + "sourceIPAddress": "250.202.242.232", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.cn-west-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_e1d92b9d-2488-4244-97b4-0a5e914287ba", + "userIdentity": { + "accessKeyId": "AKIAY964QRZ7YSGWGVUH", + "accountId": "933175858973", + "arn": "arn:aws:iam::933175858973:user/christophe", + "principalId": "AIDAGTWHLUXY291EU1ZL", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-west-3r", + "eventCategory": "Management", + "eventID": "a4663305-e887-42ac-94e6-d04685e59899", + "eventName": "GetParameters", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T15:26:57Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "933175858973", + "requestID": "be330b1c-725a-49bc-bac2-8d0d114c7e73", + "requestParameters": { + "names": [ + "/credentials/stratus-red-team/credentials-1", + "/credentials/stratus-red-team/credentials-15", + "/credentials/stratus-red-team/credentials-20", + "/credentials/stratus-red-team/credentials-25", + 
"/credentials/stratus-red-team/credentials-32", + "/credentials/stratus-red-team/credentials-34", + "/credentials/stratus-red-team/credentials-35", + "/credentials/stratus-red-team/credentials-36", + "/credentials/stratus-red-team/credentials-39", + "/credentials/stratus-red-team/credentials-6" + ], + "withDecryption": true + }, + "resources": [ + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-1", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-15", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-20", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-25", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-32", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-34", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-35", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-36", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-39", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-6", + "accountId": "933175858973" + } + ], + "responseElements": null, + "sourceIPAddress": "250.202.242.232", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.cn-west-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + 
"userAgent": "stratus-red-team_e1d92b9d-2488-4244-97b4-0a5e914287ba", + "userIdentity": { + "accessKeyId": "AKIAY964QRZ7YSGWGVUH", + "accountId": "933175858973", + "arn": "arn:aws:iam::933175858973:user/christophe", + "principalId": "AIDAGTWHLUXY291EU1ZL", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-west-3r", + "eventCategory": "Management", + "eventID": "f7fd8826-9ac0-46a5-b7d5-55c269f59541", + "eventName": "GetParameters", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T15:26:57Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "933175858973", + "requestID": "4bd8d56f-70f4-4b29-8702-b517ee503852", + "requestParameters": { + "names": [ + "/credentials/stratus-red-team/credentials-11", + "/credentials/stratus-red-team/credentials-17", + "/credentials/stratus-red-team/credentials-18", + "/credentials/stratus-red-team/credentials-22", + "/credentials/stratus-red-team/credentials-26", + "/credentials/stratus-red-team/credentials-3", + "/credentials/stratus-red-team/credentials-31", + "/credentials/stratus-red-team/credentials-37", + "/credentials/stratus-red-team/credentials-38", + "/credentials/stratus-red-team/credentials-7" + ], + "withDecryption": true + }, + "resources": [ + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-11", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-17", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-18", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-22", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-26", + 
"accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-3", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-31", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-37", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-38", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-7", + "accountId": "933175858973" + } + ], + "responseElements": null, + "sourceIPAddress": "250.202.242.232", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.cn-west-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_e1d92b9d-2488-4244-97b4-0a5e914287ba", + "userIdentity": { + "accessKeyId": "AKIAY964QRZ7YSGWGVUH", + "accountId": "933175858973", + "arn": "arn:aws:iam::933175858973:user/christophe", + "principalId": "AIDAGTWHLUXY291EU1ZL", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-west-3r", + "eventCategory": "Management", + "eventID": "674e3606-412b-4468-8d97-df54a290c564", + "eventName": "DescribeParameters", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T15:26:56Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "933175858973", + "requestID": "76e5cae2-768a-4fce-a2d2-b162e27c8293", + "requestParameters": { + "maxResults": 10, + "nextToken": 
"AAEAAYl+RRW68eJ0xW6biiQkM0UFbgLzAw680L15/s+wHzuWAAAAAGarqT8yLEDnasB3CYBlA/iBSdCHG6jmIVUUgyWN6FIuTR9LfGXxx5xnVpiuEeGOELVuVJR35ZqhwXSVIiS57kfs3KUyffu+H0Iy3PYS9EztV7mH58Q3pE5jcU13IozWkd03XYMkAl2hgz5xX2g3SW8BGD2QeBUYmtHspZrSSpDloZoeJ+DCcQPwHRc9NjbnOnscO8TFqWvos2OmRpMtyA5BY1UAtBwkd9A6C4k2+97cBtu71URXDkT4wP4DeSPM/ZgSnZudGylYxUP7cZPwcK/uxr6cw/ihqQ7B30xIdIt9a1k81WBsCeV5KdBTXQHyUEQxMQd4uEZD1nEd30nsg+JtHF5ckuYS19zYoNCKydCr2aFg7/dNCdrZy0hvmJ+bw/QESYs8ZUMj4i7ilDoVo/I+RXQogojGBVnVES0wxCidKLyDQBDxAYur9eL4fwbstwdeFJJTP1vr822DvXDs0Q5l0P590bEanMD5ZdC/+kVkOO2LdAHfRXe8Osb6tua7PsvLpm9DYs7jjJ7gZciC18XxygX5d77FpIw4LtiDvFKrtzIjhmy6ZOKfxaDjYUlpJ5trxawf5FX0jQuLSYw0HMsZEv9tU0iVVvCGcJPPuX0V2jR8vCbUUJe1LFnROuBDkcpvfsSIcD+jV3caD14QlsFP0oT5pdi8iE4lQQs42UBpfDxMHA==" + }, + "responseElements": null, + "sourceIPAddress": "250.202.242.232", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.cn-west-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_e1d92b9d-2488-4244-97b4-0a5e914287ba", + "userIdentity": { + "accessKeyId": "AKIAY964QRZ7YSGWGVUH", + "accountId": "933175858973", + "arn": "arn:aws:iam::933175858973:user/christophe", + "principalId": "AIDAGTWHLUXY291EU1ZL", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-west-3r", + "eventCategory": "Management", + "eventID": "7fbcfbae-35c6-4c93-88bf-741fe4c4ada3", + "eventName": "GetParameters", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T15:26:56Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "933175858973", + "requestID": "879a4957-60a5-413d-be00-de67325a9f33", + "requestParameters": { + "names": [ + "/credentials/stratus-red-team/credentials-10", + "/credentials/stratus-red-team/credentials-13", + "/credentials/stratus-red-team/credentials-14", + "/credentials/stratus-red-team/credentials-2", + 
"/credentials/stratus-red-team/credentials-23", + "/credentials/stratus-red-team/credentials-27", + "/credentials/stratus-red-team/credentials-29", + "/credentials/stratus-red-team/credentials-33", + "/credentials/stratus-red-team/credentials-4", + "/credentials/stratus-red-team/credentials-41" + ], + "withDecryption": true + }, + "resources": [ + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-10", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-13", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-14", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-2", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-23", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-27", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-29", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-33", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-4", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-41", + "accountId": "933175858973" + } + ], + "responseElements": null, + "sourceIPAddress": "250.202.242.232", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.cn-west-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + 
"userAgent": "stratus-red-team_e1d92b9d-2488-4244-97b4-0a5e914287ba", + "userIdentity": { + "accessKeyId": "AKIAY964QRZ7YSGWGVUH", + "accountId": "933175858973", + "arn": "arn:aws:iam::933175858973:user/christophe", + "principalId": "AIDAGTWHLUXY291EU1ZL", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-west-3r", + "eventCategory": "Management", + "eventID": "d487c732-d152-48b1-9897-90b3a037040d", + "eventName": "GetParameters", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T15:26:56Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "933175858973", + "requestID": "b93b1643-c5ab-4c02-90d3-4bfa619ca186", + "requestParameters": { + "names": [ + "/credentials/stratus-red-team/credentials-0", + "/credentials/stratus-red-team/credentials-16", + "/credentials/stratus-red-team/credentials-19", + "/credentials/stratus-red-team/credentials-21", + "/credentials/stratus-red-team/credentials-24", + "/credentials/stratus-red-team/credentials-28", + "/credentials/stratus-red-team/credentials-30", + "/credentials/stratus-red-team/credentials-5", + "/credentials/stratus-red-team/credentials-8", + "/credentials/stratus-red-team/credentials-9" + ], + "withDecryption": true + }, + "resources": [ + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-0", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-16", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-19", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-21", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-24", + 
"accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-28", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-30", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-5", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-8", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-9", + "accountId": "933175858973" + } + ], + "responseElements": null, + "sourceIPAddress": "250.202.242.232", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.cn-west-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_e1d92b9d-2488-4244-97b4-0a5e914287ba", + "userIdentity": { + "accessKeyId": "AKIAY964QRZ7YSGWGVUH", + "accountId": "933175858973", + "arn": "arn:aws:iam::933175858973:user/christophe", + "principalId": "AIDAGTWHLUXY291EU1ZL", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-west-3r", + "eventCategory": "Management", + "eventID": "f1283a09-788f-4b20-8b4f-0364dce2968a", + "eventName": "DescribeParameters", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T15:26:56Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "933175858973", + "requestID": "48e17307-1cde-4161-8e06-322fa6e2aef0", + "requestParameters": { + "maxResults": 10, + "nextToken": "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" + }, + "responseElements": null, + "sourceIPAddress": "250.202.242.232", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": 
"ssm.cn-west-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_e1d92b9d-2488-4244-97b4-0a5e914287ba", + "userIdentity": { + "accessKeyId": "AKIAY964QRZ7YSGWGVUH", + "accountId": "933175858973", + "arn": "arn:aws:iam::933175858973:user/christophe", + "principalId": "AIDAGTWHLUXY291EU1ZL", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-west-3r", + "eventCategory": "Management", + "eventID": "fb5e100b-273f-4cef-98e4-efc3a52a15e9", + "eventName": "GetParameters", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T15:26:58Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "933175858973", + "requestID": "760b9a37-2498-4d32-b041-f153827bcc3e", + "requestParameters": { + "names": [ + "/credentials/stratus-red-team/credentials-12", + "/credentials/stratus-red-team/credentials-40" + ], + "withDecryption": true + }, + "resources": [ + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-12", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-40", + "accountId": "933175858973" + } + ], + "responseElements": null, + "sourceIPAddress": "250.202.242.232", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.cn-west-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_e1d92b9d-2488-4244-97b4-0a5e914287ba", + "userIdentity": { + "accessKeyId": "AKIAY964QRZ7YSGWGVUH", + "accountId": "933175858973", + "arn": "arn:aws:iam::933175858973:user/christophe", + "principalId": "AIDAGTWHLUXY291EU1ZL", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-west-3r", + "eventCategory": "Management", + "eventID": "e77574ca-5c4f-4d99-9f3d-67cbfd04aa99", + "eventName": "DescribeParameters", + "eventSource": 
"ssm.amazonaws.com", + "eventTime": "2024-08-01T15:26:55Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "933175858973", + "requestID": "7f54e3af-2dc7-4392-8d7c-9a7f018dd1a2", + "requestParameters": { + "maxResults": 10 + }, + "responseElements": null, + "sourceIPAddress": "250.202.242.232", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.cn-west-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_e1d92b9d-2488-4244-97b4-0a5e914287ba", + "userIdentity": { + "accessKeyId": "AKIAY964QRZ7YSGWGVUH", + "accountId": "933175858973", + "arn": "arn:aws:iam::933175858973:user/christophe", + "principalId": "AIDAGTWHLUXY291EU1ZL", + "type": "IAMUser", + "userName": "christophe" + } + } + ] + ``` + +[^1]: These logs have been gathered from a real detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using [LogLicker](https://github.com/Permiso-io-tools/LogLicker). diff --git a/docs/attack-techniques/AWS/aws.defense-evasion.cloudtrail-delete.md b/docs/attack-techniques/AWS/aws.defense-evasion.cloudtrail-delete.md index 39ad05a60..545d9b749 100755 --- a/docs/attack-techniques/AWS/aws.defense-evasion.cloudtrail-delete.md +++ b/docs/attack-techniques/AWS/aws.defense-evasion.cloudtrail-delete.md 
@@ -41,3 +41,54 @@ Identify when a CloudTrail trail is deleted, through CloudTrail's DeleteTr GuardDuty also provides a dedicated finding type, [Stealth:IAMUser/CloudTrailLoggingDisabled](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#stealth-iam-cloudtrailloggingdisabled). + +## Detonation logs new! + +The following CloudTrail events are generated when this technique is detonated[^1]: + + +- `cloudtrail:DeleteTrail` + + +??? "View raw detonation logs" + + ```json hl_lines="6" + + [ + { + "awsRegion": "megov-westwest-1r", + "eventCategory": "Management", + "eventID": "ee73c230-44bc-4492-8542-cfb189eae287", + "eventName": "DeleteTrail", + "eventSource": "cloudtrail.amazonaws.com", + "eventTime": "2024-07-31T12:46:41Z", + "eventType": "AwsApiCall", + "eventVersion": "1.10", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "847129010505", + "requestID": "206c2187-a29f-45bf-86a2-a87d99ff7186", + "requestParameters": { + "name": "stratus-red-team-cloudtraild-trail-kvrwohmiai" + }, + "responseElements": null, + "sourceIPAddress": "08.1.250.216", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "cloudtrail.megov-westwest-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_a007fa03-86e2-4130-be03-ee7b7b10edcc", + "userIdentity": { + "accessKeyId": "AKIAFBJ48BV9CGRBRKGM", + "accountId": "847129010505", + "arn": "arn:aws:iam::847129010505:user/christophe", + "principalId": "AIDALE4EP1EPEPX3SDR8", + "type": "IAMUser", + "userName": "christophe" + } + } + ] + ``` + +[^1]: These logs have been gathered from a real detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using [LogLicker](https://github.com/Permiso-io-tools/LogLicker). 
diff --git a/docs/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors.md b/docs/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors.md index f53ea0dbb..8c8ca5b4e 100755 --- a/docs/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors.md +++ b/docs/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors.md 
@@ -41,3 +41,90 @@ stratus detonate aws.defense-evasion.cloudtrail-event-selectors Identify when event selectors of a CloudTrail trail are updated, through CloudTrail's PutEventSelectors event. + +## Detonation logs new! + +The following CloudTrail events are generated when this technique is detonated[^1]: + + +- `cloudtrail:PutEventSelectors` + + +??? "View raw detonation logs" + + ```json hl_lines="6" + + [ + { + "awsRegion": "cn-northsouth-2r", + "eventCategory": "Management", + "eventID": "c2a89408-340a-42f0-8ace-75d9f5769393", + "eventName": "PutEventSelectors", + "eventSource": "cloudtrail.amazonaws.com", + "eventTime": "2024-07-31T12:50:02Z", + "eventType": "AwsApiCall", + "eventVersion": "1.10", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "958312252124", + "requestID": "5176273c-0497-47e9-8f4c-840b62e7fc9a", + "requestParameters": { + "eventSelectors": [ + { + "dataResources": [ + { + "type": "AWS::S3::Object", + "values": [] + }, + { + "type": "AWS::Lambda::Function", + "values": [] + } + ], + "excludeManagementEventSources": [], + "includeManagementEvents": false, + "readWriteType": "ReadOnly" + } + ], + "trailName": "stratus-red-team-ctes-trail-khlvciwdor" + }, + "responseElements": { + "eventSelectors": [ + { + "dataResources": [ + { + "type": "AWS::S3::Object", + "values": [] + }, + { + "type": "AWS::Lambda::Function", + "values": [] + } + ], + "excludeManagementEventSources": [], + "includeManagementEvents": false, + "readWriteType": "ReadOnly" + } + ], + "trailARN": "arn:aws:cloudtrail:cn-northsouth-2r:958312252124:trail/stratus-red-team-ctes-trail-khlvciwdor" + }, + "sourceIPAddress": "221.254.191.250", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "cloudtrail.cn-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_ce507fbd-078a-4e4c-975d-d80cb80df469", + "userIdentity": { + "accessKeyId": "AKIA2I0BSXU5LNRWIN0K", + "accountId": 
"958312252124", + "arn": "arn:aws:iam::958312252124:user/christophe", + "principalId": "AIDA3JXGLTFY4HTLVVO7", + "type": "IAMUser", + "userName": "christophe" + } + } + ] + ``` + +[^1]: These logs have been gathered from a real detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using [LogLicker](https://github.com/Permiso-io-tools/LogLicker). diff --git a/docs/attack-techniques/AWS/aws.defense-evasion.cloudtrail-stop.md b/docs/attack-techniques/AWS/aws.defense-evasion.cloudtrail-stop.md index 0c2dca84f..3c1e7a4c8 100755 --- a/docs/attack-techniques/AWS/aws.defense-evasion.cloudtrail-stop.md +++ b/docs/attack-techniques/AWS/aws.defense-evasion.cloudtrail-stop.md 
@@ -41,3 +41,54 @@ Identify when a CloudTrail trail is disabled, through CloudTrail's StopLog GuardDuty also provides a dedicated finding type, [Stealth:IAMUser/CloudTrailLoggingDisabled](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#stealth-iam-cloudtrailloggingdisabled). + +## Detonation logs new! + +The following CloudTrail events are generated when this technique is detonated[^1]: + + +- `cloudtrail:StopLogging` + + +??? "View raw detonation logs" + + ```json hl_lines="6" + + [ + { + "awsRegion": "apiso-centralnorth-2r", + "eventCategory": "Management", + "eventID": "10163ed2-2253-469d-a5ee-cbc6651f8934", + "eventName": "StopLogging", + "eventSource": "cloudtrail.amazonaws.com", + "eventTime": "2024-07-31T13:06:24Z", + "eventType": "AwsApiCall", + "eventVersion": "1.10", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "143434273843", + "requestID": "14c891b6-11b5-4787-ae97-64a974977078", + "requestParameters": { + "name": "stratus-red-team-ct-stop-trail-buykxbqejv" + }, + "responseElements": null, + "sourceIPAddress": "86.245.153.234", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "cloudtrail.apiso-centralnorth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_c97089f1-1ae3-4ecc-b006-f5e8fd0f2571", + "userIdentity": { + "accessKeyId": "AKIAGGWFBBHBE7D3M9WI", + "accountId": "143434273843", + "arn": "arn:aws:iam::143434273843:user/christophe", + "principalId": "AIDAOC1SYDVN0AF0FMMR", + "type": "IAMUser", + "userName": "christophe" + } + } + ] + ``` + +[^1]: These logs have been gathered from a real detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using [LogLicker](https://github.com/Permiso-io-tools/LogLicker). 
diff --git a/docs/attack-techniques/AWS/aws.defense-evasion.dns-delete-logs.md b/docs/attack-techniques/AWS/aws.defense-evasion.dns-delete-logs.md index e19d7a36e..d6809cf91 100755 --- a/docs/attack-techniques/AWS/aws.defense-evasion.dns-delete-logs.md +++ b/docs/attack-techniques/AWS/aws.defense-evasion.dns-delete-logs.md 
@@ -38,3 +38,68 @@ stratus detonate aws.defense-evasion.dns-delete-logs
 Identify when a DNS logging configuration is deleted, through CloudTrail's DeleteResolverQueryLogConfig event.
+
+## Detonation logs new!
+
+The following CloudTrail events are generated when this technique is detonated[^1]:
+
+
+- `route53resolver:DeleteResolverQueryLogConfig`
+
+
+??? "View raw detonation logs"
+
+ ```json hl_lines="6"
+
+ [
+ {
+ "awsRegion": "sa-central-3r",
+ "eventCategory": "Management",
+ "eventID": "ba4609ca-b420-4cb6-bdff-307729b3b7db",
+ "eventName": "DeleteResolverQueryLogConfig",
+ "eventSource": "route53resolver.amazonaws.com",
+ "eventTime": "2024-07-31T14:23:46Z",
+ "eventType": "AwsApiCall",
+ "eventVersion": "1.08",
+ "managementEvent": true,
+ "readOnly": false,
+ "recipientAccountId": "206821776919",
+ "requestID": "6dbefe3c-b575-499a-a94d-a3bda0e4009a",
+ "requestParameters": {
+ "originSequenceNumber": 0,
+ "resolverQueryLogConfigId": "rqlc-4473f20ca554c07"
+ },
+ "responseElements": {
+ "resolverQueryLogConfig": {
+ "arn": "arn:aws:route53resolver:sa-central-3r:206821776919:resolver-query-log-config/rqlc-4473f20ca554c07",
+ "associationCount": 0,
+ "creationTime": "2024-07-31T14:23:44.841442289Z",
+ "creatorRequestId": "tf-r53-resolver-query-log-config-20240731142344425800000001",
+ "destinationArn": "arn:aws:s3:::stratus-red-team-dns-delete-bucket-bxxclslsdp",
+ "id": "rqlc-4473f20ca554c07",
+ "name": "stratus-red-team-dns-delete-config-bxxclslsdp",
+ "ownerId": "206821776919",
+ "shareStatus": "NOT_SHARED",
+ "status": "DELETING"
+ }
+ },
+ "sourceIPAddress": "251.234.045.249",
+ "tlsDetails": {
+ "cipherSuite": "TLS_AES_128_GCM_SHA256",
+ "clientProvidedHostHeader": "route53resolver.sa-central-3r.amazonaws.com",
+ "tlsVersion": "TLSv1.3"
+ },
+ "userAgent": "stratus-red-team_bdd216cd-7fb9-4b18-971a-cb585947fd95",
+ "userIdentity": {
+ "accessKeyId": "AKIADT99GZBZR7NVDT0D",
+ "accountId": "206821776919",
+ "arn":
"arn:aws:iam::206821776919:user/christophe", + "principalId": "AIDAKUK081EB3L71EAZV", + "type": "IAMUser", + "userName": "christophe" + } + } + ] + ``` + +[^1]: These logs have been gathered from a real detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using [LogLicker](https://github.com/Permiso-io-tools/LogLicker). diff --git a/docs/attack-techniques/AWS/aws.defense-evasion.organizations-leave.md b/docs/attack-techniques/AWS/aws.defense-evasion.organizations-leave.md index 9c3245d3a..52c937d5e 100755 --- a/docs/attack-techniques/AWS/aws.defense-evasion.organizations-leave.md +++ b/docs/attack-techniques/AWS/aws.defense-evasion.organizations-leave.md 
@@ -43,3 +43,172 @@ Any attempts from a child account to leave its AWS Organization should be consid
 Use the CloudTrail event LeaveOrganization.
+
+## Detonation logs new!
+
+The following CloudTrail events are generated when this technique is detonated[^1]:
+
+
+- `organizations:LeaveOrganization`
+
+- `sts:AssumeRole`
+
+
+??? "View raw detonation logs"
+
+ ```json hl_lines="6 60 103"
+
+ [
+ {
+ "awsRegion": "euiso-south-3r",
+ "eventCategory": "Management",
+ "eventID": "099bfd30-232c-4dff-9998-3821921063ca",
+ "eventName": "AssumeRole",
+ "eventSource": "sts.amazonaws.com",
+ "eventTime": "2024-08-02T08:30:00Z",
+ "eventType": "AwsApiCall",
+ "eventVersion": "1.08",
+ "managementEvent": true,
+ "readOnly": true,
+ "recipientAccountId": "307578594326",
+ "requestID": "4ddeba69-b9da-48b8-833a-c4d75f10111e",
+ "requestParameters": {
+ "durationSeconds": 900,
+ "roleArn": "arn:aws:iam::307578594326:role/stratus-red-team-leave-org-role",
+ "roleSessionName": "aws-go-sdk-1722587398902687000"
+ },
+ "resources": [
+ {
+ "ARN": "arn:aws:iam::307578594326:role/stratus-red-team-leave-org-role",
+ "accountId": "307578594326",
+ "type": "AWS::IAM::Role"
+ }
+ ],
+ "responseElements": {
+ "assumedRoleUser": {
+ "arn": "arn:aws:sts::307578594326:assumed-role/stratus-red-team-leave-org-role/aws-go-sdk-1722587398902687000",
+ "assumedRoleId": "AROAHKPEEQ9BHUOX4D93T:aws-go-sdk-1722587398902687000"
+ },
+ "credentials": {
+ "accessKeyId": "ASIA36EV31F1RB3OA8IG",
+ "expiration": "Aug 2, 2024, 8:45:00 AM",
+ "sessionToken": "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"
+ }
+ },
+ "sourceIPAddress": "252.5.222.230",
+ "tlsDetails": {
+ "cipherSuite": "TLS_AES_128_GCM_SHA256",
+ "clientProvidedHostHeader": "sts.euiso-south-3r.amazonaws.com",
+ "tlsVersion": "TLSv1.3"
+ },
+ "userAgent": "stratus-red-team_fd969928-3c0d-4feb-bd56-34f9aee3e6eb",
+ "userIdentity": {
+ "accessKeyId": "AKIADVISM0T50G52IF0D",
+ "accountId": "307578594326",
+ "arn":
"arn:aws:iam::307578594326:user/christophe", + "principalId": "AIDA7YYMW5FLWE3HGTNZ", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "euiso-south-3r", + "errorCode": "AccessDenied", + "errorMessage": "User: arn:aws:sts::307578594326:assumed-role/stratus-red-team-leave-org-role/aws-go-sdk-1722587398902687000 is not authorized to perform: organizations:LeaveOrganization on resource: * because no identity-based policy allows the organizations:LeaveOrganization action", + "eventCategory": "Management", + "eventID": "16903cbd-fdff-4818-82f2-d66ad09aaf57", + "eventName": "LeaveOrganization", + "eventSource": "organizations.amazonaws.com", + "eventTime": "2024-08-02T08:30:00Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "307578594326", + "requestID": "47bd7f8f-1cbf-49df-8503-7d60917e721a", + "requestParameters": null, + "responseElements": null, + "sourceIPAddress": "252.5.222.230", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "organizations.euiso-south-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_fd969928-3c0d-4feb-bd56-34f9aee3e6eb", + "userIdentity": { + "accessKeyId": "ASIA36EV31F1RB3OA8IG", + "accountId": "307578594326", + "arn": "arn:aws:sts::307578594326:assumed-role/stratus-red-team-leave-org-role/aws-go-sdk-1722587398902687000", + "principalId": "AROAHKPEEQ9BHUOX4D93T:aws-go-sdk-1722587398902687000", + "sessionContext": { + "attributes": { + "creationDate": "2024-08-02T08:30:00Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "307578594326", + "arn": "arn:aws:iam::307578594326:role/stratus-red-team-leave-org-role", + "principalId": "AROAHKPEEQ9BHUOX4D93T", + "type": "Role", + "userName": "stratus-red-team-leave-org-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "euiso-south-3r", + "eventCategory": "Management", + "eventID": 
"e3441619-0bf6-4818-bf18-391fb65ba98e", + "eventName": "AssumeRole", + "eventSource": "sts.amazonaws.com", + "eventTime": "2024-08-02T08:29:59Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "307578594326", + "requestID": "0af9d3b8-6911-407f-a3e7-b54c4e36e41c", + "requestParameters": { + "durationSeconds": 900, + "roleArn": "arn:aws:iam::307578594326:role/stratus-red-team-leave-org-role", + "roleSessionName": "aws-go-sdk-1722587398902687000" + }, + "resources": [ + { + "ARN": "arn:aws:iam::307578594326:role/stratus-red-team-leave-org-role", + "accountId": "307578594326", + "type": "AWS::IAM::Role" + } + ], + "responseElements": { + "assumedRoleUser": { + "arn": "arn:aws:sts::307578594326:assumed-role/stratus-red-team-leave-org-role/aws-go-sdk-1722587398902687000", + "assumedRoleId": "AROAHKPEEQ9BHUOX4D93T:aws-go-sdk-1722587398902687000" + }, + "credentials": { + "accessKeyId": "ASIAMOWPWQJ1QHWCWJXJ", + "expiration": "Aug 2, 2024, 8:44:59 AM", + "sessionToken": "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" + } + }, + "sourceIPAddress": "252.5.222.230", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "sts.euiso-south-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_fd969928-3c0d-4feb-bd56-34f9aee3e6eb", + "userIdentity": { + "accessKeyId": "AKIADVISM0T50G52IF0D", + "accountId": "307578594326", + "arn": "arn:aws:iam::307578594326:user/christophe", + "principalId": "AIDA7YYMW5FLWE3HGTNZ", + "type": "IAMUser", + "userName": "christophe" + } + } + ] + ``` + +[^1]: These logs have been gathered from a real detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using [LogLicker](https://github.com/Permiso-io-tools/LogLicker). 
diff --git a/docs/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs.md b/docs/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs.md
index aa9a44cd8..adb4ee334 100755
--- a/docs/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs.md
+++ b/docs/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs.md
@@ -42,3 +42,65 @@ To reduce the risk of false positives related to VPC deletion in development env
 only when DeleteFlowLogs is not closely followed by DeleteVpc.
+
+## Detonation logs new!
+
+The following CloudTrail events are generated when this technique is detonated[^1]:
+
+
+- `ec2:DeleteFlowLogs`
+
+
+??? "View raw detonation logs"
+
+ ```json hl_lines="6"
+
+ [
+ {
+ "awsRegion": "megov-south-1r",
+ "eventCategory": "Management",
+ "eventID": "ded2f5af-f3a5-46d2-a170-a23206a32c36",
+ "eventName": "DeleteFlowLogs",
+ "eventSource": "ec2.amazonaws.com",
+ "eventTime": "2024-07-31T15:07:49Z",
+ "eventType": "AwsApiCall",
+ "eventVersion": "1.09",
+ "managementEvent": true,
+ "readOnly": false,
+ "recipientAccountId": "498376118699",
+ "requestID": "96d51d7f-c18d-45b9-8315-9aa0fde21e88",
+ "requestParameters": {
+ "DeleteFlowLogsRequest": {
+ "FlowLogId": {
+ "content": "fl-0e17aa62a21d4bbfe",
+ "tag": 1
+ }
+ }
+ },
+ "responseElements": {
+ "DeleteFlowLogsResponse": {
+ "requestId": "96d51d7f-c18d-45b9-8315-9aa0fde21e88",
+ "unsuccessful": "",
+ "xmlns": "http://ec2.amazonaws.com/doc/2016-11-15/"
+ }
+ },
+ "sourceIPAddress": "206.90.1.223",
+ "tlsDetails": {
+ "cipherSuite": "TLS_AES_128_GCM_SHA256",
+ "clientProvidedHostHeader": "ec2.megov-south-1r.amazonaws.com",
+ "tlsVersion": "TLSv1.3"
+ },
+ "userAgent": "stratus-red-team_5d25952b-37cb-46cc-a135-3407cbbca7bf",
+ "userIdentity": {
+ "accessKeyId": "AKIA5Q8Z0GHOBYSEN9D6",
+ "accountId": "498376118699",
+ "arn": "arn:aws:iam::498376118699:user/christophe",
+ "principalId": "AIDACKW2I5F25HSI3O4J",
+ "type": "IAMUser",
+ "userName": "christophe"
+ }
+ }
+ ]
+ ```
+
+[^1]: These logs have been gathered from a real detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using [LogLicker](https://github.com/Permiso-io-tools/LogLicker).
diff --git a/docs/attack-techniques/AWS/aws.discovery.ec2-download-user-data.md b/docs/attack-techniques/AWS/aws.discovery.ec2-download-user-data.md
index f35d09590..9b2ef19ea 100755
--- a/docs/attack-techniques/AWS/aws.discovery.ec2-download-user-data.md
+++ b/docs/attack-techniques/AWS/aws.discovery.ec2-download-user-data.md
@@ -50,3 +50,913 @@ See: * [Associated Sigma rule](https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/aws_ec2_download_userdata.yml) + +## Detonation logs new! + +The following CloudTrail events are generated when this technique is detonated[^1]: + + +- `ec2:DescribeInstanceAttribute` + +- `sts:AssumeRole` + + +??? "View raw detonation logs" + + ```json hl_lines="8 56 104 152 200 248 294 346 400 433 466 514 562 610 658 706 754 802 850" + + [ + { + "awsRegion": "apiso-westcentral-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::751353041310:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000 is not authorized to perform: ec2:DescribeInstanceAttribute on resource: arn:aws:ec2:apiso-westcentral-3r:751353041310:instance/* because no identity-based policy allows the ec2:DescribeInstanceAttribute action. Encoded authorization failure message: K2-zhDkMqUq-g9q-R4ks6tltFzD63SUSxwKCTu5riJZoSD2q1xthgx-uUJ0ES-JqWPLhTUEHsklWqMDa1NqCV9zjmM_HU5bzubi61HQEvxzFcppL-MtX639POzt6cD5-pTLVsUW6YAT9JzLX4c4Afn3rPb-F9HrcqUBa8P9MXv5BtTbvfHYYeLuFbf8LOS3b2v6c_Mytt7ag-xgRM54brHGy3Esp0JNbejXPCvlzvkmtppUxCs-Sq561B4o7P89gymFqqIY10tNagPMAiM7JVhidM_NzBCkF1Q3XvOw7BTrBnXT5v-g7oadbGoZ1vVe_QsoZwDTQqWAF5zniUgu89LFxiUuEZhpeirUGnTZbkIubQ4J6OCDsCmO1lDz521qUfqpthJ9M5MzznWoYyXb-Ht38YTD81mWbq1dak2t4st3uQUfNZnhbSZkA7a7D5JlgAKkoG6DXplVL-ll78WgVcAKcwSJZ29wp1SE3U6zJ09Sz6ZEuSbeIbm2nyyYYCcTQoSNBU6qK08r_L_2qSiai_DYSh_HLspQtX4OwyPdtbJjAXrlPydgBY2lmniJvZ0nKv-zTzzk", + "eventCategory": "Management", + "eventID": "4839af5e-7b6a-4353-a5ef-41febc9a9fa8", + "eventName": "DescribeInstanceAttribute", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-31T19:52:37Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "321848314756", + "requestID": "d5c299e1-afd0-464f-92d7-8219b597c93b", + "requestParameters": { + 
"attribute": "userData", + "instanceId": "i-95b86090" + }, + "responseElements": null, + "sourceIPAddress": "255.18.064.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-westcentral-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_f193d7d4-8114-40ff-acc9-a123d5463ff3", + "userIdentity": { + "accessKeyId": "ASIA4URVX2JM5MT0ZGK8", + "accountId": "321848314756", + "arn": "arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000", + "principalId": "AROAUF4S4NNXFP6WTHD73:aws-go-sdk-1722455550269043000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-31T19:52:33Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "321848314756", + "arn": "arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "principalId": "AROAUF4S4NNXFP6WTHD73", + "type": "Role", + "userName": "stratus-red-team-get-usr-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-westcentral-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000 is not authorized to perform: ec2:DescribeInstanceAttribute on resource: arn:aws:ec2:apiso-westcentral-3r:321848314756:instance/* because no identity-based policy allows the ec2:DescribeInstanceAttribute action. 
Encoded authorization failure message: _AfGAKvvBmg1J3PRHkFjzWBCMkRgqZE3AD1OiUgYd6dVN4yRyc0XzZpxeYj1vesLCnaLrBmg3nMtcSfn6ymrP4eQibOdrpNv7x4GdFBzcg6H1jchddomWF3ZbTJLKGrzD_9ygAKiyk-mB_W1pK7UfIbjZ0CLgrxJW2fgNBZp1KzZDvT7gqpI9v4h3oip_Cs_oE_Cb__1O7IthlNNfbyOBPe_E9J8bpqWMD7_IRdcnNkbprGQQ-U794zyAVVcuAm29HZBUE4MFgslthGmi5_EZtYnAz6qbT6kc9gl0ilBJiVeJ_iru-ySGXONW_OauI9u_TLGk2TRbDwuAyl5t6UXVZgmVcRx6-OOfz1rn2FCbeW1u5pbWnGCxJgmFUDOOQZOR3dJX-oRCbfgvI-kKnDYmHPF2xTks_v56oFzhrONpxzDMUosZiumPm9lP5bPCXQSkuLxE4wFFA8WGTw2KSGJC-Imzy1ia6JXXb2g3Yzsk7uyy8Xs3ylGgclmmGG8ktNHsOctUcYY5lFKDlZXeo6Y-LWYP8s2o42sOvoSoHvYyXIY_oFveAN0TfUemD3JMYM5CDQwX-E", + "eventCategory": "Management", + "eventID": "5a44c114-2692-4701-bc09-faeb3f49b56d", + "eventName": "DescribeInstanceAttribute", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-31T19:52:37Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "321848314756", + "requestID": "712cd928-14d7-4783-ba9b-bfff98219325", + "requestParameters": { + "attribute": "userData", + "instanceId": "i-3753597f" + }, + "responseElements": null, + "sourceIPAddress": "255.18.064.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-westcentral-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_f193d7d4-8114-40ff-acc9-a123d5463ff3", + "userIdentity": { + "accessKeyId": "ASIA4URVX2JM5MT0ZGK8", + "accountId": "321848314756", + "arn": "arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000", + "principalId": "AROAUF4S4NNXFP6WTHD73:aws-go-sdk-1722455550269043000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-31T19:52:33Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "321848314756", + "arn": "arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "principalId": "AROAUF4S4NNXFP6WTHD73", + "type": 
"Role", + "userName": "stratus-red-team-get-usr-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-westcentral-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000 is not authorized to perform: ec2:DescribeInstanceAttribute on resource: arn:aws:ec2:apiso-westcentral-3r:321848314756:instance/* because no identity-based policy allows the ec2:DescribeInstanceAttribute action. Encoded authorization failure message: CPSSB4ODNNOXUXPaXrznW3jKaCViA5XJMIUfCdSr164Zl3rE4DaIvafRfxiNtM46GP9iOKo5UQuOJ8nl6LXDOBAipo-vFaNrFkI7kAh_9jW19q9-7L5rpv5xSSIcB8jrfrgwB966zc8KtjgTgXrE3oxkbTg60LCkPNlkWMjDaznlKQQHLJDNXu7E83sS3FIfZoBXiLuehqa-AYNeFIPMQIYcBpLGmGvPni-9EVG80mMZ4HdNtQa2aMKOUBfwXZisVmbyO2qGwPjfjVSgAJGX8wUVt4Uz8St_4O8hdL7RwQyJ-BrzTHQbt3ZzYXiet-nrKYwA8l5oIGsP7Hy9tSmnEUANWpZmboAkNc6qbxl1qfnfDxz-m80momRyAGFt7gBULvvnkYRiLJm-SQdm7dQFTbjpAUbjGA0aICT5k4KOLwQqR1iTm18jmA4NVWnAj0deEwdd46DkoI_-plbo6kpeSUD7NO1T2d_eLFOVRkha7G-fRiCaFDy2qRlBFaCd2RzEBce3UY5FG_QTn4jyWBZS0a6e2lwLpZcSuJ7wtOVGNRl8jV74VfybC60jV-XD82vjULLfdE7y", + "eventCategory": "Management", + "eventID": "0a4a4ee3-b1a7-4194-ab60-7465b4d5216e", + "eventName": "DescribeInstanceAttribute", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-31T19:52:36Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "321848314756", + "requestID": "59750908-8c42-4c10-b565-3427a5c9e8a2", + "requestParameters": { + "attribute": "userData", + "instanceId": "i-751e5b81" + }, + "responseElements": null, + "sourceIPAddress": "255.18.064.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-westcentral-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": 
"stratus-red-team_f193d7d4-8114-40ff-acc9-a123d5463ff3", + "userIdentity": { + "accessKeyId": "ASIA4URVX2JM5MT0ZGK8", + "accountId": "321848314756", + "arn": "arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000", + "principalId": "AROAUF4S4NNXFP6WTHD73:aws-go-sdk-1722455550269043000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-31T19:52:33Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "321848314756", + "arn": "arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "principalId": "AROAUF4S4NNXFP6WTHD73", + "type": "Role", + "userName": "stratus-red-team-get-usr-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-westcentral-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000 is not authorized to perform: ec2:DescribeInstanceAttribute on resource: arn:aws:ec2:apiso-westcentral-3r:321848314756:instance/* because no identity-based policy allows the ec2:DescribeInstanceAttribute action. 
Encoded authorization failure message: CjrZQ3pjS8x41gRyVn1El8FK6p765IxIXyIqQRnIB_SfDAGSUpbxge9vshA3ll1RroDdvQSdsdV__Xg2WwzBoNuv7u-jnHv1H7K30GWcpYF459-XWgJX4dd7UpPYSbTER8yyz5EbkruXWoraLEsZEumgrAOhXqvBx9LdOgNlXcVn3KpofAndVdHt2qdkuQWBBtOMUTWfwg5S7MPZXrH3vcLaFiZ07n5FYJvrkInHNs1loQmLLWaTVnxOCqZjrdyhInF_ziEIFJnK4JAwkgeryGhNJN7KybjAbV80CVX6DazJ95aPze_8cqSBp2aPnBnaMUe4ftxFxOhglU6zXysDVeGSvwuKhFVJ5xxsZCAz4oUu9KWwdZx1_ufKxNkYWFVCv5cMbOyUeakUjFDalwpZYtCMW-Yi4wM6lR7uGA4uD_e2MnpAgXXnpQGnVz9-LQh_x2ceMDhkYjNq8omKnsUKDwYzIXrpzlz28T7iIlDg1CPoIKT1iQnCt6KP7RhciyEcuIHVCNtdB146CSNzdBVYUuTIfHp7pWsYUaFQXzeZpoqeNXBynb_LGlYexwGaq9ozpr5XgaU", + "eventCategory": "Management", + "eventID": "962d6fc2-b79e-4d8a-a7ab-36d72048c12e", + "eventName": "DescribeInstanceAttribute", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-31T19:52:36Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "321848314756", + "requestID": "8fa1c8fd-196a-4fbd-bab1-75f7c3e81de2", + "requestParameters": { + "attribute": "userData", + "instanceId": "i-df55c340" + }, + "responseElements": null, + "sourceIPAddress": "255.18.064.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-westcentral-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_f193d7d4-8114-40ff-acc9-a123d5463ff3", + "userIdentity": { + "accessKeyId": "ASIA4URVX2JM5MT0ZGK8", + "accountId": "321848314756", + "arn": "arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000", + "principalId": "AROAUF4S4NNXFP6WTHD73:aws-go-sdk-1722455550269043000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-31T19:52:33Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "321848314756", + "arn": "arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "principalId": "AROAUF4S4NNXFP6WTHD73", + "type": 
"Role", + "userName": "stratus-red-team-get-usr-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-westcentral-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000 is not authorized to perform: ec2:DescribeInstanceAttribute on resource: arn:aws:ec2:apiso-westcentral-3r:321848314756:instance/* because no identity-based policy allows the ec2:DescribeInstanceAttribute action. Encoded authorization failure message: ykssQBy7g1b7unmht52qJO9GqEuM9SZROkjhaP7a_XsSBjG5Sj0icyonTNZIsy7CQRd_hLUQNCGqq3oF2OfoVKGcZLCBe68vuBxZntrptcrIhXwHSuMadTIFiNo30KKEarrAdzXZGrjX9uVnR4CwRkYCqW-SjaKcGzXNen6kBffzqgwxqarePx8N-ogghgLxQ6BTIvOUmVV65LGkHYpfusv6nWqPrEqjg3DCHFD_hhs28eDHzWhwoly3mNff07K03YrFo9_l0gRPb1BTO7RBj2i__rbMeIFeZhnCy-8durAXqvCJ7MI4qEBh_hV6kpaJWV498NsGquTz6TOcY40En74o0novX2014oalF8bBqB8ZMGNGngBP_Dfomt_9g7hQGE6xH9eB9c_96CsB4BVw_hhMtzsKbLej201KxqoVh92RqDhFB3xldQh-TZ-IqxAHdRZKcdaLSFUCqUihk-eguiHfDWPT7QsmDZajE2A0-JiaXzGbadVofCb6dDQ8_KzbbMh2QKXltTW6XpbhKhaEaaTjQ_LTHdLLkirn2ft5vDCR4_uQWbqEV1FJI-Vtup2WB6GGFTM", + "eventCategory": "Management", + "eventID": "12b3736b-a8c7-4eaf-ae84-fa8dab5b5503", + "eventName": "DescribeInstanceAttribute", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-31T19:52:35Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "321848314756", + "requestID": "e9ac818a-e92c-4782-a26f-feb5555f1fe9", + "requestParameters": { + "attribute": "userData", + "instanceId": "i-36d80d67" + }, + "responseElements": null, + "sourceIPAddress": "255.18.064.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-westcentral-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": 
"stratus-red-team_f193d7d4-8114-40ff-acc9-a123d5463ff3", + "userIdentity": { + "accessKeyId": "ASIA4URVX2JM5MT0ZGK8", + "accountId": "321848314756", + "arn": "arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000", + "principalId": "AROAUF4S4NNXFP6WTHD73:aws-go-sdk-1722455550269043000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-31T19:52:33Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "321848314756", + "arn": "arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "principalId": "AROAUF4S4NNXFP6WTHD73", + "type": "Role", + "userName": "stratus-red-team-get-usr-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-westcentral-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000 is not authorized to perform: ec2:DescribeInstanceAttribute on resource: arn:aws:ec2:apiso-westcentral-3r:321848314756:instance/* because no identity-based policy allows the ec2:DescribeInstanceAttribute action. 
Encoded authorization failure message: 3BD0zHY48CigR_ciFcRG14BzmH5vjQrT-QTgTppJiQ3ZWC5ZrnHzJJLNt4ddkfgHxuYlLAVYKkaY115GgvVQDWwjFH-cPsWOJc2G_a4GTJ8Znbv1aOkjTIKXYzxbO_KUS2szny9byykTkZ_SC41D-EENTd_WSdnuJGHuPghJOQzfd0D8PHoDLjObbikjQ4vfq1ewNinQXSZLNSoGs3DT0WikHe2uDVAaFHSwycFW8Bdp5y4bPVs-r6GxzoXN2JnEBxNUm7qtukD4J9-ymKfMtQwuLTcbjzb6r1gN5Jis_qDejUThSYK320IsCPJR9iR47yRyoS2Kuti6WhZ4CUjXv1-UhJpymDcM_g5i_NLQfnSy-T9qYXlj5kGSz_N9zF6jh0ZfmDsFyV_Avwov7bw6Jlgv922-ytF655M3skjZ31gf3-FScjt_sCzuKiaLTtHeSaZi4vTsHXtD-Gfl0W_BcZxTJeeJhuCzGyiLAhyXjIulmp4eWwuvBhuwPpkXIEbakpJ-pqx-rQVK9yp3NeqynD7tWeMtGQhiPl4lT1SsC1PBmJylWEimo560OKrRccI2JyXwKRE", + "eventCategory": "Management", + "eventID": "b6ed03db-7300-48b3-bdf4-b778a5c3e5a4", + "eventName": "DescribeInstanceAttribute", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-31T19:52:35Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "321848314756", + "requestID": "eea398fe-73d9-4393-ba25-ffe91a6858d1", + "requestParameters": { + "attribute": "userData", + "instanceId": "i-2c3565b4" + }, + "responseElements": null, + "sourceIPAddress": "255.18.064.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-westcentral-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_f193d7d4-8114-40ff-acc9-a123d5463ff3", + "userIdentity": { + "accessKeyId": "ASIA4URVX2JM5MT0ZGK8", + "accountId": "321848314756", + "arn": "arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000", + "principalId": "AROAUF4S4NNXFP6WTHD73:aws-go-sdk-1722455550269043000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-31T19:52:33Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "321848314756", + "arn": "arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "principalId": "AROAUF4S4NNXFP6WTHD73", + "type": 
"Role", + "userName": "stratus-red-team-get-usr-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-westcentral-3r", + "eventCategory": "Management", + "eventID": "cf589cd4-9633-4cc6-9b5c-c74f5a735fa5", + "eventName": "AssumeRole", + "eventSource": "sts.amazonaws.com", + "eventTime": "2024-07-31T19:52:33Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "321848314756", + "requestID": "01d3746c-667c-4cf6-a149-fa51a50c2024", + "requestParameters": { + "durationSeconds": 900, + "roleArn": "arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "roleSessionName": "aws-go-sdk-1722455550269043000" + }, + "resources": [ + { + "ARN": "arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "accountId": "321848314756", + "type": "AWS::IAM::Role" + } + ], + "responseElements": { + "assumedRoleUser": { + "arn": "arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000", + "assumedRoleId": "AROAUF4S4NNXFP6WTHD73:aws-go-sdk-1722455550269043000" + }, + "credentials": { + "accessKeyId": "ASIA74KS09ZFFBFV9E6K", + "expiration": "Jul 31, 2024, 8:07:33 PM", + "sessionToken": "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" + } + }, + "sourceIPAddress": "255.18.064.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "sts.apiso-westcentral-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_f193d7d4-8114-40ff-acc9-a123d5463ff3", + "userIdentity": { + "accessKeyId": "AKIAMJ2320ZAXACWCPJI", + "accountId": "321848314756", + "arn": "arn:aws:iam::321848314756:user/christophe", + "principalId": "AIDA2Q68JMYYLLXFIRZ7", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "apiso-westcentral-3r", + "eventCategory": "Management", + "eventID": "eebae605-3664-4560-a248-17d33f9ef6ef", + "eventName": "AssumeRole", + 
"eventSource": "sts.amazonaws.com", + "eventTime": "2024-07-31T19:52:33Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "321848314756", + "requestID": "bf358b35-961d-4c8b-bcfd-82b647eb825c", + "requestParameters": { + "durationSeconds": 900, + "roleArn": "arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "roleSessionName": "aws-go-sdk-1722455550269043000" + }, + "resources": [ + { + "ARN": "arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "accountId": "321848314756", + "type": "AWS::IAM::Role" + } + ], + "responseElements": { + "assumedRoleUser": { + "arn": "arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000", + "assumedRoleId": "AROAUF4S4NNXFP6WTHD73:aws-go-sdk-1722455550269043000" + }, + "credentials": { + "accessKeyId": "ASIA4URVX2JM5MT0ZGK8", + "expiration": "Jul 31, 2024, 8:07:33 PM", + "sessionToken": "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" + } + }, + "sourceIPAddress": "255.18.064.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "sts.apiso-westcentral-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_f193d7d4-8114-40ff-acc9-a123d5463ff3", + "userIdentity": { + "accessKeyId": "AKIAMJ2320ZAXACWCPJI", + "accountId": "321848314756", + "arn": "arn:aws:iam::321848314756:user/christophe", + "principalId": "AIDA2Q68JMYYLLXFIRZ7", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "apiso-westcentral-3r", + "errorCode": "AccessDenied", + "errorMessage": "User: arn:aws:iam::321848314756:user/christophe is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "eventCategory": "Management", + "eventID": "4cf5dad6-648f-48eb-85a7-6181c5d79424", + "eventName": "AssumeRole", + "eventSource": "sts.amazonaws.com", 
+ "eventTime": "2024-07-31T19:52:31Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "321848314756", + "requestID": "4707e217-520c-4854-833e-179f3607230a", + "requestParameters": null, + "responseElements": null, + "sourceIPAddress": "255.18.064.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "sts.apiso-westcentral-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_f193d7d4-8114-40ff-acc9-a123d5463ff3", + "userIdentity": { + "accessKeyId": "AKIAMJ2320ZAXACWCPJI", + "accountId": "321848314756", + "arn": "arn:aws:iam::321848314756:user/christophe", + "principalId": "AIDA2Q68JMYYLLXFIRZ7", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "apiso-westcentral-3r", + "errorCode": "AccessDenied", + "errorMessage": "User: arn:aws:iam::321848314756:user/christophe is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "eventCategory": "Management", + "eventID": "67fa9341-bd06-4ceb-a8b8-6815522b5a1b", + "eventName": "AssumeRole", + "eventSource": "sts.amazonaws.com", + "eventTime": "2024-07-31T19:52:31Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "321848314756", + "requestID": "13c6f460-608a-487b-82df-9ad531b39a6f", + "requestParameters": null, + "responseElements": null, + "sourceIPAddress": "255.18.064.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "sts.apiso-westcentral-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_f193d7d4-8114-40ff-acc9-a123d5463ff3", + "userIdentity": { + "accessKeyId": "AKIAMJ2320ZAXACWCPJI", + "accountId": "321848314756", + "arn": "arn:aws:iam::321848314756:user/christophe", + "principalId": "AIDA2Q68JMYYLLXFIRZ7", + "type": 
"IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "apiso-westcentral-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000 is not authorized to perform: ec2:DescribeInstanceAttribute on resource: arn:aws:ec2:apiso-westcentral-3r:321848314756:instance/* because no identity-based policy allows the ec2:DescribeInstanceAttribute action. Encoded authorization failure message: LB7cA78q30t1tPsWTMLmstV2qcxGVIDbeIQlzeLa9H7MPbjgPAHNoi51kZZmZ33zYw4qbgTCuvrDtE0vGEZRfg3WOLD6RjgUu-S9h-hnkY4DsAaweKHsmLzpRYc1iZ69Re7Yghrc9uua92glqVFHOCjGSYgk3RuA6BTQMfJxYEc4Y1LVk-NXUEWwPki_ubaTquUUHUudZbS6yRuyUInvSIMlA6t1P3Adv0uKpnPCPjdJ9oeF8x7i3oL0WuSx7QVWW_p4fX5teDwqmm_O6wHslKfrCBaD56so68LXhYb1OoeTFsh5AmPX_jN5y_Xk7b5jdm-LmTNtmslSZ6Kaz30ThcPPsInsmOQYgrPeOCOixVHoKbedfYIb8V-KZsKhsryeFg5ap1Xo64XepKfWPEY2WsLWZpgOAJ6n9mlq6qVzsXb7XOvJ-rtaX4e6nRJczkf5oA3NCnKpUHckI0SW6mv0IeSmE79YKnD22mJ0Jk1mWQmu6Ojs03ijwK4bZAJ7KqgFd9OiGBiQHiYCYqLR6jhjr5Iw9z4r9Zu-Rk3L50nZ8Yodj9prBWQuGPapLAN-2zExiOPr3JI", + "eventCategory": "Management", + "eventID": "971a0ce7-1f66-4dba-918d-cd2a5b12ebe5", + "eventName": "DescribeInstanceAttribute", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-31T19:52:38Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "321848314756", + "requestID": "1d4bd0bb-0761-4c4e-9cf3-60eb78dc69be", + "requestParameters": { + "attribute": "userData", + "instanceId": "i-eacdbb0b" + }, + "responseElements": null, + "sourceIPAddress": "255.18.064.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-westcentral-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_f193d7d4-8114-40ff-acc9-a123d5463ff3", + "userIdentity": { + "accessKeyId": 
"ASIA4URVX2JM5MT0ZGK8", + "accountId": "321848314756", + "arn": "arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000", + "principalId": "AROAUF4S4NNXFP6WTHD73:aws-go-sdk-1722455550269043000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-31T19:52:33Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "321848314756", + "arn": "arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "principalId": "AROAUF4S4NNXFP6WTHD73", + "type": "Role", + "userName": "stratus-red-team-get-usr-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-westcentral-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000 is not authorized to perform: ec2:DescribeInstanceAttribute on resource: arn:aws:ec2:apiso-westcentral-3r:321848314756:instance/* because no identity-based policy allows the ec2:DescribeInstanceAttribute action. 
Encoded authorization failure message: VUo9HEgnkqejRmwZ981TtFTVCu8SFtMJJcOgZYlCFTsJTpYwp7FVaiOvMufhCY1iszVV-5YVWpcFtyZ3ygwVzqbJ4QStjDU_R92FtZMlO5oO-l-XVgaf8Z5JuyUs1ulVWrY25HY3Kt2L08win1DK-vtsE8-b4Ewe2-tDlTBHmKiR8mfUD3BO_fH73yhWkLoDD1s0Pa4hKv3auv5jGd-564yRXr0Rx_IGTFoi2hBTs5VN9-MQOc8VUlw-RMyZu-YT-dRajZ9TdH3VRvyGzLKuhrcu-fwBcXhUaHR99Z5HvPiQjRpvkMb9lth6oMpkMaZenHwm67D8l2xDca6-2GTMLatZbJZO43gibKowBQPku1aX_ji7KwMjK4qec-p0pwexuc7wfaxiej9lqGg3P0Zhf2Zv8wq_5mj0IP9oWc_RwS_MIWxMtYQ_oMfn5qd6w9DkGxikX0H0VvG5sGdwv6QYr9BJHPmJRqy6vb6RK9N9t3ZTdm8NqJGlInmdKYwXEWvyaPofwoj-BhZhfuDYXyMOgDBaA6aOncL3_H3kQsV0YWvAqIZiGQsjb8ivWAnY0MpPYK_69_c", + "eventCategory": "Management", + "eventID": "0ee61554-ac1d-4c40-abde-2ff51473f180", + "eventName": "DescribeInstanceAttribute", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-31T19:52:35Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "321848314756", + "requestID": "c32c0316-5ddb-441a-bbdb-aaf2a6b9e44f", + "requestParameters": { + "attribute": "userData", + "instanceId": "i-66a17941" + }, + "responseElements": null, + "sourceIPAddress": "255.18.064.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-westcentral-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_f193d7d4-8114-40ff-acc9-a123d5463ff3", + "userIdentity": { + "accessKeyId": "ASIA4URVX2JM5MT0ZGK8", + "accountId": "321848314756", + "arn": "arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000", + "principalId": "AROAUF4S4NNXFP6WTHD73:aws-go-sdk-1722455550269043000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-31T19:52:33Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "321848314756", + "arn": "arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "principalId": "AROAUF4S4NNXFP6WTHD73", + "type": 
"Role", + "userName": "stratus-red-team-get-usr-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-westcentral-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000 is not authorized to perform: ec2:DescribeInstanceAttribute on resource: arn:aws:ec2:apiso-westcentral-3r:321848314756:instance/* because no identity-based policy allows the ec2:DescribeInstanceAttribute action. Encoded authorization failure message: uOFPYQO23u4TQn2JQmg4tRDYkzz74KyWtOKizw8XEkx3-OWmistPtzU2fOb6WQoI3PW7pMHipebgFskL2-k__VUGSdmyNRkCBGyz4YAIBQ_aFO_WZZ5qC2FPxzQEtb6EB34yQ4Blutwafq-hERt2vxzyyVWU2sg7vZB-ydJSYkpb5vClj5OY0qTANhe58P7DtwcGhfrusetkwZ6Qyk52M3ctvCVHeFg-dPU5fFit7Tn9HmsQ7D9zCB-_vHErBqOl497_y-gXeRCdaO7brcVkZerWLQtbpSKWy9_i0WT1SvwQ4-cGbVvKinApvGtdYT-WlvrV3DWyPhdQzbSQJru8yQKAwmp4vshdSjvQ8T4B5VjdqOuflOsRuciuOrF_o_ZKiQYDOXrrAI-Mkd9LNCvwe-DAS60EUV1wQDFFJEXWg4e2_AX1IB5G0LQwbARXBoYrK4tZe5SY_aNp-vePaCjUDkvM7SXdSiMc2NCxSrRd7QVUdgp8uH2iHelrO_g2c9N5Yk6B5rdqVOIeVziuR575r9U2slnzaS_VDgAiAKekNsqltWp_cw5RPQqUBU6w_H0Le9wevYM", + "eventCategory": "Management", + "eventID": "3178929b-eb35-4a1b-b479-de1ca5187fb9", + "eventName": "DescribeInstanceAttribute", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-31T19:52:35Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "321848314756", + "requestID": "1b702f59-5907-4faf-9f33-a187407f03c3", + "requestParameters": { + "attribute": "userData", + "instanceId": "i-4cb766e5" + }, + "responseElements": null, + "sourceIPAddress": "255.18.064.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-westcentral-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": 
"stratus-red-team_f193d7d4-8114-40ff-acc9-a123d5463ff3", + "userIdentity": { + "accessKeyId": "ASIA4URVX2JM5MT0ZGK8", + "accountId": "321848314756", + "arn": "arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000", + "principalId": "AROAUF4S4NNXFP6WTHD73:aws-go-sdk-1722455550269043000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-31T19:52:33Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "321848314756", + "arn": "arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "principalId": "AROAUF4S4NNXFP6WTHD73", + "type": "Role", + "userName": "stratus-red-team-get-usr-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-westcentral-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000 is not authorized to perform: ec2:DescribeInstanceAttribute on resource: arn:aws:ec2:apiso-westcentral-3r:321848314756:instance/* because no identity-based policy allows the ec2:DescribeInstanceAttribute action. 
Encoded authorization failure message: Enl2ZFI8qzZz7FJbafChbyrAXg2YIjHajQvck025ERtfChE6SPPSWQgqVtk3hlhPmmXtygl2topFTLBMetoZpEkbrp12Jmy_tJvy8coKgQvYNRbwgexE1sgGHrFIR8lN-4kQFN8DwhrHJpJEnktXjp3resU01Or6e_LFeuTG64mgJd3586EywcHHGevMRLvK05jO0RMJqsg6b0cmKYpRUv2FxOKJhMCgGsiP4DhL3XGcXpfGKJ7HZnPG75uExMS35jH5ct2jTai8FEXolH0REk3zkQ5-siB6c-ZTim-4kzEf8NlVS5WMz4y224S-uZfzVCJF5V1tlpAAAcVDqXcCPPYnvDFCrAEvSHwVbz_J-4b0PsIwup0JrQjvO-Y_PCAlmEGdKqnjE6ByjPJ8t_kJ-1DbTZoQyBYxk9iy17MtSogtNbvheLUVRiWUfbFu-PGFNRrbsQLMveCKFWyDxohCcSIrt8wFZiHiW3GtSGcZEPGyIkx8J70WeW43xOdi2kqy2Qpy9IqDpI76QhdyOrq1I3w2mno52gIZ8DMcjteDEjpvpAVjBYQ7V61LAeV6sjkBlreXHcw", + "eventCategory": "Management", + "eventID": "66ffee8d-1866-43f6-b17e-4ffe3ddf8503", + "eventName": "DescribeInstanceAttribute", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-31T19:52:35Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "321848314756", + "requestID": "e58d7e06-a5eb-4a74-b8cd-d6f340b93b8f", + "requestParameters": { + "attribute": "userData", + "instanceId": "i-346d369e" + }, + "responseElements": null, + "sourceIPAddress": "255.18.064.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-westcentral-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_f193d7d4-8114-40ff-acc9-a123d5463ff3", + "userIdentity": { + "accessKeyId": "ASIA4URVX2JM5MT0ZGK8", + "accountId": "321848314756", + "arn": "arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000", + "principalId": "AROAUF4S4NNXFP6WTHD73:aws-go-sdk-1722455550269043000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-31T19:52:33Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "321848314756", + "arn": "arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "principalId": "AROAUF4S4NNXFP6WTHD73", + "type": 
"Role", + "userName": "stratus-red-team-get-usr-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-westcentral-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000 is not authorized to perform: ec2:DescribeInstanceAttribute on resource: arn:aws:ec2:apiso-westcentral-3r:321848314756:instance/* because no identity-based policy allows the ec2:DescribeInstanceAttribute action. Encoded authorization failure message: vdeCm58kZaHVcu0-M4yWQZUpPdeSvQM-HOZwlDrMda0wvu4tI52g4nlMc0Rr-8BzALqkpYMuU5gfkKjRboEAzaWBoLGR-MNnaDfrQoZRMHXd96e10UDh-IWDRcWvUGoS29l674DRl_WTDfwz5b021AAGHfMZS9NU1CXWZT3XvniJW0Q14EAovh_9HRYT0aQQqTBiF7M3KmaTaY4u1bCufp8Dx5zVbauuOnMDlXVAJhGHbSFCF8-ZzlK0D4kfdFboZSbIquw7xaMxjqD9LTBjl2K1g_2858Z41gZo4Km4lkjTPWXpoJtyYc3Fz3YSglZCutzv0CfWlDNziCj2SRPJeU0Y3Pro30Hczj_Z_knNWTauA_xr19CHjDRpmjab_BFA263eRFGZsZCFQXf1xlZBFSVvFEEBuo7hZ9USZ0hnoK3rq2njhNyDpefpqgIE8oWr82G0n9sqVVYj9TpX45obBsMHR-CXdnG5OsoQlrxl8-EjJYR2ugB6E3PhPFklgGf6Bj6I8P2tpQqqxGMHXcPlnj2tPoze4YzOlzrWhXi5aj7SuDoKgcYRm_R8WSKjUA1yBN7pFfI", + "eventCategory": "Management", + "eventID": "b307eaf9-2be2-44dd-b942-ce2bc8a3cc57", + "eventName": "DescribeInstanceAttribute", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-31T19:52:35Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "321848314756", + "requestID": "30ac0390-1bf8-41bc-af5b-a470776973f3", + "requestParameters": { + "attribute": "userData", + "instanceId": "i-cee23f5f" + }, + "responseElements": null, + "sourceIPAddress": "255.18.064.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-westcentral-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": 
"stratus-red-team_f193d7d4-8114-40ff-acc9-a123d5463ff3", + "userIdentity": { + "accessKeyId": "ASIA4URVX2JM5MT0ZGK8", + "accountId": "321848314756", + "arn": "arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000", + "principalId": "AROAUF4S4NNXFP6WTHD73:aws-go-sdk-1722455550269043000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-31T19:52:33Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "321848314756", + "arn": "arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "principalId": "AROAUF4S4NNXFP6WTHD73", + "type": "Role", + "userName": "stratus-red-team-get-usr-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-westcentral-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000 is not authorized to perform: ec2:DescribeInstanceAttribute on resource: arn:aws:ec2:apiso-westcentral-3r:321848314756:instance/* because no identity-based policy allows the ec2:DescribeInstanceAttribute action. 
Encoded authorization failure message: VTgeZY1vPG9JN8RDG5_1wKNkdZA63luKUmEpRzFkvdZUvjd_rcKLffOZqwXDA20cPdJHu1l7vHPCLGfLM8Fb11o5jWDblvEI9qwX8qPQrLXY2_eOGXR8PLPa_uSLkcCKg4f38m_O0kz7Ss9Re9cvEKgSeD6ARS2Z3cN525WfqGuMCutpegkhku4TeuGzROO7rfPShnztzzxqtN0gdb4g7eIlfUIxEPSAhGChhW8eDQCetI3WtssEwXQYkzHd6-9YIHxW8yw8P3enNKq3QgT2oaVMeOzZAFJDn6QukrYhFXu0Tr12gRnBNRWRpP5fFIoSwoMvd2AAhBTSAdpZwIv4_sN-aCGmR7QVs6sywfgXgJTOd6bKFMcM5nFp_-D0ZV-u057MMLcBc_mhrNU3vLIZ5aWoPSHaSkSyk6LlUpPRiuoASfphMxGjbVCeof0r9chjZtEi9bJE0DaRvPqYQTj4Bumpp4EO8PP7xUJ5XPKiDdUwxRF1zy_9pxLFL7hkkmAr-AAEtoGqPAfX9BtVS_HgahYXdC7lNRuHmmYmmgcDbOuU5yaHcrBMcEbr6JJXapgvJZlhXtg", + "eventCategory": "Management", + "eventID": "205f694d-35d4-4e33-9f38-f5e7a20ffa50", + "eventName": "DescribeInstanceAttribute", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-31T19:52:34Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "321848314756", + "requestID": "add1b208-55c2-4f2d-8b7a-cd9aeb2b177a", + "requestParameters": { + "attribute": "userData", + "instanceId": "i-1780bff0" + }, + "responseElements": null, + "sourceIPAddress": "255.18.064.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-westcentral-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_f193d7d4-8114-40ff-acc9-a123d5463ff3", + "userIdentity": { + "accessKeyId": "ASIA4URVX2JM5MT0ZGK8", + "accountId": "321848314756", + "arn": "arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000", + "principalId": "AROAUF4S4NNXFP6WTHD73:aws-go-sdk-1722455550269043000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-31T19:52:33Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "321848314756", + "arn": "arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "principalId": "AROAUF4S4NNXFP6WTHD73", + "type": 
"Role", + "userName": "stratus-red-team-get-usr-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-westcentral-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000 is not authorized to perform: ec2:DescribeInstanceAttribute on resource: arn:aws:ec2:apiso-westcentral-3r:321848314756:instance/* because no identity-based policy allows the ec2:DescribeInstanceAttribute action. Encoded authorization failure message: nLsOD7QpVpUhY_D5_xjyMrx2F-tbtuHhu4c9a2WnPRM5-j5JMzduGPr7dEt-PwGW39koU0YG9NsH40_CiWm2POy8r3JRQWYpHy9YGMbIsk-lPk7u5BVYvDPhPswVHoxYQcubUkNE9MKzgUHD6--rhHlErfgmG-x3-E_x56A2qqvpJhCVEt5ZPDBpMsGDQBAA6sxgI13hiR9Vj3vXmokTk0pwl6VY_GWRTRGxoTSC0EnzwsbLMlyMrdnKcQOPOizQstA6FqAoKiwk3B1T36AMuZ3DFeFKBCwatonhnDeqVEp1HFs0v1qWqSPQ3CMcxFmVai0VlKB-gh24bJ2eYJSraA3XqkzMMpuXCsaP3gVvY50wV5AtbO6s2mcy2hFikUoH-J7VUkhnAUf5v1fW_M9n1MKJ3-JINpVmeMVWGKHy2hCtuV0nK5mckvWfo1pX1yGR7rC8hz8mdDUdMpaOydDrCIapx-NYuZqd_8SbaeetsrJu-EUK2YwLc4WocKHP3yW7OZlwkhUt4RvSpZqkiYJ-F-HZKLsQ4fs6Yr5qy2RiIepTENiSzuD5wI0iZW21XRS5DoYm", + "eventCategory": "Management", + "eventID": "330b18f1-2763-4429-acf9-7293a5604ef3", + "eventName": "DescribeInstanceAttribute", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-31T19:52:34Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "321848314756", + "requestID": "9df72845-fbec-4178-9713-adcbccb99499", + "requestParameters": { + "attribute": "userData", + "instanceId": "i-42416187" + }, + "responseElements": null, + "sourceIPAddress": "255.18.064.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-westcentral-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_f193d7d4-8114-40ff-acc9-a123d5463ff3", + 
"userIdentity": { + "accessKeyId": "ASIA4URVX2JM5MT0ZGK8", + "accountId": "321848314756", + "arn": "arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000", + "principalId": "AROAUF4S4NNXFP6WTHD73:aws-go-sdk-1722455550269043000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-31T19:52:33Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "321848314756", + "arn": "arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "principalId": "AROAUF4S4NNXFP6WTHD73", + "type": "Role", + "userName": "stratus-red-team-get-usr-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-westcentral-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000 is not authorized to perform: ec2:DescribeInstanceAttribute on resource: arn:aws:ec2:apiso-westcentral-3r:321848314756:instance/* because no identity-based policy allows the ec2:DescribeInstanceAttribute action. 
Encoded authorization failure message: x6ukywL8Prh8nVwqNu_jfGpoVhNz64Z2oWssU-lfo9LLvZgrVpP7_U8FCvEfahACLHt9q3SN5BHNoKIqpT6Nse1a8IDd5T5UFtN5NAbm-8IlIjrfta55z8CdeQuyYW8g4n4fdzLRFY7P-bCnEWRyA96Dj7dgYI0-3JwYfoxyD5LqbNAyZZzXs6HzhE-JC2cNtX7pAnJyY5iqd7yKcM4tQDl-A1paYlQXwmp9jeYbixy09q2yEWVn0GnmDZpc-1YJdX7-G9RWvGb55cgx6G6QwX_V8O3GlbUtJoy5L1yJF9VHSjpNGcUjC1_T6pZoOquGL6HC1P2j4oU_vvThGAuyJtZ5hlwZA313Jwfx-YoFU3kncWiw9IXtxpgc120lSkcUt46AE9Uc47TT8jzAbBJhhIeA1lw8eh89JNMPOrGx5pTVqnmHdC6mZ92mnS5Iae0oAXY-T406pDrEIkdXtv3cbMeuBUNGfvn3O6xteP0i0gZdNPhCPxkTEDZRF-EgQs3TD2TwWIdbcoVDpTvPbf74xNHaDBFtFmcW_TW0XwiisyiaM8Ho5VTvUUQohR-ForP1xTRupKo", + "eventCategory": "Management", + "eventID": "95da874e-1cbd-47df-bba6-26dd2ed9ad82", + "eventName": "DescribeInstanceAttribute", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-31T19:52:34Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "321848314756", + "requestID": "d94b9d47-13c6-46cf-a8c6-4d7a33d7b85c", + "requestParameters": { + "attribute": "userData", + "instanceId": "i-68604a68" + }, + "responseElements": null, + "sourceIPAddress": "255.18.064.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-westcentral-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_f193d7d4-8114-40ff-acc9-a123d5463ff3", + "userIdentity": { + "accessKeyId": "ASIA4URVX2JM5MT0ZGK8", + "accountId": "321848314756", + "arn": "arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000", + "principalId": "AROAUF4S4NNXFP6WTHD73:aws-go-sdk-1722455550269043000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-31T19:52:33Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "321848314756", + "arn": "arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "principalId": "AROAUF4S4NNXFP6WTHD73", + "type": 
"Role", + "userName": "stratus-red-team-get-usr-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-westcentral-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000 is not authorized to perform: ec2:DescribeInstanceAttribute on resource: arn:aws:ec2:apiso-westcentral-3r:321848314756:instance/* because no identity-based policy allows the ec2:DescribeInstanceAttribute action. Encoded authorization failure message: cfE6FKZ1sIRhbxBLmjIoehSeEmbpj_8jIPsfCPuACT9E_rFPauBJrhN3AIXtPobElUTbZgN33aeBcq_atGfmGm0miGiE4oW5CWSkQVTPR_f6bJd-5PHBgkv_Evot_3vhSyAyN1nKUAakmm_Ne9bkqWRYabIiS-XBNwhbA49faTNvYUuwjEZKCJbpnCI9ir6J_ijM7bmlE0UAdVKWzn26SSgvgV9C0ex-YJoFslO-85IYC_09Ar0piVJjpmvVR0q04uuHw_W57DWJYjIs8n_PYyaH9fhp794rgvDzdxorm4rFwIlZKaudBGmGg0VYtmQzNLsYFXEpMX42A72nhCdEHoxZoTCpLJFLVVl2l4Fiuieud-NQxn8clqRwIWitTKGxpzKUlrLDzYS0NMJwjSleSiBtS8wJ-4t3iB7Y42OP-XNKN2DquxpmT1yIurR0nykVlvZtCzXuUdH39Z8spGqxCPJgZwd9o0G1X2-IwiP4MNeWQzYM8ZjN4vLOgNZsP85gJnCQxZSk8Vfk6XlS550Zd113KMl05ej2nYOO5sDtQNXFYR0xN4fTaQSi6XHLgtuN1xmqFaU", + "eventCategory": "Management", + "eventID": "a7ca94eb-492f-41e9-b23d-e4875b795041", + "eventName": "DescribeInstanceAttribute", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-31T19:52:34Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "321848314756", + "requestID": "8e437f72-d5eb-4c0a-b391-dd8d7f59eefb", + "requestParameters": { + "attribute": "userData", + "instanceId": "i-0c140b58" + }, + "responseElements": null, + "sourceIPAddress": "255.18.064.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-westcentral-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": 
"stratus-red-team_f193d7d4-8114-40ff-acc9-a123d5463ff3", + "userIdentity": { + "accessKeyId": "ASIA4URVX2JM5MT0ZGK8", + "accountId": "321848314756", + "arn": "arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000", + "principalId": "AROAUF4S4NNXFP6WTHD73:aws-go-sdk-1722455550269043000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-31T19:52:33Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "321848314756", + "arn": "arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "principalId": "AROAUF4S4NNXFP6WTHD73", + "type": "Role", + "userName": "stratus-red-team-get-usr-data-role" + } + }, + "type": "AssumedRole" + } + } + ] + ``` + +[^1]: These logs have been gathered from a real detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using [LogLicker](https://github.com/Permiso-io-tools/LogLicker). diff --git a/docs/attack-techniques/AWS/aws.execution.ec2-launch-unusual-instances.md b/docs/attack-techniques/AWS/aws.execution.ec2-launch-unusual-instances.md index 8f636c76e..680753011 100755 --- a/docs/attack-techniques/AWS/aws.execution.ec2-launch-unusual-instances.md +++ b/docs/attack-techniques/AWS/aws.execution.ec2-launch-unusual-instances.md 
@@ -41,3 +41,191 @@ field will contain the instance type that was attempted to be launched. Depending on your account limits you might also see VcpuLimitExceeded error codes. + +## Detonation logs new! + +The following CloudTrail events are generated when this technique is detonated[^1]: + + +- `ec2:RunInstances` + +- `sts:AssumeRole` + + +??? "View raw detonation logs" + + ```json hl_lines="8 70 122" + + [ + { + "awsRegion": "ca-south-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::751353041310:assumed-role/stratus-red-team-ec2lui-role-idtzskbvtd/aws-go-sdk-1722511821294449000 is not authorized to perform: ec2:RunInstances on resource: arn:aws:ec2:ca-south-3r:751353041310:instance/* because no identity-based policy allows the ec2:RunInstances action. Encoded authorization failure message: T-kSWIRFn32_fxSgyNzoE36avE5lRaRniAjDs-OdhlNgyecEbeTN_dCroUmnEqAbDOrevkgWv8iyUzs0XJxEDlAcgDztlJ-QPNokwAE1JUrWPZcLqpsuM6kK46d5jCUvmzpU_Egq-fML4ed58JHxMdyU4Iz1WGOb6S3W3FB5jghu3JqyDR1B8S8qHryW-e8H1ukHarLt7Ogr4rvYezZ3sf_DNCPDjCGLOSI75x4W0X4Wcl9B9eAuhG-hRbB8KG3e-15CmtpWvw5brndvmrK0sAKwOdcyI47AXNV1DKVLKBNjxwNSQB4knWTX00TASAtGZYroYLyadRTdjZO_CwPGIkcI7wiuAPwSJTrri9xF8zPb5ZJ-Zt4-fQRZoge3sWBFv_wRNOcdGXu8MidJV1ev4CJOpwygM9bO68S_ueU2u_MvKE_zRYrMzTYSMiBKpZGZBDiIZGOGOSzJK8aZ5_F0g5CzhI0IzBxBQh2QFLF0eZe6prRdYEnOZ33EDlaD68PhuyM5xFYzNATqG8UlMtNG7eE1XCMpAmLRAv8ZSnE0PUMrg-Z7RhLyIb3p37VxzKKQHVTdEarNtE22jp38CJ0uRZy5eiNmu-O3JMLeB-AuSYFFoGPtH6h2dH2uV4Fj27vJ4...", + "eventCategory": "Management", + "eventID": "1a4debbb-12e9-4bde-b8c7-ea29002bb2a7", + "eventName": "RunInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T11:30:23Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "900138736586", + "requestID": "b663854b-4ebf-4be3-8de0-9c5471904762", + "requestParameters": { + "blockDeviceMapping": {}, + 
"clientToken": "5dd59182-3917-421c-9b2c-7c92954b66ee", + "disableApiStop": false, + "disableApiTermination": false, + "instanceType": "p2.xlarge", + "instancesSet": { + "items": [ + { + "imageId": "ami-aCBbfd13bdb1d1E4b", + "maxCount": 10, + "minCount": 1 + } + ] + }, + "monitoring": { + "enabled": false + }, + "subnetId": "subnet-0e540f0c7ffb48ae9" + }, + "responseElements": null, + "sourceIPAddress": "06.237.252.245", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-south-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_c8ff220a-7e52-429b-868f-d979123ed2d3", + "userIdentity": { + "accessKeyId": "ASIA9F6MXE9HSYOXYQOS", + "accountId": "900138736586", + "arn": "arn:aws:sts::900138736586:assumed-role/stratus-red-team-ec2lui-role-idtzskbvtd/aws-go-sdk-1722511821294449000", + "principalId": "AROA13YEHY3VAS32TD341:aws-go-sdk-1722511821294449000", + "sessionContext": { + "attributes": { + "creationDate": "2024-08-01T11:30:22Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "900138736586", + "arn": "arn:aws:iam::900138736586:role/stratus-red-team-ec2lui-role-idtzskbvtd", + "principalId": "AROA13YEHY3VAS32TD341", + "type": "Role", + "userName": "stratus-red-team-ec2lui-role-idtzskbvtd" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "ca-south-3r", + "eventCategory": "Management", + "eventID": "04c882a5-7652-40d1-b44c-83535fc19268", + "eventName": "AssumeRole", + "eventSource": "sts.amazonaws.com", + "eventTime": "2024-08-01T11:30:22Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "900138736586", + "requestID": "a8b97cd6-132c-46e7-9305-85f2d79e683d", + "requestParameters": { + "durationSeconds": 900, + "roleArn": "arn:aws:iam::900138736586:role/stratus-red-team-ec2lui-role-idtzskbvtd", + "roleSessionName": "aws-go-sdk-1722511821294449000" + }, + "resources": [ + { + "ARN": 
"arn:aws:iam::900138736586:role/stratus-red-team-ec2lui-role-idtzskbvtd", + "accountId": "900138736586", + "type": "AWS::IAM::Role" + } + ], + "responseElements": { + "assumedRoleUser": { + "arn": "arn:aws:sts::900138736586:assumed-role/stratus-red-team-ec2lui-role-idtzskbvtd/aws-go-sdk-1722511821294449000", + "assumedRoleId": "AROA13YEHY3VAS32TD341:aws-go-sdk-1722511821294449000" + }, + "credentials": { + "accessKeyId": "ASIA9F6MXE9HSYOXYQOS", + "expiration": "Aug 1, 2024, 11:45:22 AM", + "sessionToken": "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" + } + }, + "sourceIPAddress": "06.237.252.245", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "sts.ca-south-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_c8ff220a-7e52-429b-868f-d979123ed2d3", + "userIdentity": { + "accessKeyId": "AKIAR7ISFR69YWROPYAN", + "accountId": "900138736586", + "arn": "arn:aws:iam::900138736586:user/christophe", + "principalId": "AIDA32NEE582826ECMV4", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-south-3r", + "eventCategory": "Management", + "eventID": "9a6353be-6cb8-4a0c-ab85-a46dbd3a2b71", + "eventName": "AssumeRole", + "eventSource": "sts.amazonaws.com", + "eventTime": "2024-08-01T11:30:21Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "900138736586", + "requestID": "7197a903-38a0-4e24-8683-dc858142b3c8", + "requestParameters": { + "durationSeconds": 900, + "roleArn": "arn:aws:iam::900138736586:role/stratus-red-team-ec2lui-role-idtzskbvtd", + "roleSessionName": "aws-go-sdk-1722511821294449000" + }, + "resources": [ + { + "ARN": "arn:aws:iam::900138736586:role/stratus-red-team-ec2lui-role-idtzskbvtd", + "accountId": "900138736586", + "type": "AWS::IAM::Role" + } + ], + "responseElements": { + "assumedRoleUser": { + "arn": 
"arn:aws:sts::900138736586:assumed-role/stratus-red-team-ec2lui-role-idtzskbvtd/aws-go-sdk-1722511821294449000", + "assumedRoleId": "AROA13YEHY3VAS32TD341:aws-go-sdk-1722511821294449000" + }, + "credentials": { + "accessKeyId": "ASIAYY9090UIYYUOIF2U", + "expiration": "Aug 1, 2024, 11:45:21 AM", + "sessionToken": "IQoJb3JpZ2luX2VjEIz//////////wEaCXVzLWVhc3QtMSJHMEUCIFzpG0H/IrDX9P0i5y29VWSdkBXkBTwULxR2KkPh4ApdAiEAiHLNdMOheLhjTV5lDnR7oekWR9V+zoDdU90CcpsOup0qqwIIdRABGgw3NTEzNTMwNDEzMTAiDK3uxtzFnKLcVORn9iqIAqQXShn68h/gmprileycyOQFlWvnjmy3JfNIoxpWT7miaEUekUaAVn9qGLQal+2Hyz4mqucWSFP4WCbDL+e5iS1xSz+oMowhtVvThjHV1AmKqxhivS1aoPOsy/P+NrxOyWSPyKuxyOn4khyFjsqDKc221zk5OFx+FqU+77es30KeJT4tJuRzwly679cnX9uUq0Y57yuIaHfAPFVy10EBeajT9wjI2/K9QJCcqKsshspDBRORU5PYiGJnCrcXy2SmumtW6EvH23kIUxYXE+Jv6aTrSCqo1kQDUvP+xYIxBYKR4Kn4zcVZUTgZC3k+plWaRThN/tSfA0aI67O61NQCn/Y0UUL0+5j0kTDN4621BjqdAay4li3+cvLrvgpNdyIMex2CAQbDOKEDCKe00MpLPka3vIDPDANof9D9SPJaynXl7b3t+fKxhMRo8MGyh/37wYhrD26qPAzbFA+Av75KyjEigzAsEyBYhi1Ix2nIYjm9jei10p0yiH1QSGerutzp1UQanzfgyzMpAtVJzy99kRFVKHE8j/rP5jc+iZFNdcDvYbs0tl9bP7kUFNDlVXg=" + } + }, + "sourceIPAddress": "06.237.252.245", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "sts.ca-south-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_c8ff220a-7e52-429b-868f-d979123ed2d3", + "userIdentity": { + "accessKeyId": "AKIAR7ISFR69YWROPYAN", + "accountId": "900138736586", + "arn": "arn:aws:iam::900138736586:user/christophe", + "principalId": "AIDA32NEE582826ECMV4", + "type": "IAMUser", + "userName": "christophe" + } + } + ] + ``` + +[^1]: These logs have been gathered from a real detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using [LogLicker](https://github.com/Permiso-io-tools/LogLicker). 
diff --git a/docs/attack-techniques/AWS/aws.execution.ec2-user-data.md b/docs/attack-techniques/AWS/aws.execution.ec2-user-data.md index b96d1e838..c96976a25 100755 --- a/docs/attack-techniques/AWS/aws.execution.ec2-user-data.md +++ b/docs/attack-techniques/AWS/aws.execution.ec2-user-data.md @@ -24,7 +24,6 @@ References: - https://hackingthe.cloud/aws/exploitation/local-priv-esc-mod-instance-att/ - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html -- https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/ Warm-up: 
@@ -56,3 +55,1457 @@ expected that the user data of an EC2 instance changes often, especially with th provisioned before instantiation. + +## Detonation logs new! + +The following CloudTrail events are generated when this technique is detonated[^1]: + + +- `ec2:DescribeInstances` + +- `ec2:StartInstances` + +- `ec2:ModifyInstanceAttribute` + +- `ec2:StopInstances` + + +??? "View raw detonation logs" + + ```json hl_lines="6 46 86 126 182 222 259 299 339 379 419 459 499 539 579 619 659 699 739 779 819 859 899 939 979 1019 1059 1099 1139 1179 1219 1259 1299 1339 1379" + + [ + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "759fa0d5-d7d6-4de3-97f0-c469d1a0f92c", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:04:24Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "a9c78483-c047-4215-94c6-89794dd3b44e", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "914d32bb-067a-413c-adb1-cc8c4600261c", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:04:22Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + 
"managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "977121cb-f370-439d-9aa3-5dea3af27c6a", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "b38fe645-91d4-404b-8d64-024a6f7e00cd", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:04:20Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "fff5f8d6-d152-4d32-913e-a5fedaa6aa2f", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": 
"Management", + "eventID": "55e470c0-611d-4549-ad87-a7c830a75063", + "eventName": "StartInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:04:19Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "309303190113", + "requestID": "0c9bbf8a-a6f6-4e64-8396-78017a647f26", + "requestParameters": { + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": { + "instancesSet": { + "items": [ + { + "currentState": { + "code": 0, + "name": "pending" + }, + "instanceId": "i-DDd6c7B0e18F0E35f", + "previousState": { + "code": 80, + "name": "stopped" + } + } + ] + }, + "requestId": "0c9bbf8a-a6f6-4e64-8396-78017a647f26" + }, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "9e6d9e21-0c9c-49f7-b2b6-59c863d7a6a3", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:04:19Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "2ff3ad22-ffc2-4926-bbdd-15356ec9bd4a", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + 
"clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "f634894e-d625-4b7b-b1c1-50354cc1100e", + "eventName": "ModifyInstanceAttribute", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:04:18Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "309303190113", + "requestID": "5c0d7f09-a80a-4313-b848-bc858fa4a8ad", + "requestParameters": { + "instanceId": "i-DDd6c7B0e18F0E35f", + "userData": "\u003csensitiveDataRemoved\u003e" + }, + "responseElements": { + "_return": true, + "requestId": "5c0d7f09-a80a-4313-b848-bc858fa4a8ad" + }, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "8730ad3a-d87e-4463-aaba-d600442be64c", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:04:17Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": 
"4ddaaecc-3c8d-420f-8646-977ad02fbbe5", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "50019cea-afa8-4dc4-b61d-b9454e6d2aba", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:04:16Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "277adb54-968d-4460-aeaa-a59d65139225", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "ae0d4f37-4d8c-49e1-ab78-2c7157ffc9d3", + "eventName": "DescribeInstances", + 
"eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:04:14Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "b38aa588-4cc4-4279-8117-2d1d06d8ff1f", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "daeb8d2a-a83b-4a37-8ba3-e60b3d0b69d1", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:04:11Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "e1ae237b-0241-4999-be50-44fd16f7e368", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": 
"AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "c751234f-ec7b-40d7-af60-188d8749b08f", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:04:10Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "398556fa-3fe5-4872-9d6f-a994e54731ed", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "bed3162f-6f64-4f6f-b08b-78d3ac9b9066", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:04:08Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "6e302813-c59e-49bc-ba23-89109cd64119", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + 
"userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "42d2c954-4b4c-4889-ad26-80796fe87025", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:04:06Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "8e3e3e2d-9593-442e-b8e5-335362f0a5df", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "2a1cbb02-88fd-4405-90f8-7d5bcb65b0f3", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:04:04Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "6d4d0e20-28c5-4bb0-90f2-57dfdc42aeab", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, 
+ "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "56b0bf8c-92fe-460c-aaa6-ba5b9d816bea", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:04:03Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "a5ae54e8-dbcc-498c-ba6c-b7caff1d8302", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "5e44de78-52a2-4d5b-9b85-715f68110d00", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:04:00Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, 
+ "recipientAccountId": "309303190113", + "requestID": "6a7b7a28-eaa1-4a78-b7db-d5eb9b687773", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "7d0f96bf-ca3b-4bb6-b9ea-2cb20cbd3f64", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:03:58Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "21738dd4-cde5-4783-a4d9-341ffbb3d0f0", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": 
"10469acd-d180-4b62-a768-15726f788cf6", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:03:57Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "cf1342c3-7142-4ce3-ace0-c3d6cb8ef53d", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "273a42f8-7c86-43f9-aabd-a698d0c5931a", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:03:55Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "3d41ca74-ae92-45de-ab0e-3c7ad6a38c24", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + 
"arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "b788f6c8-3155-4d3b-ac7d-9fd49e6be119", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:03:53Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "bf4fb83d-1fea-48c5-ab76-8914ce05ade1", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "8ced3c60-7e3a-447a-9abe-c80ea783e54a", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:03:51Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "2ff0ddac-4e87-448d-817e-5ec5e0d62ffa", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": 
"ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "933be44e-6ef0-44f6-a64b-99f067a71cd8", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:03:50Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "5bc0fc4e-a4fc-40b9-8a28-621a02c58e55", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "7eba0527-9926-4c43-8670-a4a1d2b8a466", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:03:48Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "6434fc93-d1b5-44f6-9d82-5323e1059b23", + "requestParameters": { + "filterSet": {}, + "instancesSet": { 
+ "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "7a03fd83-ae64-41b4-b109-f672ccf01377", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:03:47Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "1758f71e-47d0-4fa3-9875-315bc7183bb3", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "e787e1ad-fa7c-4b91-9587-9beffd68488a", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:03:45Z", + "eventType": "AwsApiCall", + 
"eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "e9c76e24-ef65-4fdc-b30e-145643c6913a", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "40afc14c-3dd8-4195-b4d3-89f1173d368f", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:03:43Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "ed3889da-12fc-434b-8e5d-5bcf122b46fe", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", 
+ "eventCategory": "Management", + "eventID": "8bc46582-5202-4857-879e-b57a94862895", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:03:41Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "1b8980f2-0a5e-4e6a-8a5a-82a4982d4a36", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "7470d5b5-0e71-4bd2-9809-8b8e9499b8e2", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:03:40Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "2d9bbbbf-86ab-4e36-8f44-66b9cc568571", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": 
"AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "570ab1e6-8222-4db2-a688-6c1a37cc9968", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:03:38Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "33647962-fb50-4bc9-9465-13d237860e4f", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "9ed4f1c7-607c-4c88-bcb6-053a03fd30cc", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:03:37Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "88449386-205f-4091-b667-5b9efc5ce256", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": 
"TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "7c46e00c-5eba-40c4-8a5c-3788c10af6fd", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:03:35Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "40f0177a-b1a4-44a4-b6c5-87fd9e44849e", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "4edfbd95-32ab-4abc-9b07-5e371a9af5da", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:03:34Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "cc43b6de-04d9-4435-9ecc-46a575b0950d", + 
"requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "8ffd8499-55e5-4487-b1c8-f73ab389db84", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:03:32Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "0a967e8c-b6ed-4870-aec5-edca45b2e00c", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "bfdbd679-9ac4-41e0-84f6-2be3ac12d3e5", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + 
"eventTime": "2024-08-01T12:03:30Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "14975c6a-e0f8-4abf-b731-5a21a8249464", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "d373b5dd-6a82-439d-bdcf-4e6c7c7a9292", + "eventName": "StopInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:03:30Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "309303190113", + "requestID": "088dba72-717e-4502-a3c5-5c95f22f87c1", + "requestParameters": { + "force": true, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": { + "instancesSet": { + "items": [ + { + "currentState": { + "code": 64, + "name": "stopping" + }, + "instanceId": "i-DDd6c7B0e18F0E35f", + "previousState": { + "code": 16, + "name": "running" + } + } + ] + }, + "requestId": "088dba72-717e-4502-a3c5-5c95f22f87c1" + }, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": 
"stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + } + ] + ``` + +[^1]: These logs have been gathered from a real detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using [LogLicker](https://github.com/Permiso-io-tools/LogLicker). diff --git a/docs/attack-techniques/AWS/aws.execution.ssm-send-command.md b/docs/attack-techniques/AWS/aws.execution.ssm-send-command.md index 4d0986579..212d70a50 100755 --- a/docs/attack-techniques/AWS/aws.execution.ssm-send-command.md +++ b/docs/attack-techniques/AWS/aws.execution.ssm-send-command.md @@ -33,7 +33,6 @@ References: - https://www.chrisfarris.com/post/aws-ir/ - https://www.invictus-ir.com/news/aws-cloudtrail-cheat-sheet - https://securitycafe.ro/2023/01/17/aws-post-explitation-with-ssm-sendcommand/ -- https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/ ## Instructions 
@@ -66,3 +65,2391 @@ Identify, through CloudTrail's SendCommand event, especially when < While this technique uses a single call to ssm:SendCommand on several instances, an attacker may use one call per instance to execute commands on. In that case, the SendCommand event will be emitted for each call. + +## Detonation logs new! + +The following CloudTrail events are generated when this technique is detonated[^1]: + + +- `ssm:GetCommandInvocation` + +- `ssm:SendCommand` + +- `ssm:DescribeInstanceInformation` + + +??? "View raw detonation logs" + + ```json hl_lines="6 48 90 132 174 216 258 300 342 384 426 468 510 552 594 636 678 720 762 804 846 888 930 972 1006 1040 1074 1162 1204 1238 1280 1322 1364 1406 1448 1490 1532 1574 1616 1658 1700 1742 1784 1826 1868 1910 1952 1994 2036 2078 2120 2162 2204 2246 2288 2330" + + [ + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "4723aee9-d1e5-4e32-b48c-0ec39a6d84ea", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:27Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "6edac2c5-52c8-4de5-9d8f-2d1bdc2f9e8b", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, 
+ { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "bbef7fa1-ec6b-42ca-ae50-a95610fc81d3", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:26Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "083a9fde-def5-4328-bbab-1bd8b0c137cb", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "d6738500-de0a-4a7d-af41-c42225b1d627", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:23Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "cdf0af8d-32e8-4094-b5ad-0ad6aa898a2b", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + 
"tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "5ceab743-d517-46d5-b162-bf881ae0be0c", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:21Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "b48c0a2a-5c9b-4bd9-9e2a-74c84a55aefe", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "df4e2a35-15df-4329-9b51-f260dcefba7b", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:19Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "fe3cc368-5dd9-4629-8db6-966b9b396005", + "requestParameters": { + "filters": 
[ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "414a9a7c-01f3-4acc-9b55-bf1f677e3a54", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:17Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "6425b4c5-5688-4d8f-8165-cf0b565cdb72", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "2c1e26d1-6685-4640-ba79-81149872d066", + "eventName": 
"DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:16Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "0ea54e95-cde4-4aec-9ef3-d28f44594966", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "a4ca6ef1-b00e-476a-8dcf-6b1b2e75b335", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:15Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "0c49d64c-5995-485c-930f-fbb3fcda42ab", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": 
"AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "2b3aacaa-3e89-405c-b53b-f99a0555661d", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:14Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "2abe2e44-53f2-4207-825e-dc569c2be9f5", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "2610da37-3b46-48b2-82b3-59e0c77c9db0", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:13Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "c2320169-a590-4aa4-bfbe-73d0eef783fa", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + 
"responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "04151503-f5e2-4356-abdd-14b08e2285ef", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:12Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "61a85904-a3b8-4dd6-aaef-2efd548cf9ae", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "898fc3e2-242e-48f1-a560-8b835d90bdee", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:10Z", + "eventType": "AwsApiCall", + 
"eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "8931849b-3dbb-440f-ac27-1fb5d4890d3b", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "411687aa-d840-40f7-ae31-adb0619c0401", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:09Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "003bfa5a-ef20-46b7-bf79-8a11a49ab14e", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", 
+ "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "ff20ced4-0e3c-42a7-9ed9-f32cd2cbb672", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:08Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "0234c68e-9ebe-4fc5-81ab-798de9bdc451", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "e0643796-b464-4e13-8680-00c6dc57ef72", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:07Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "1543ba41-1625-45c3-8f4f-ab5463d68b02", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + 
"clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "1540ea9a-4d6b-45b5-b84d-e9711e7801fb", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:06Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "0e53ee03-5e82-4bcc-80fe-1f5929260121", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "0d989ab9-09ae-44c4-9dc8-3f3c9aa4f4b1", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:05Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": 
"cdea3227-f206-4316-8ba4-980b36f6124a", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "ab4521b5-0b95-4e01-bc57-9124138b6d07", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:04Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "581d7a02-356c-4b34-88ff-0570f6fb1d2b", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": 
"Management", + "eventID": "150f7722-557f-47a7-849c-5c44cba78e2e", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:02Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "3674ec77-adc1-4474-aad5-a1a6fed8b8d4", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "c68a4a51-cfc2-490d-86da-f0aff1e000e6", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:01Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "ab1a6ced-43d6-459c-b67b-6c1acb255fd8", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": 
"stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "2582b47b-76b8-4eb4-a455-9f97b000d38a", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:00Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "fe6366b5-7c41-4a98-ab58-fa895d8d71f8", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "aa35aa1c-1989-4beb-a540-2a47b88a2119", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:07:59Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "7c848a81-1e4b-4457-a067-ede23efb8f96", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ 
+ "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "0d86f878-d8c0-475c-8079-2a1243666e45", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:07:58Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "914d4883-5725-4059-bf32-8b240cd2be40", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "bab0e5ba-5a43-467d-9460-dd801d9e9ad8", + "eventName": "GetCommandInvocation", + "eventSource": 
"ssm.amazonaws.com", + "eventTime": "2024-08-02T09:09:02Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "55198b26-f77b-4ef8-9259-bb347696f512", + "requestParameters": { + "commandId": "4e973221-443e-4a56-a0b4-1cb3c7923fc3", + "instanceId": "i-9D40CCFc0aE91CFa5" + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "b2c7717c-e542-422f-a78d-590536c174cb", + "eventName": "GetCommandInvocation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:09:01Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "3a1aa185-9cc4-4d58-933c-c2a6ad37c730", + "requestParameters": { + "commandId": "4e973221-443e-4a56-a0b4-1cb3c7923fc3", + "instanceId": "i-00456A8D163f546Ff" + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": 
"IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "e0b17230-9c13-482a-a0f0-d93c6bd4fb8e", + "eventName": "GetCommandInvocation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:09:01Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "dd526977-54b5-4951-bdb4-b9e542af402b", + "requestParameters": { + "commandId": "4e973221-443e-4a56-a0b4-1cb3c7923fc3", + "instanceId": "i-cfE23b1a7ceba6f86" + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "5288bfb8-e3fa-4c41-be02-6853521afe8b", + "eventName": "SendCommand", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:56Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "056392974792", + "requestID": "1479b5e1-9751-4bf1-b548-cdd8108e85a6", + "requestParameters": { + "documentName": "AWS-RunShellScript", + "instanceIds": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ], + "interactive": false, + "parameters": "HIDDEN_DUE_TO_SECURITY_REASONS" + }, + "responseElements": { + "command": { + "alarmConfiguration": { + "alarms": [], + "ignorePollAlarmFailure": false + }, + "clientName": "", + "clientSourceId": "", + 
"cloudWatchOutputConfig": { + "cloudWatchLogGroupName": "", + "cloudWatchOutputEnabled": false + }, + "commandId": "4e973221-443e-4a56-a0b4-1cb3c7923fc3", + "comment": "", + "completedCount": 0, + "deliveryTimedOutCount": 0, + "documentName": "AWS-RunShellScript", + "documentVersion": "$DEFAULT", + "errorCount": 0, + "expiresAfter": "Aug 2, 2024, 11:08:56 AM", + "hasCancelCommandSignature": false, + "hasSendCommandSignature": false, + "instanceIds": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ], + "interactive": false, + "maxConcurrency": "50", + "maxErrors": "0", + "notificationConfig": { + "notificationArn": "", + "notificationEvents": [], + "notificationType": "" + }, + "outputS3BucketName": "", + "outputS3KeyPrefix": "", + "outputS3Region": "sagov-westsouth-1r", + "parameters": "HIDDEN_DUE_TO_SECURITY_REASONS", + "requestedDateTime": "Aug 2, 2024, 9:08:56 AM", + "serviceRole": "", + "status": "Pending", + "statusDetails": "Pending", + "targetCount": 3, + "targets": [], + "timeoutSeconds": 3600, + "triggeredAlarms": [] + } + }, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "8e1d1d98-6f88-4ce9-8e62-c1ec1a598408", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:56Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + 
"requestID": "5e34f5e1-11f1-481f-a435-c6124bd640d2", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "e470e8f0-fbf0-42c1-a751-b271929bfa22", + "eventName": "GetCommandInvocation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:56Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "c6b8d64a-b975-4306-a8ac-17671377c2af", + "requestParameters": { + "commandId": "4e973221-443e-4a56-a0b4-1cb3c7923fc3", + "instanceId": "i-00456A8D163f546Ff" + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": 
"ad342d3d-e850-41c3-b3a6-3e5cf0b382d3", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:55Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "6fd7d6fe-4452-462c-bf9c-c93daec119d6", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "486ae737-1798-4c36-a90a-20d61f22d678", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:53Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "4dd32dc2-26bc-4d9a-a469-56c65a55f45e", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": 
"stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "6643948a-9472-4f72-b1ff-8ddcfedca235", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:52Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "0605e0fd-df0a-493a-a915-832b50c17164", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "cd49199d-ffdc-46bf-acae-e6c6d73e215a", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:51Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "65bc968b-731a-4dd5-93aa-3bfebcf16f85", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ 
+ "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "53407d54-9944-4317-a20f-d9a52c2a35ee", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:50Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "80ee2eb6-d794-4ac3-b2fb-6b9b40936d61", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "6f1a2b4e-89a5-43f0-8ef4-6f3ecd9e04dc", + "eventName": "DescribeInstanceInformation", + "eventSource": 
"ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:49Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "5a765f60-eddc-4efe-bb7f-57b018f5c76a", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "fdcf7d26-3ffb-4e35-8534-933b6ced55b5", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:48Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "42651f04-5238-4f63-889b-bee7734d29e0", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + 
"arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "1a5374a3-1223-46dc-b3c4-a0336179f22b", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:46Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "f12f2209-52ba-4064-8e48-45a70ed55437", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "1fc0903a-bdd5-4a31-a15e-84efb05530dd", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:45Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "54a4713e-2480-4b3c-95de-ffa6f061f6db", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": 
"253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "b43fdb25-5caf-4203-b2f4-5fd4d40344b0", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:44Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "c2342054-aa38-41f4-b1b9-702828726730", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "97a253c0-5e84-4d78-8412-a420695ba4dc", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:43Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": 
true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "398704b7-2c17-4cb2-8efb-f27ef8f775fe", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "e4be349d-0420-4ee9-b8da-7f8b76c4d883", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:42Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "5db544de-5064-4bf2-ba19-ea2a882281bc", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": 
"christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "55b6e5a7-e4e8-4b81-b822-75905525c193", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:41Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "2654285f-1d76-4224-9224-4a3968f16a3f", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "c0679959-5bf1-4aaf-9f78-f436c35da4b2", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:39Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "1545c090-8ecf-4cae-9db0-a2da1e103f23", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": 
"ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "bf330a73-3600-4a88-a3c9-837c82fd6431", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:38Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "409166a6-71c7-4a1c-b1dd-7972ec637a0c", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "d303c923-1ad3-4333-a78c-5ba0d713df14", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:37Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": 
"29eb2c6a-3d0a-4b1c-b643-ad80f5faee5f", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "7cf67dfd-fedc-4494-acbe-3fab7e1808a1", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:36Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "9525e5ee-669c-40a2-a8d2-33cebb0ee895", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": 
"Management", + "eventID": "e666a3d4-db2f-4ac2-b0ba-63531a949154", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:35Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "34ea6034-0028-46cd-94f5-54ffb4c5ba02", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "ff0452d7-bef3-47ba-b641-e4b10f50f3c4", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:34Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "135ea4ff-0e59-4771-b541-326b904dfd70", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": 
"stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "2253ede9-2382-41fa-8302-b25ecf0f11ac", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:33Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "0c664d14-0f8b-44da-896d-80b7dae05a2c", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "9b6c78ee-98ba-4ddd-9dae-aa4d3a57e89c", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:31Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "f55872e1-6dad-42be-a18d-c7bd64ef9f6d", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ 
+ "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "1ac28c35-ee6f-41a4-97bd-ae8e44363660", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:30Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "c274e01e-2045-4415-bd71-c8744107618e", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "d3471df2-fc63-479b-9920-4ac3c9c32357", + "eventName": "DescribeInstanceInformation", + "eventSource": 
"ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:29Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "00d4a58a-00a8-4116-b391-beaa8aa1c0db", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "0745f3f1-b181-4395-a2dc-243becae570e", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:28Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "4b2f5fd6-3620-4aa7-bf3e-7da9d27bec85", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + 
"arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "804c4178-75cd-4d83-b04f-960f47961a75", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:24Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "bec61003-0f60-45c0-9256-116efb6d15aa", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "73518501-d83c-4d7e-8dbd-2154928d76f7", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:22Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "4c950f64-59ff-4fce-9a69-32ef10f96872", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": 
"253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "6e3e5c56-66d8-4e23-9a89-8498651357d5", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:20Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "8c004773-45de-49ee-aab8-44a83effbfd6", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + } + ] + ``` + +[^1]: These logs have been gathered from a real detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using [LogLicker](https://github.com/Permiso-io-tools/LogLicker). 
diff --git a/docs/attack-techniques/AWS/aws.execution.ssm-start-session.md b/docs/attack-techniques/AWS/aws.execution.ssm-start-session.md
index 9e11cdafe..2fbd64820 100755
--- a/docs/attack-techniques/AWS/aws.execution.ssm-start-session.md
+++ b/docs/attack-techniques/AWS/aws.execution.ssm-start-session.md
@@ -32,7 +32,6 @@ References:
 - https://awstip.com/responding-to-an-attack-in-aws-9048a1a551ac (evidence of usage in the wild)
 - https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/#session-manager
 - https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/
-- https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/
 ## Instructions
@@ -61,3 +60,1207 @@ Identify, through CloudTrail's StartSession event, when a user is s ``` + +## Detonation logs new! + +The following CloudTrail events are generated when this technique is detonated[^1]: + + +- `ssm:DescribeInstanceInformation` + +- `ssm:TerminateSession` + +- `ssm:StartSession` + + +??? "View raw detonation logs" + + ```json hl_lines="6 48 90 132 174 216 258 300 342 384 426 468 510 552 594 636 678 720 762 804 846 888 930 972 1007 1044 1079 1116 1151" + + [ + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "ab04bb55-b6d5-492b-8697-9d11867c6c43", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:16Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "c98780a2-d6a4-4114-91b0-a28a2a0842b3", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "5ccb707e-ea1c-4ae5-acb1-2039ca8908ec", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:15Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + 
"recipientAccountId": "294599468799", + "requestID": "089ef7a1-3dd7-4b8c-a59d-d169df9b4316", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "75d83a2a-99a3-4808-ade4-fe692446096b", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:14Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "9d1129f2-f619-4690-bab2-b097875b913f", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": 
"me-northwest-3r", + "eventCategory": "Management", + "eventID": "9a3b3ce3-c139-46e2-be9b-920f6c670c42", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:12Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "45eb28df-eda5-4b72-8e11-3b37679681a0", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "b8a73842-fae3-40a9-85b3-515a1a07d582", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:11Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "cb435a50-9023-4ded-a904-6f448738ee31", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + 
"userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "554070cc-5bc1-4894-9880-c75a15ac78a2", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:10Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "8eb080f2-3c5d-447c-bad2-d4ceebe8bfd2", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "6844ea57-f22c-42e1-ae5b-709d8fc2c36b", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:09Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "84c1b5d3-c365-469c-917b-cc317aed7d43", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + 
"values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "913f3327-0ef4-4acb-a3a2-325ddcbda947", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:08Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "1b58a0d1-b841-4234-ad41-25faee08b985", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "b045bced-b93a-4e6c-a1b8-2011fe92b93a", + "eventName": "DescribeInstanceInformation", + 
"eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:06Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "ab3f6858-2db0-413f-9b21-09997a048505", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "0f520fea-16a0-459f-bf72-21efd8457cb1", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:05Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "6ca20f16-71aa-4794-8884-36989a3b7bc6", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": 
"294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "9546b899-0954-4c25-bbfb-a588f2a072c6", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:04Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "ec65f81b-3145-4abd-a992-1de519835cad", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "4ddacdbc-fba5-4298-9f8d-90b7ab937844", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:03Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "270fe471-7761-411c-a5c8-8aef5d50b090", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": 
"254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "26e75a55-97b5-4ec0-a061-74460a26659d", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:02Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "9f172d90-39e1-46ba-9271-e18d349f22ff", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "f25d2e8c-bf82-4cb5-9a80-a72bd83d85cf", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:01Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + 
"readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "0d98546c-6b0b-4d0c-a73c-68059eb76792", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "fd5300fb-d315-4ed3-b9e7-ca1b92a5d394", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:18:59Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "44bae06a-b763-4952-8832-41fc6ad7302c", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, 
+ { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "22af1364-f2e4-41eb-bb18-f1738e807acf", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:18:58Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "af97f2a9-e028-4735-a6c6-9124b6679d5d", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "12794adb-6096-4389-9756-e98a5dca6d67", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:18:57Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "b3335448-07b5-4095-982d-b1b34a832ec5", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": 
"TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "19e72b5f-adba-48cc-ab37-53756ed926d5", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:18:56Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "a057578e-d65b-43a5-bb03-9914d7e1d069", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "a5578e6e-e935-4b5f-9d9e-7af60f7999e4", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:18:54Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "8ea8e04e-b423-4651-878a-c81a60213c16", + "requestParameters": { + "filters": [ + { + "key": 
"InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "a7175b36-d81e-4865-be81-212ca57308df", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:18:53Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "09a037ea-6fe5-4df3-bfeb-62c2de373b83", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "5bdf2db7-edd7-42cd-82f1-ee0196606656", + "eventName": 
"DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:18:52Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "6fb104db-448f-4055-b30c-c72cdc9cabcc", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "03ba7d84-509a-4bb9-bc48-959aa989b5ff", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:18:50Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "796082ea-1ed9-422e-8316-c8696499cd1e", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": 
"AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "a29037ea-ed15-4025-9a54-ff70f11ca95c", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:18:49Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "5f7f7d07-7c66-41aa-8fb8-dacd955626df", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "f8f0460c-476b-42b7-9cfb-cd6345e2aad1", + "eventName": "TerminateSession", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:18Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "294599468799", + "requestID": "9147312c-7312-46d4-aa91-798728055424", + "requestParameters": { + "sessionId": "christophe-wzleysigzmbd6fmkefjqvt5w4u" + }, + "responseElements": { + "sessionId": "christophe-wzleysigzmbd6fmkefjqvt5w4u" + }, + "sourceIPAddress": 
"254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "8086b250-d29c-4659-9aec-86c8446a3895", + "eventName": "StartSession", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:17Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "294599468799", + "requestID": "d81b3311-b5aa-4782-ab43-c7af5e237aee", + "requestParameters": { + "target": "i-eA1d1296c1dE3Aa1f" + }, + "responseElements": { + "sessionId": "christophe-wzleysigzmbd6fmkefjqvt5w4u", + "streamUrl": "wss://ssmmessages.me-northwest-3r.amazonaws.com/v1/data-channel/christophe-wzleysigzmbd6fmkefjqvt5w4u?role=publish_subscribe\u0026cell-number=AAEAAbIWRNYnEkrB64bhGiedJQR3zYzBwUJyTNxc854+f3IBAAAAAGarfUW5QwfI91t6LkgX/EqdDx6EluDPvaUGK2bMPeDUpZ8JCNDVkDD7", + "tokenValue": "Value hidden due to security reasons." 
+ }, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "131c198f-7042-4c88-be71-545471d55f4c", + "eventName": "TerminateSession", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:16Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "294599468799", + "requestID": "577db5d7-12b4-49a6-87eb-6ea2890065bd", + "requestParameters": { + "sessionId": "christophe-bkqs75qpcrtlxk5paaytrydm2e" + }, + "responseElements": { + "sessionId": "christophe-bkqs75qpcrtlxk5paaytrydm2e" + }, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "10057a87-1da5-4c7d-a411-e41543dc91f5", + "eventName": "StartSession", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:17Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + 
"recipientAccountId": "294599468799", + "requestID": "5cc369d7-d3e9-41e0-a677-14e8c9c18c8e", + "requestParameters": { + "target": "i-d0b6DCBA8984dE148" + }, + "responseElements": { + "sessionId": "christophe-s7uathgenk3m4qa2s33wio5gpu", + "streamUrl": "wss://ssmmessages.me-northwest-3r.amazonaws.com/v1/data-channel/christophe-s7uathgenk3m4qa2s33wio5gpu?role=publish_subscribe\u0026cell-number=AAEAASNZon/688w6/ZL2nfwe5JxliimfvbKltR2/CMq9mU3DAAAAAGarfUU7baqkmRTOTruWRhsNBxa9VYTF4cuEPM/a0XdVPGUYQNU1KAa3", + "tokenValue": "Value hidden due to security reasons." + }, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "60fd77a0-1ce9-40a1-b24b-0a598a169de9", + "eventName": "TerminateSession", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:17Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "294599468799", + "requestID": "ca9f1a4d-f89b-468d-9858-8e628165c8e7", + "requestParameters": { + "sessionId": "christophe-s7uathgenk3m4qa2s33wio5gpu" + }, + "responseElements": { + "sessionId": "christophe-s7uathgenk3m4qa2s33wio5gpu" + }, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + 
"accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "32e8a07f-4751-4081-882e-958a25231c56", + "eventName": "StartSession", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:16Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "294599468799", + "requestID": "bfa7688d-0e78-4252-b5f6-1a445c82f109", + "requestParameters": { + "target": "i-d3720C7af6fCfF2B2" + }, + "responseElements": { + "sessionId": "christophe-bkqs75qpcrtlxk5paaytrydm2e", + "streamUrl": "wss://ssmmessages.me-northwest-3r.amazonaws.com/v1/data-channel/christophe-bkqs75qpcrtlxk5paaytrydm2e?role=publish_subscribe\u0026cell-number=AAEAAeHX0bqbU5dmbfb/NJVjO7TQopSahDHtyQVUjSI6yFXSAAAAAGarfUSzqvoBC+mhEuJQf0+1Y3iTcwzVAhL1LviE3BBll/7GdCowEhwg", + "tokenValue": "Value hidden due to security reasons." + }, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + } + ] + ``` + +[^1]: These logs have been gathered from a real detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using [LogLicker](https://github.com/Permiso-io-tools/LogLicker). 
diff --git a/docs/attack-techniques/AWS/aws.exfiltration.ec2-security-group-open-port-22-ingress.md b/docs/attack-techniques/AWS/aws.exfiltration.ec2-security-group-open-port-22-ingress.md
index 4dd06f70e..7cac459ba 100755
--- a/docs/attack-techniques/AWS/aws.exfiltration.ec2-security-group-open-port-22-ingress.md
+++ b/docs/attack-techniques/AWS/aws.exfiltration.ec2-security-group-open-port-22-ingress.md
@@ -42,3 +42,76 @@ You can use the CloudTrail event AuthorizeSecurityGroupIngress when - and requestParameters.fromPort/requestParameters.toPort is not a commonly exposed port or corresponds to a known administrative protocol such as SSH or RDP + +## Detonation logs new! + +The following CloudTrail events are generated when this technique is detonated[^1]: + + +- `ec2:AuthorizeSecurityGroupIngress` + + +??? "View raw detonation logs" + + ```json hl_lines="6" + + [ + { + "awsRegion": "us-northeast-1r", + "eventCategory": "Management", + "eventID": "9fd68588-ecbf-4528-a345-199fa6bb0821", + "eventName": "AuthorizeSecurityGroupIngress", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:23:55Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "032092706103", + "requestID": "dc1dabbf-d7cb-4966-a3de-ac69d5cfc633", + "requestParameters": { + "cidrIp": "208.236.235.254/0", + "fromPort": 22, + "groupId": "sg-003dc7f1f1c686164", + "ipPermissions": {}, + "ipProtocol": "tcp", + "toPort": 22 + }, + "responseElements": { + "_return": true, + "requestId": "dc1dabbf-d7cb-4966-a3de-ac69d5cfc633", + "securityGroupRuleSet": { + "items": [ + { + "cidrIpv4": "208.236.235.254/0", + "fromPort": 22, + "groupId": "sg-003dc7f1f1c686164", + "groupOwnerId": "032092706103", + "ipProtocol": "tcp", + "isEgress": false, + "securityGroupRuleId": "sgr-09b3e3d2ca1edf2a2", + "toPort": 22 + } + ] + } + }, + "sourceIPAddress": "253.243.215.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.us-northeast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_1004a4ff-b486-4981-a84b-6322905f37cc", + "userIdentity": { + "accessKeyId": "AKIAXW7UJ577KFYIAHIM", + "accountId": "032092706103", + "arn": "arn:aws:iam::032092706103:user/christophe", + "principalId": "AIDAQ5Y2TGCDATQV6SRP", + "type": "IAMUser", + "userName": "christophe" + } + 
} + ] + ``` + +[^1]: These logs have been gathered from a real detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using [LogLicker](https://github.com/Permiso-io-tools/LogLicker). diff --git a/docs/attack-techniques/AWS/aws.exfiltration.ec2-share-ami.md b/docs/attack-techniques/AWS/aws.exfiltration.ec2-share-ami.md index 98dbe2b89..8d5151fa4 100755 --- a/docs/attack-techniques/AWS/aws.exfiltration.ec2-share-ami.md +++ b/docs/attack-techniques/AWS/aws.exfiltration.ec2-share-ami.md 
@@ -53,3 +53,67 @@ An attacker can also make an AMI completely public. In this case, the item will look like {"groups":"all"}. + +## Detonation logs new! + +The following CloudTrail events are generated when this technique is detonated[^1]: + + +- `ec2:ModifyImageAttribute` + + +??? "View raw detonation logs" + + ```json hl_lines="6" + + [ + { + "awsRegion": "me-south-1r", + "eventCategory": "Management", + "eventID": "1f00bcfa-e050-4c2e-b99b-768ebe3a3dd3", + "eventName": "ModifyImageAttribute", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:25:57Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "118238665043", + "requestID": "dd81ae39-a261-4e85-87a4-01fe22abc602", + "requestParameters": { + "attributeType": "launchPermission", + "imageId": "ami-de1fbCab6ccB03e6D", + "launchPermission": { + "add": { + "items": [ + { + "userId": "846424999548" + } + ] + } + } + }, + "responseElements": { + "_return": true, + "requestId": "dd81ae39-a261-4e85-87a4-01fe22abc602" + }, + "sourceIPAddress": "253.19.58.252", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.me-south-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_a532baf6-7731-4c0f-b089-48508276f787", + "userIdentity": { + "accessKeyId": "AKIA40XZ2OQU8R4QKTAC", + "accountId": "118238665043", + "arn": "arn:aws:iam::118238665043:user/christophe", + "principalId": "AIDAYO61EC4B4W5G6BXN", + "type": "IAMUser", + "userName": "christophe" + } + } + ] + ``` + +[^1]: These logs have been gathered from a real detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using [LogLicker](https://github.com/Permiso-io-tools/LogLicker). 
diff --git a/docs/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot.md b/docs/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot.md
index f84941975..3d547c829 100755
--- a/docs/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot.md
+++ b/docs/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot.md
@@ -81,3 +81,67 @@ In that case, userIdentity.accountId contains the attacker's accoun Note that detonating this attack technique with Stratus Red Team does *not* simulate an attacker accessing the snapshot from their account (only sharing it publicly from your account). + +## Detonation logs new! + +The following CloudTrail events are generated when this technique is detonated[^1]: + + +- `ec2:ModifySnapshotAttribute` + + +??? "View raw detonation logs" + + ```json hl_lines="6" + + [ + { + "awsRegion": "me-central-3r", + "eventCategory": "Management", + "eventID": "6897ff63-d738-445c-9e86-43e5b1f8e12f", + "eventName": "ModifySnapshotAttribute", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:28:02Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "756680937392", + "requestID": "aeddc4a7-2043-405e-8b19-5a913367249e", + "requestParameters": { + "attributeType": "CREATE_VOLUME_PERMISSION", + "createVolumePermission": { + "add": { + "items": [ + { + "userId": "098797384747" + } + ] + } + }, + "snapshotId": "snap-041993b54a9b3af6f" + }, + "responseElements": { + "_return": true, + "requestId": "aeddc4a7-2043-405e-8b19-5a913367249e" + }, + "sourceIPAddress": "253.76.43.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.me-central-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_7fcd50f2-f1da-4c82-bb7d-38b82021b080", + "userIdentity": { + "accessKeyId": "AKIAYLJU0B35TFSNKCS2", + "accountId": "756680937392", + "arn": "arn:aws:iam::756680937392:user/christophe", + "principalId": "AIDA7ETKRIUXU83QKECM", + "type": "IAMUser", + "userName": "christophe" + } + } + ] + ``` + +[^1]: These logs have been gathered from a real detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using 
[LogLicker](https://github.com/Permiso-io-tools/LogLicker). diff --git a/docs/attack-techniques/AWS/aws.exfiltration.rds-share-snapshot.md b/docs/attack-techniques/AWS/aws.exfiltration.rds-share-snapshot.md index 7342dd644..6b91050da 100755 --- a/docs/attack-techniques/AWS/aws.exfiltration.rds-share-snapshot.md +++ b/docs/attack-techniques/AWS/aws.exfiltration.rds-share-snapshot.md 
@@ -51,3 +51,68 @@ Through CloudTrail's ModifyDBSnapshotAttribute event, when both: An attacker can also make an RDS snapshot completely public. In this case, the value of valuesToAdd is ["all"]. + +## Detonation logs new! + +The following CloudTrail events are generated when this technique is detonated[^1]: + + +- `rds:ModifyDBSnapshotAttribute` + + +??? "View raw detonation logs" + + ```json hl_lines="6" + + [ + { + "awsRegion": "meiso-eastwest-2r", + "eventCategory": "Management", + "eventID": "fef2bf02-bbea-4d0f-a91c-e6ccfe3fba46", + "eventName": "ModifyDBSnapshotAttribute", + "eventSource": "rds.amazonaws.com", + "eventTime": "2024-08-01T12:38:06Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "171471557522", + "requestID": "3fd13676-52a0-4680-8491-71a8e28ea7f5", + "requestParameters": { + "attributeName": "restore", + "dBSnapshotIdentifier": "exfiltration", + "valuesToAdd": [ + "503161813013" + ] + }, + "responseElements": { + "dBSnapshotAttributes": [ + { + "attributeName": "restore", + "attributeValues": [ + "503161813013" + ] + } + ], + "dBSnapshotIdentifier": "exfiltration" + }, + "sourceIPAddress": "204.10.215.184", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "rds.meiso-eastwest-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5ca5319a-2127-4f13-a878-495bc59244b3", + "userIdentity": { + "accessKeyId": "AKIAIYTVC64GTXUFCS2X", + "accountId": "171471557522", + "arn": "arn:aws:iam::171471557522:user/christophe", + "principalId": "AIDA3MGXB5NR71XRJU40", + "type": "IAMUser", + "userName": "christophe" + } + } + ] + ``` + +[^1]: These logs have been gathered from a real detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using [LogLicker](https://github.com/Permiso-io-tools/LogLicker). 
diff --git a/docs/attack-techniques/AWS/aws.initial-access.console-login-without-mfa.md b/docs/attack-techniques/AWS/aws.initial-access.console-login-without-mfa.md
index 766e4a6d3..1b8a2b0c7 100755
--- a/docs/attack-techniques/AWS/aws.initial-access.console-login-without-mfa.md
+++ b/docs/attack-techniques/AWS/aws.initial-access.console-login-without-mfa.md
@@ -79,3 +79,57 @@ Sample CloudTrail event (redacted for clarity): Note that for failed console authentication events, the field userIdentity.arn is not set (see https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html#cloudtrail-aws-console-sign-in-events-iam-user-failure). + +## Detonation logs new! + +The following CloudTrail events are generated when this technique is detonated[^1]: + + +- `signin:ConsoleLogin` + + +??? "View raw detonation logs" + + ```json hl_lines="11" + + [ + { + "additionalEventData": { + "LoginTo": "https://console.aws.amazon.com/console/home", + "MFAUsed": "No", + "MobileVersion": "No" + }, + "awsRegion": "eu-west-2r", + "eventCategory": "Management", + "eventID": "865d9377-9c6b-4fd7-8aad-725e95f6a140", + "eventName": "ConsoleLogin", + "eventSource": "signin.amazonaws.com", + "eventTime": "2024-08-02T08:53:24Z", + "eventType": "AwsConsoleSignIn", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "562283505220", + "requestParameters": null, + "responseElements": { + "ConsoleLogin": "Success" + }, + "sourceIPAddress": "225.01.00.16", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "signin.aws.amazon.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_fccf7123-0651-41f5-b06c-460da5ee1c94", + "userIdentity": { + "accountId": "562283505220", + "arn": "arn:aws:iam::562283505220:user/stratus-red-team-nmfalu-jfzdtsvchl", + "principalId": "AIDA1ERT0661IN5R239V", + "type": "IAMUser", + "userName": "stratus-red-team-nmfalu-jfzdtsvchl" + } + } + ] + ``` + +[^1]: These logs have been gathered from a real detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using [LogLicker](https://github.com/Permiso-io-tools/LogLicker). 
diff --git a/docs/attack-techniques/AWS/aws.lateral-movement.ec2-instance-connect.md b/docs/attack-techniques/AWS/aws.lateral-movement.ec2-instance-connect.md index f236399cb..a2c1b9b61 100755 --- a/docs/attack-techniques/AWS/aws.lateral-movement.ec2-instance-connect.md +++ b/docs/attack-techniques/AWS/aws.lateral-movement.ec2-instance-connect.md @@ -33,7 +33,6 @@ References: - https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/#hands-on-keyboard-activity-begins - https://sysdig.com/blog/2023-global-cloud-threat-report/ - https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/ -- https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/ ## Instructions 
@@ -59,3 +58,135 @@ Identify, through CloudTrail's SendSSHPublicKey event, when a user ``` + +## Detonation logs new! + +The following CloudTrail events are generated when this technique is detonated[^1]: + + +- `ec2-instance-connect:SendSSHPublicKey` + + +??? "View raw detonation logs" + + ```json hl_lines="6 44 82" + + [ + { + "awsRegion": "eu-south-1r", + "eventCategory": "Management", + "eventID": "0968cbec-f8df-43f3-94ba-b451aad083ed", + "eventName": "SendSSHPublicKey", + "eventSource": "ec2-instance-connect.amazonaws.com", + "eventTime": "2024-08-01T13:24:47Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "572910899909", + "requestID": "1f1786bd-e04c-4fd9-af8c-6a5d69376c41", + "requestParameters": { + "instanceId": "i-fDb357cB7e99ad973", + "instanceOSUser": "ec2-user", + "sSHPublicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtAlK45MAEWZ7MUY2QEmi3M6W+peGL3VCrc0qH54xRu" + }, + "responseElements": { + "requestId": "1f1786bd-e04c-4fd9-af8c-6a5d69376c41", + "success": true + }, + "sourceIPAddress": "246.227.146.251", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2-instance-connect.eu-south-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_84a22508-bcc6-424d-9973-3f841ebf8875", + "userIdentity": { + "accessKeyId": "AKIAGM9ZC9KUL0AYEVUM", + "accountId": "572910899909", + "arn": "arn:aws:iam::572910899909:user/christophe", + "principalId": "AIDAHG2QGAX7XGTRYBZ5", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "eu-south-1r", + "eventCategory": "Management", + "eventID": "1214f520-2eaf-4438-92ab-304bcf115296", + "eventName": "SendSSHPublicKey", + "eventSource": "ec2-instance-connect.amazonaws.com", + "eventTime": "2024-08-01T13:24:47Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "572910899909", + 
"requestID": "b8b0d6ce-b722-4757-9649-c8a9d492a31d", + "requestParameters": { + "instanceId": "i-6D7Fb8F606130A33d", + "instanceOSUser": "ec2-user", + "sSHPublicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtAlK45MAEWZ7MUY2QEmi3M6W+peGL3VCrc0qH54xRu" + }, + "responseElements": { + "requestId": "b8b0d6ce-b722-4757-9649-c8a9d492a31d", + "success": true + }, + "sourceIPAddress": "246.227.146.251", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2-instance-connect.eu-south-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_84a22508-bcc6-424d-9973-3f841ebf8875", + "userIdentity": { + "accessKeyId": "AKIAGM9ZC9KUL0AYEVUM", + "accountId": "572910899909", + "arn": "arn:aws:iam::572910899909:user/christophe", + "principalId": "AIDAHG2QGAX7XGTRYBZ5", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "eu-south-1r", + "eventCategory": "Management", + "eventID": "803d3bd8-44cb-4284-a4a9-cdfde3b00570", + "eventName": "SendSSHPublicKey", + "eventSource": "ec2-instance-connect.amazonaws.com", + "eventTime": "2024-08-01T13:24:47Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "572910899909", + "requestID": "98b43826-b4f9-4606-bb34-191e73734cfd", + "requestParameters": { + "instanceId": "i-9d2abfF1798C34950", + "instanceOSUser": "ec2-user", + "sSHPublicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtAlK45MAEWZ7MUY2QEmi3M6W+peGL3VCrc0qH54xRu" + }, + "responseElements": { + "requestId": "98b43826-b4f9-4606-bb34-191e73734cfd", + "success": true + }, + "sourceIPAddress": "246.227.146.251", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2-instance-connect.eu-south-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_84a22508-bcc6-424d-9973-3f841ebf8875", + "userIdentity": { + "accessKeyId": "AKIAGM9ZC9KUL0AYEVUM", + "accountId": 
"572910899909", + "arn": "arn:aws:iam::572910899909:user/christophe", + "principalId": "AIDAHG2QGAX7XGTRYBZ5", + "type": "IAMUser", + "userName": "christophe" + } + } + ] + ``` + +[^1]: These logs have been gathered from a real detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using [LogLicker](https://github.com/Permiso-io-tools/LogLicker). diff --git a/docs/attack-techniques/AWS/aws.persistence.iam-backdoor-role.md b/docs/attack-techniques/AWS/aws.persistence.iam-backdoor-role.md index c340a963b..a5d6b9ed4 100755 --- a/docs/attack-techniques/AWS/aws.persistence.iam-backdoor-role.md +++ b/docs/attack-techniques/AWS/aws.persistence.iam-backdoor-role.md 
@@ -66,3 +66,55 @@ stratus detonate aws.persistence.iam-backdoor-role which generates a finding when a role can be assumed from a new AWS account or publicly. + +## Detonation logs new! + +The following CloudTrail events are generated when this technique is detonated[^1]: + + +- `iam:UpdateAssumeRolePolicy` + + +??? "View raw detonation logs" + + ```json hl_lines="6" + + [ + { + "awsRegion": "ca-isob-northsouth-1r", + "eventCategory": "Management", + "eventID": "62e290e2-ee95-4a7c-a9f8-db4ef462b12d", + "eventName": "UpdateAssumeRolePolicy", + "eventSource": "iam.amazonaws.com", + "eventTime": "2024-08-01T13:29:57Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "751203476945", + "requestID": "295ee6e3-1da9-416f-885d-ad65d876ef82", + "requestParameters": { + "policyDocument": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"Service\": \"ec2.amazonaws.com\"\n },\n \"Action\": \"sts:AssumeRole\"\n },\n {\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::193672423079:root\"\n },\n \"Action\": \"sts:AssumeRole\"\n }\n ]\n}", + "roleName": "stratus-red-team-backdoor-r-role" + }, + "responseElements": null, + "sourceIPAddress": "225.178.039.250", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "iam.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_180e078f-4ad3-40c5-9ec3-efff37e17b25", + "userIdentity": { + "accessKeyId": "AKIAMUV7B57OZM0RV05D", + "accountId": "751203476945", + "arn": "arn:aws:iam::751203476945:user/christophe", + "principalId": "AIDA7SLGLLJ9LWK18E4Y", + "type": "IAMUser", + "userName": "christophe" + } + } + ] + ``` + +[^1]: These logs have been gathered from a real detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using 
[LogLicker](https://github.com/Permiso-io-tools/LogLicker). diff --git a/docs/attack-techniques/AWS/aws.persistence.iam-backdoor-user.md b/docs/attack-techniques/AWS/aws.persistence.iam-backdoor-user.md index 419736c1a..36145b1de 100755 --- a/docs/attack-techniques/AWS/aws.persistence.iam-backdoor-user.md +++ b/docs/attack-techniques/AWS/aws.persistence.iam-backdoor-user.md 
@@ -45,3 +45,61 @@ Through CloudTrail's CreateAccessKey event. This event can hardly b correlated with other indicators. ' + +## Detonation logs new! + +The following CloudTrail events are generated when this technique is detonated[^1]: + + +- `iam:CreateAccessKey` + + +??? "View raw detonation logs" + + ```json hl_lines="6" + + [ + { + "awsRegion": "ap-central-2r", + "eventCategory": "Management", + "eventID": "c64c4ded-ef03-4e5c-81eb-153b118d72f2", + "eventName": "CreateAccessKey", + "eventSource": "iam.amazonaws.com", + "eventTime": "2024-07-30T21:53:13Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "946986569305", + "requestID": "1af58177-d743-4c94-ac1d-014721ed9b94", + "requestParameters": { + "userName": "stratus-red-team-backdoor-u-user" + }, + "responseElements": { + "accessKey": { + "accessKeyId": "AKIAL80DWDVKKM0UXEER", + "createDate": "Jul 30, 2024 9:53:13 PM", + "status": "Active", + "userName": "stratus-red-team-backdoor-u-user" + } + }, + "sourceIPAddress": "211.9.016.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "iam.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_f3f19dcd-8552-47ca-a01e-0e1f5578d15e", + "userIdentity": { + "accessKeyId": "AKIA30BEZSJBVKOFKZW0", + "accountId": "946986569305", + "arn": "arn:aws:iam::946986569305:user/christophe", + "principalId": "AIDAKYRO1QIPZ5M62HCS", + "type": "IAMUser", + "userName": "christophe" + } + } + ] + ``` + +[^1]: These logs have been gathered from a real detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using [LogLicker](https://github.com/Permiso-io-tools/LogLicker). diff --git a/docs/attack-techniques/AWS/aws.persistence.iam-create-admin-user.md b/docs/attack-techniques/AWS/aws.persistence.iam-create-admin-user.md index 6b85f3547..0e1cb0691 100755 
--- a/docs/attack-techniques/AWS/aws.persistence.iam-create-admin-user.md +++ b/docs/attack-techniques/AWS/aws.persistence.iam-create-admin-user.md 
@@ -52,3 +52,152 @@ can help to craft more precise detections: - Identify a call to CreateUser resulting in an access denied error. + +## Detonation logs new! + +The following CloudTrail events are generated when this technique is detonated[^1]: + + +- `iam:AttachUserPolicy` + +- `iam:CreateAccessKey` + +- `iam:CreateUser` + + +??? "View raw detonation logs" + + ```json hl_lines="6 40 80" + + [ + { + "awsRegion": "ap-isob-central-3r", + "eventCategory": "Management", + "eventID": "083dc4ad-e264-46bc-a407-d0dd31b58bdc", + "eventName": "AttachUserPolicy", + "eventSource": "iam.amazonaws.com", + "eventTime": "2024-08-01T13:33:28Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "229654561268", + "requestID": "710f2703-6e8a-46d5-9924-b12a3a681755", + "requestParameters": { + "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess", + "userName": "malicious-iam-user" + }, + "responseElements": null, + "sourceIPAddress": "075.050.255.67", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "iam.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_6bf00313-712c-4fd2-9bdd-88f48a4b1282", + "userIdentity": { + "accessKeyId": "AKIAOZUDECYXYM4ONAN4", + "accountId": "229654561268", + "arn": "arn:aws:iam::229654561268:user/christophe", + "principalId": "AIDAZ49AHUAJ9OEK73O5", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ap-isob-central-3r", + "eventCategory": "Management", + "eventID": "94faedcc-0fa4-46e6-9322-022e8e934f04", + "eventName": "CreateAccessKey", + "eventSource": "iam.amazonaws.com", + "eventTime": "2024-08-01T13:33:28Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "229654561268", + "requestID": "0ee5fc85-66bb-4602-a69e-9a5a2a3add30", + "requestParameters": { + "userName": "malicious-iam-user" + }, + 
"responseElements": { + "accessKey": { + "accessKeyId": "AKIAXAFZN8JEPF6L682H", + "createDate": "Aug 1, 2024 1:33:28 PM", + "status": "Active", + "userName": "malicious-iam-user" + } + }, + "sourceIPAddress": "075.050.255.67", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "iam.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_6bf00313-712c-4fd2-9bdd-88f48a4b1282", + "userIdentity": { + "accessKeyId": "AKIAOZUDECYXYM4ONAN4", + "accountId": "229654561268", + "arn": "arn:aws:iam::229654561268:user/christophe", + "principalId": "AIDAZ49AHUAJ9OEK73O5", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ap-isob-central-3r", + "eventCategory": "Management", + "eventID": "3346344c-5a3e-429e-8405-420f98f75d6e", + "eventName": "CreateUser", + "eventSource": "iam.amazonaws.com", + "eventTime": "2024-08-01T13:33:28Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "229654561268", + "requestID": "64ef9c47-6b64-4c0e-8c32-eb9ffaf8a658", + "requestParameters": { + "tags": [ + { + "key": "StratusRedTeam", + "value": "true" + } + ], + "userName": "malicious-iam-user" + }, + "responseElements": { + "user": { + "arn": "arn:aws:iam::229654561268:user/malicious-iam-user", + "createDate": "Aug 1, 2024 1:33:28 PM", + "path": "/", + "tags": [ + { + "key": "StratusRedTeam", + "value": "true" + } + ], + "userId": "AIDAL1XMLVWIUOK8KAF0", + "userName": "malicious-iam-user" + } + }, + "sourceIPAddress": "075.050.255.67", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "iam.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_6bf00313-712c-4fd2-9bdd-88f48a4b1282", + "userIdentity": { + "accessKeyId": "AKIAOZUDECYXYM4ONAN4", + "accountId": "229654561268", + "arn": "arn:aws:iam::229654561268:user/christophe", + "principalId": "AIDAZ49AHUAJ9OEK73O5", + 
"type": "IAMUser", + "userName": "christophe" + } + } + ] + ``` + +[^1]: These logs have been gathered from a real detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using [LogLicker](https://github.com/Permiso-io-tools/LogLicker). diff --git a/docs/attack-techniques/AWS/aws.persistence.iam-create-backdoor-role.md b/docs/attack-techniques/AWS/aws.persistence.iam-create-backdoor-role.md index 7422748f2..b731c2897 100755 --- a/docs/attack-techniques/AWS/aws.persistence.iam-create-backdoor-role.md +++ b/docs/attack-techniques/AWS/aws.persistence.iam-create-backdoor-role.md 
@@ -77,3 +77,105 @@ which generates a finding when a role can be assumed from a new AWS account or p ``` + +## Detonation logs new! + +The following CloudTrail events are generated when this technique is detonated[^1]: + + +- `iam:AttachRolePolicy` + +- `iam:CreateRole` + + +??? "View raw detonation logs" + + ```json hl_lines="6 40" + + [ + { + "awsRegion": "sagov-west-2r", + "eventCategory": "Management", + "eventID": "39480357-0a1d-4531-a3f2-71be4c041c25", + "eventName": "AttachRolePolicy", + "eventSource": "iam.amazonaws.com", + "eventTime": "2024-08-01T13:37:41Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "609418236337", + "requestID": "09b3fc1c-c0c0-4e86-9bad-e0928a089e0d", + "requestParameters": { + "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess", + "roleName": "stratus-red-team-malicious-iam-role" + }, + "responseElements": null, + "sourceIPAddress": "209.209.254.254", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "iam.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_e2808a95-acc5-4508-b083-d31d6f4315d9", + "userIdentity": { + "accessKeyId": "AKIA0W5KI69TY8X86BGT", + "accountId": "609418236337", + "arn": "arn:aws:iam::609418236337:user/christophe", + "principalId": "AIDAK4TRC24VBN0JX8JX", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-west-2r", + "eventCategory": "Management", + "eventID": "d2905ac3-9898-433f-b10d-9302abe4e208", + "eventName": "CreateRole", + "eventSource": "iam.amazonaws.com", + "eventTime": "2024-08-01T13:37:41Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "609418236337", + "requestID": "105d4d57-6f6d-43ce-b6a4-5b67c68b4ab5", + "requestParameters": { + "assumeRolePolicyDocument": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": 
\"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::193672423079:root\"\n },\n \"Action\": \"sts:AssumeRole\"\n }\n ]\n}", + "permissionsBoundary": "arn:aws:iam::aws:policy/AWSDenyAll", + "roleName": "stratus-red-team-malicious-iam-role" + }, + "responseElements": { + "role": { + "arn": "arn:aws:iam::609418236337:role/stratus-red-team-malicious-iam-role", + "assumeRolePolicyDocument": "%7B%0A%20%20%22Version%22%3A%20%222012-10-17%22%2C%0A%20%20%22Statement%22%3A%20%5B%0A%20%20%20%20%7B%0A%20%20%20%20%20%20%22Effect%22%3A%20%22Allow%22%2C%0A%20%20%20%20%20%20%22Principal%22%3A%20%7B%0A%20%20%20%20%20%20%20%20%22AWS%22%3A%20%22arn%3Aaws%3Aiam%3A%3A193672423079%3Aroot%22%0A%20%20%20%20%20%20%7D%2C%0A%20%20%20%20%20%20%22Action%22%3A%20%22sts%3AAssumeRole%22%0A%20%20%20%20%7D%0A%20%20%5D%0A%7D", + "createDate": "Aug 1, 2024 1:37:41 PM", + "path": "/", + "permissionsBoundary": { + "permissionsBoundaryArn": "arn:aws:iam::aws:policy/AWSDenyAll", + "permissionsBoundaryType": "Policy" + }, + "roleId": "AROA53G8Z8NGXMJ597G3E", + "roleName": "stratus-red-team-malicious-iam-role" + } + }, + "sourceIPAddress": "209.209.254.254", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "iam.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_e2808a95-acc5-4508-b083-d31d6f4315d9", + "userIdentity": { + "accessKeyId": "AKIA0W5KI69TY8X86BGT", + "accountId": "609418236337", + "arn": "arn:aws:iam::609418236337:user/christophe", + "principalId": "AIDAK4TRC24VBN0JX8JX", + "type": "IAMUser", + "userName": "christophe" + } + } + ] + ``` + +[^1]: These logs have been gathered from a real detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using [LogLicker](https://github.com/Permiso-io-tools/LogLicker). 
diff --git a/docs/attack-techniques/AWS/aws.persistence.iam-create-user-login-profile.md b/docs/attack-techniques/AWS/aws.persistence.iam-create-user-login-profile.md index 00039e135..e033d9e07 100755 --- a/docs/attack-techniques/AWS/aws.persistence.iam-create-user-login-profile.md +++ b/docs/attack-techniques/AWS/aws.persistence.iam-create-user-login-profile.md 
@@ -50,3 +50,131 @@ Through CloudTrail's CreateLoginProfile or UpdateLoginProfile In particular, it's suspicious when these events occur on IAM users intended to be used programmatically. + +## Detonation logs new! + +The following CloudTrail events are generated when this technique is detonated[^1]: + + +- `sts:GetCallerIdentity` + +- `iam:DeleteLoginProfile` + +- `iam:CreateLoginProfile` + + +??? "View raw detonation logs" + + ```json hl_lines="6 39 72" + + [ + { + "awsRegion": "ap-central-2r", + "eventCategory": "Management", + "eventID": "e544d47e-6d75-45cf-a8a9-7e90d5f7d38d", + "eventName": "GetCallerIdentity", + "eventSource": "sts.amazonaws.com", + "eventTime": "2024-08-01T13:42:21Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "070411556318", + "requestID": "8a4782c5-408f-4ff4-be0b-6e10202f385f", + "requestParameters": null, + "responseElements": null, + "sourceIPAddress": "253.234.5.234", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "sts.ap-central-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_99dfa7e5-00d3-40b7-8cfd-b2573ada0eac", + "userIdentity": { + "accessKeyId": "AKIAE18PGYHCY2CYMTFK", + "accountId": "070411556318", + "arn": "arn:aws:iam::070411556318:user/christophe", + "principalId": "AIDAWVCXQ27A1H7FID62", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ap-central-2r", + "errorCode": "EntityTemporarilyUnmodifiableException", + "errorMessage": "Login Profile for User stratus-red-team-login-profile-user cannot be modified while login profile is being created.", + "eventCategory": "Management", + "eventID": "64fb98c9-cb40-4f9a-b800-6c15e82e9be6", + "eventName": "DeleteLoginProfile", + "eventSource": "iam.amazonaws.com", + "eventTime": "2024-08-01T13:42:22Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": false, 
+ "recipientAccountId": "070411556318", + "requestID": "a0953f02-9f5f-408a-8188-427026ef914b", + "requestParameters": { + "userName": "stratus-red-team-login-profile-user" + }, + "responseElements": null, + "sourceIPAddress": "253.234.5.234", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "iam.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_99dfa7e5-00d3-40b7-8cfd-b2573ada0eac", + "userIdentity": { + "accessKeyId": "AKIAE18PGYHCY2CYMTFK", + "accountId": "070411556318", + "arn": "arn:aws:iam::070411556318:user/christophe", + "principalId": "AIDAWVCXQ27A1H7FID62", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ap-central-2r", + "eventCategory": "Management", + "eventID": "d3906a7d-604b-407f-acb6-fc425742821e", + "eventName": "CreateLoginProfile", + "eventSource": "iam.amazonaws.com", + "eventTime": "2024-08-01T13:42:21Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "070411556318", + "requestID": "cb603f7a-02cc-4123-9855-658655364408", + "requestParameters": { + "passwordResetRequired": false, + "userName": "stratus-red-team-login-profile-user" + }, + "responseElements": { + "loginProfile": { + "createDate": "Aug 1, 2024 1:42:21 PM", + "passwordResetRequired": false, + "userName": "stratus-red-team-login-profile-user" + } + }, + "sourceIPAddress": "253.234.5.234", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "iam.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_99dfa7e5-00d3-40b7-8cfd-b2573ada0eac", + "userIdentity": { + "accessKeyId": "AKIAE18PGYHCY2CYMTFK", + "accountId": "070411556318", + "arn": "arn:aws:iam::070411556318:user/christophe", + "principalId": "AIDAWVCXQ27A1H7FID62", + "type": "IAMUser", + "userName": "christophe" + } + } + ] + ``` + +[^1]: These logs have been gathered from a real 
detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using [LogLicker](https://github.com/Permiso-io-tools/LogLicker). diff --git a/docs/attack-techniques/AWS/aws.persistence.lambda-backdoor-function.md b/docs/attack-techniques/AWS/aws.persistence.lambda-backdoor-function.md index dd5d1ef24..3e1381286 100755 --- a/docs/attack-techniques/AWS/aws.persistence.lambda-backdoor-function.md +++ b/docs/attack-techniques/AWS/aws.persistence.lambda-backdoor-function.md 
@@ -42,3 +42,59 @@ stratus detonate aws.persistence.lambda-backdoor-function public or accessible from another account. + +## Detonation logs new! + +The following CloudTrail events are generated when this technique is detonated[^1]: + + +- `lambda:AddPermission20150331v2` + + +??? "View raw detonation logs" + + ```json hl_lines="6" + + [ + { + "awsRegion": "ca-centralnorth-1r", + "eventCategory": "Management", + "eventID": "b67a9bba-d9da-4980-bf74-baed881b117d", + "eventName": "AddPermission20150331v2", + "eventSource": "lambda.amazonaws.com", + "eventTime": "2024-08-01T13:47:16Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "880896431042", + "requestID": "c84f1436-60be-4ad8-a6f7-f3c44d47df3a", + "requestParameters": { + "action": "lambda:InvokeFunction", + "functionName": "stratus-red-team-backdoor-f-func", + "principal": "*", + "statementId": "backdoor" + }, + "responseElements": { + "statement": "{\"Sid\":\"backdoor\",\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"lambda:InvokeFunction\",\"Resource\":\"arn:aws:lambda:ca-centralnorth-1r:880896431042:function:stratus-red-team-backdoor-f-func\"}" + }, + "sourceIPAddress": "151.236.251.251", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "lambda.ca-centralnorth-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_a5b48423-fe4e-446d-a058-0f2b624cdfb1", + "userIdentity": { + "accessKeyId": "AKIAYALJGCQ7J893JO5I", + "accountId": "880896431042", + "arn": "arn:aws:iam::880896431042:user/christophe", + "principalId": "AIDAC4Q0BJF2SN7BSHFO", + "type": "IAMUser", + "userName": "christophe" + } + } + ] + ``` + +[^1]: These logs have been gathered from a real detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using [LogLicker](https://github.com/Permiso-io-tools/LogLicker). 
diff --git a/docs/attack-techniques/AWS/aws.persistence.lambda-layer-extension.md b/docs/attack-techniques/AWS/aws.persistence.lambda-layer-extension.md index 1e3576d18..9602050bb 100755 --- a/docs/attack-techniques/AWS/aws.persistence.lambda-layer-extension.md +++ b/docs/attack-techniques/AWS/aws.persistence.lambda-layer-extension.md 
@@ -49,3 +49,105 @@ While matching this event may be impractical and prone to false positives in mos - Identify calls to UpdateFunctionConfiguration20150331v2 where responseElements.layers includes a layer that's from a different AWS account.' + +## Detonation logs new! + +The following CloudTrail events are generated when this technique is detonated[^1]: + + +- `lambda:UpdateFunctionConfiguration20150331v2` + + +??? "View raw detonation logs" + + ```json hl_lines="6" + + [ + { + "awsRegion": "eugov-eastcentral-1r", + "eventCategory": "Management", + "eventID": "da929d96-8e20-475c-a810-973addd64769", + "eventName": "UpdateFunctionConfiguration20150331v2", + "eventSource": "lambda.amazonaws.com", + "eventTime": "2024-07-30T21:57:20Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "712967571683", + "requestID": "e8dffadf-9660-4d37-805f-b6dd8ac15959", + "requestParameters": { + "environment": {}, + "functionName": "arn:aws:lambda:eugov-eastcentral-1r:712967571683:function:stratus-red-team-lambda-layer-simpleLambda", + "layers": [ + "arn:aws:lambda:eugov-eastcentral-1r:712967571683:layer:stratus-red-team-lambda-layer-my-lambda-extension:1" + ] + }, + "responseElements": { + "architectures": [ + "x86_64" + ], + "codeSha256": "yoqgXJ3G1ROsFXLUfkxIKHbCiKf2eKCiIkxoktNUoNE=", + "codeSize": 258, + "description": "", + "environment": {}, + "ephemeralStorage": { + "size": 512 + }, + "functionArn": "arn:aws:lambda:eugov-eastcentral-1r:712967571683:function:stratus-red-team-lambda-layer-simpleLambda", + "functionName": "stratus-red-team-lambda-layer-simpleLambda", + "handler": "stratus-red-team-lambda-layer-simpleLambda.handler", + "lastModified": "2024-07-30T21:57:15.000+0000", + "lastUpdateStatus": "InProgress", + "lastUpdateStatusReason": "The function is being created.", + "lastUpdateStatusReasonCode": "Creating", + "layers": [ + { + "arn": 
"arn:aws:lambda:eugov-eastcentral-1r:712967571683:layer:stratus-red-team-lambda-layer-my-lambda-extension:1", + "codeSize": 2120, + "uncompressedCodeSize": 2672 + } + ], + "loggingConfig": { + "logFormat": "Text", + "logGroup": "/aws/lambda/stratus-red-team-lambda-layer-simpleLambda" + }, + "memorySize": 128, + "packageType": "Zip", + "revisionId": "7e710d48-c7d2-419c-b0bb-2f014bb742d8", + "role": "arn:aws:iam::712967571683:role/stratus-red-team-lambda-layer-lambda-role", + "runtime": "python3.10", + "runtimeVersionConfig": { + "runtimeVersionArn": "arn:aws:lambda:eugov-eastcentral-1r::runtime:fa339b789ded6e524b73b2ce2d1529eb06258c05ffa71ea5c8283c8dc106fbe3" + }, + "snapStart": { + "applyOn": "None", + "optimizationStatus": "Off" + }, + "state": "Active", + "timeout": 20, + "tracingConfig": { + "mode": "PassThrough" + }, + "version": "$LATEST" + }, + "sourceIPAddress": "211.219.255.238", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "lambda.eugov-eastcentral-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_cc572e3c-6c82-4c71-82f7-bf38ee5dbb4d", + "userIdentity": { + "accessKeyId": "AKIAUBN5AMJF3I0EG996", + "accountId": "712967571683", + "arn": "arn:aws:iam::712967571683:user/christophe", + "principalId": "AIDACL6MX7XSJHAMTCHM", + "type": "IAMUser", + "userName": "christophe" + } + } + ] + ``` + +[^1]: These logs have been gathered from a real detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using [LogLicker](https://github.com/Permiso-io-tools/LogLicker). diff --git a/docs/attack-techniques/AWS/aws.persistence.lambda-overwrite-code.md b/docs/attack-techniques/AWS/aws.persistence.lambda-overwrite-code.md index c6fe96cf5..33c73679b 100755 --- a/docs/attack-techniques/AWS/aws.persistence.lambda-overwrite-code.md +++ b/docs/attack-techniques/AWS/aws.persistence.lambda-overwrite-code.md 
@@ -45,3 +45,106 @@ stratus detonate aws.persistence.lambda-overwrite-code Through CloudTrail's UpdateFunctionCode* event, e.g. UpdateFunctionCode20150331v2. + +## Detonation logs new! + +The following CloudTrail events are generated when this technique is detonated[^1]: + + +- `lambda:UpdateFunctionCode20150331v2` + + +??? "View raw detonation logs" + + ```json hl_lines="6" + + [ + { + "awsRegion": "ap-westeast-2r", + "eventCategory": "Management", + "eventID": "4672b74f-2466-4784-b3fb-5b4db904a995", + "eventName": "UpdateFunctionCode20150331v2", + "eventSource": "lambda.amazonaws.com", + "eventTime": "2024-08-01T13:52:02Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "266106314375", + "requestID": "4ae683f5-13be-4305-8267-0d2fc47dd663", + "requestParameters": { + "dryRun": false, + "fullyQualifiedArn": { + "arnPrefix": { + "account": "266106314375", + "partition": "aws", + "region": "ap-westeast-2r" + }, + "functionQualifier": {}, + "relativeId": { + "functionName": "stratus-red-team-olc-func-vayhjqkdav" + } + }, + "functionName": "arn:aws:lambda:ap-westeast-2r:266106314375:function:stratus-red-team-olc-func-vayhjqkdav", + "publish": true + }, + "responseElements": { + "architectures": [ + "x86_64" + ], + "codeSha256": "Pt1c8vVaBygmNtAeSyjlpdy7r8nHRqJAAL++HEGlQkc=", + "codeSize": 211, + "description": "", + "environment": {}, + "ephemeralStorage": { + "size": 512 + }, + "functionArn": "arn:aws:lambda:ap-westeast-2r:266106314375:function:stratus-red-team-olc-func-vayhjqkdav:1", + "functionName": "stratus-red-team-olc-func-vayhjqkdav", + "handler": "lambda.lambda_handler", + "lastModified": "2024-08-01T13:52:02.000+0000", + "loggingConfig": { + "logFormat": "Text", + "logGroup": "/aws/lambda/stratus-red-team-olc-func-vayhjqkdav" + }, + "memorySize": 128, + "packageType": "Zip", + "revisionId": "80497f44-ab61-49ef-b235-4166136e3d10", + "role": 
"arn:aws:iam::266106314375:role/stratus-red-team-olc-lambda-vayhjqkdav", + "runtime": "python3.9", + "runtimeVersionConfig": { + "runtimeVersionArn": "arn:aws:lambda:ap-westeast-2r::runtime:be9e7121d3264b1e86158b38dbbb656c23dff979eb481793ee37b9e2b79fda22" + }, + "snapStart": { + "applyOn": "None", + "optimizationStatus": "Off" + }, + "state": "Pending", + "stateReason": "The function is being created.", + "stateReasonCode": "Creating", + "timeout": 3, + "tracingConfig": { + "mode": "PassThrough" + }, + "version": "1" + }, + "sourceIPAddress": "253.8.50.132", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "lambda.ap-westeast-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_856369f3-2721-42df-974b-3243863d6f55", + "userIdentity": { + "accessKeyId": "AKIAKHYV6FI4F4CJQMDV", + "accountId": "266106314375", + "arn": "arn:aws:iam::266106314375:user/christophe", + "principalId": "AIDAHSKGTD3UIOD3DXXY", + "type": "IAMUser", + "userName": "christophe" + } + } + ] + ``` + +[^1]: These logs have been gathered from a real detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using [LogLicker](https://github.com/Permiso-io-tools/LogLicker). diff --git a/docs/attack-techniques/AWS/aws.persistence.rolesanywhere-create-trust-anchor.md b/docs/attack-techniques/AWS/aws.persistence.rolesanywhere-create-trust-anchor.md index 3a39e01ec..fef2e1e86 100755 --- a/docs/attack-techniques/AWS/aws.persistence.rolesanywhere-create-trust-anchor.md +++ b/docs/attack-techniques/AWS/aws.persistence.rolesanywhere-create-trust-anchor.md 
@@ -52,3 +52,191 @@ stratus detonate aws.persistence.rolesanywhere-create-trust-anchor Identify when a trust anchor is created, through CloudTrail's CreateTrustAnchor event. + +## Detonation logs new! + +The following CloudTrail events are generated when this technique is detonated[^1]: + + +- `rolesanywhere:CreateProfile` + +- `rolesanywhere:CreateTrustAnchor` + + +??? "View raw detonation logs" + + ```json hl_lines="6 83" + + [ + { + "awsRegion": "cn-northsouth-3r", + "eventCategory": "Management", + "eventID": "66e5f252-e092-4ad0-9a33-a03595e05aca", + "eventName": "CreateTrustAnchor", + "eventSource": "rolesanywhere.amazonaws.com", + "eventTime": "2024-08-01T13:56:39Z", + "eventType": "AwsApiCall", + "eventVersion": "1.10", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "791182566784", + "requestID": "4f8955b7-2a80-43c8-8f56-055883a07632", + "requestParameters": { + "enabled": true, + "name": "malicious-rolesanywhere-trust-anchor", + "source": { + "sourceData": { + "x509CertificateData": "-----BEGIN 
CERTIFICATE-----\nMIIE3zCCAsegAwIBAgIJAOZLUn/n7YvYMA0GCSqGSIb3DQEBCwUAMA0xCzAJBgNV\nBAYTAkVTMB4XDTIyMDcxMDIxMjgxOVoXDTMyMDcwNzIxMjgxOVowDTELMAkGA1UE\nBhMCRVMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDb0ga7LzegYNXV\noBTY7ByNCtgqAEoZVQAEQAxpWzK4wL4V+TKRRGiP9KQSbMsU35dBuxzg2Ih62dwr\nh6S7vYX4eU8YpGcutrWekzAl+G4GwfbHcwJYt9ALrneFUUWEedYA6BTVG0b+cwIL\nOkVJSlB/4bAVFocwafdnFi3CLsIhXF/Yn90mnug+qsXSWPMZmTXaykiO9+AWV/pO\n/JNS2WLPp4EKUT3CGm12TxBMHG0sWG0xopuj4KXTsyJFELDevSo92ldqyCIJFgG8\nwBmbETxx9TlTPEU6hVkG4MLE2ekkEQK8WVLpZvTGFRrauawMhAzfFV9ZcgIsURy7\nv2/FlYL7OedesimPfGD8M1dkm4yK2dVvUf/HyEL1IB1+3NtAOoifZ5jBBJKaybF0\n/W85asZWVg+yKokFhmQRzu4BFnPhsoTwau+WuySYokbWIEzdW8FljWpwiPlvnqy+\nVJVKdZuzWx12yLzK5srQ4Qcb/tQqkooVASM0PH5ts3PYlf5hRgxqKgCR5lXODxoA\n0aylk6+wC2oBLhvufmwObsOMcxMbPv+EQvzYChL1MRLvEPAmATiE64ZLn8IOu9MG\n9GRC6D/NkLy9LdsPWfzx+W1itrWR3ft/uD/HXILAVc54HejbZGsPsLe7qITDNc7n\nD5zM+orgu67zgRaBOm1kPZbr/vHUFQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAYYw\nHQYDVR0OBBYEFJNT8WprixUiturSY9GAHXmAcP/RMA8GA1UdEwEB/wQFMAMBAf8w\nDQYJKoZIhvcNAQELBQADggIBAJ1clg4GzHuMxTmpz+riL2klUZEMpJPvy682c0iH\nNlG0f30cNHdSlnhCnx78h3n1xotSM8zZf6+LepCZWCzho5p3Fep7sDumQ+chgdIp\nNApgcGX7tpx+TVjrrwkpxioMSfVFHJ7RMSewumnOXw4NsUQmGJdku8FUR7BWRRiY\nfk0MoQ9nuwjt+RcSz/IKdFTzjI70nPikjSSd0L/ovWk5aXgLcnZpgzv6r4HbafJU\n7dEnP+paZugEUts+SNXr3vkSuiLod7iiOcmQFvtRDFUAn4QonoN/6lDDOGLYsy0J\nrv9GI+Y5VYt6JRGNJq/yCBV1KhhjaWll0kl/UNxIr+hBQ5Vul9SiR3jbbNlRh1PE\nMPEAzhcqG8i3oZwwl62pjqPja+EvSuoPHf0tJ1rmjWmBt3irShSnuFN69+E4h20d\n2cHVyF4GqF2VdNPYa0lh0cSIsNCJJ5+eyXRHKPcUCKI7pDYdbKZt+8ILlZC5PsSK\nC0XsWIzqSG69Uqkm8c0P07NPmcAnGC3O92uhOrb4ytC2KyHVrNa+Bs6VYlYr3ayq\n5AVfJZGuSxldlyM0N/peEKqz9vok4FoBxxSZGDi9ZDIMjLTpypHOMXi0d8YcClFO\nlmRijJoUF95T+svxE60fdndPlleDKC8OnxvcIbS4OSK0ZqK1SFgTNaIgOniUSY6Q\nV0KM\n-----END CERTIFICATE-----" + }, + "sourceType": "CERTIFICATE_BUNDLE" + }, + "tags": [ + { + "key": "HIDDEN_DUE_TO_SECURITY_REASONS", + "value": "HIDDEN_DUE_TO_SECURITY_REASONS" + } + ] + }, + "responseElements": { + "trustAnchor": { + "createdAt": 
"2024-08-01T13:56:39.482702201Z", + "enabled": true, + "name": "malicious-rolesanywhere-trust-anchor", + "notificationSettings": [ + { + "channel": "ALL", + "configuredBy": "rolesanywhere.amazonaws.com", + "enabled": true, + "event": "CA_CERTIFICATE_EXPIRY", + "threshold": 45 + }, + { + "channel": "ALL", + "configuredBy": "rolesanywhere.amazonaws.com", + "enabled": true, + "event": "END_ENTITY_CERTIFICATE_EXPIRY", + "threshold": 45 + } + ], + "source": { + "sourceData": { + "x509CertificateData": "-----BEGIN CERTIFICATE-----\nMIIE3zCCAsegAwIBAgIJAOZLUn/n7YvYMA0GCSqGSIb3DQEBCwUAMA0xCzAJBgNV\nBAYTAkVTMB4XDTIyMDcxMDIxMjgxOVoXDTMyMDcwNzIxMjgxOVowDTELMAkGA1UE\nBhMCRVMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDb0ga7LzegYNXV\noBTY7ByNCtgqAEoZVQAEQAxpWzK4wL4V+TKRRGiP9KQSbMsU35dBuxzg2Ih62dwr\nh6S7vYX4eU8YpGcutrWekzAl+G4GwfbHcwJYt9ALrneFUUWEedYA6BTVG0b+cwIL\nOkVJSlB/4bAVFocwafdnFi3CLsIhXF/Yn90mnug+qsXSWPMZmTXaykiO9+AWV/pO\n/JNS2WLPp4EKUT3CGm12TxBMHG0sWG0xopuj4KXTsyJFELDevSo92ldqyCIJFgG8\nwBmbETxx9TlTPEU6hVkG4MLE2ekkEQK8WVLpZvTGFRrauawMhAzfFV9ZcgIsURy7\nv2/FlYL7OedesimPfGD8M1dkm4yK2dVvUf/HyEL1IB1+3NtAOoifZ5jBBJKaybF0\n/W85asZWVg+yKokFhmQRzu4BFnPhsoTwau+WuySYokbWIEzdW8FljWpwiPlvnqy+\nVJVKdZuzWx12yLzK5srQ4Qcb/tQqkooVASM0PH5ts3PYlf5hRgxqKgCR5lXODxoA\n0aylk6+wC2oBLhvufmwObsOMcxMbPv+EQvzYChL1MRLvEPAmATiE64ZLn8IOu9MG\n9GRC6D/NkLy9LdsPWfzx+W1itrWR3ft/uD/HXILAVc54HejbZGsPsLe7qITDNc7n\nD5zM+orgu67zgRaBOm1kPZbr/vHUFQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAYYw\nHQYDVR0OBBYEFJNT8WprixUiturSY9GAHXmAcP/RMA8GA1UdEwEB/wQFMAMBAf8w\nDQYJKoZIhvcNAQELBQADggIBAJ1clg4GzHuMxTmpz+riL2klUZEMpJPvy682c0iH\nNlG0f30cNHdSlnhCnx78h3n1xotSM8zZf6+LepCZWCzho5p3Fep7sDumQ+chgdIp\nNApgcGX7tpx+TVjrrwkpxioMSfVFHJ7RMSewumnOXw4NsUQmGJdku8FUR7BWRRiY\nfk0MoQ9nuwjt+RcSz/IKdFTzjI70nPikjSSd0L/ovWk5aXgLcnZpgzv6r4HbafJU\n7dEnP+paZugEUts+SNXr3vkSuiLod7iiOcmQFvtRDFUAn4QonoN/6lDDOGLYsy0J\nrv9GI+Y5VYt6JRGNJq/yCBV1KhhjaWll0kl/UNxIr+hBQ5Vul9SiR3jbbNlRh1PE\nMPEAzhcqG8i3oZwwl62pjqPja+EvSuoPHf0tJ1rmjWmBt3irShSnuFN69+E4h20d\n2cHVyF4GqF2VdNPY
a0lh0cSIsNCJJ5+eyXRHKPcUCKI7pDYdbKZt+8ILlZC5PsSK\nC0XsWIzqSG69Uqkm8c0P07NPmcAnGC3O92uhOrb4ytC2KyHVrNa+Bs6VYlYr3ayq\n5AVfJZGuSxldlyM0N/peEKqz9vok4FoBxxSZGDi9ZDIMjLTpypHOMXi0d8YcClFO\nlmRijJoUF95T+svxE60fdndPlleDKC8OnxvcIbS4OSK0ZqK1SFgTNaIgOniUSY6Q\nV0KM\n-----END CERTIFICATE-----\n" + }, + "sourceType": "CERTIFICATE_BUNDLE" + }, + "trustAnchorArn": "arn:aws:rolesanywhere:cn-northsouth-3r:791182566784:trust-anchor/4d07f6a0-1c50-44d3-951b-b68b783daa0a", + "trustAnchorId": "4d07f6a0-1c50-44d3-951b-b68b783daa0a", + "updatedAt": "2024-08-01T13:56:39.482702201Z" + } + }, + "sourceIPAddress": "221.252.237.0", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "rolesanywhere.cn-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_e2e652c1-ed4b-4402-b3b0-136ef4c9ace7", + "userIdentity": { + "accessKeyId": "AKIA3SBEM4QSKES6Z5F9", + "accountId": "791182566784", + "arn": "arn:aws:iam::791182566784:user/christophe", + "principalId": "AIDADMWJD73A3SNMRPEY", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-northsouth-3r", + "eventCategory": "Management", + "eventID": "aebbe7b5-7cfb-4b00-a30c-48078fedffd8", + "eventName": "CreateProfile", + "eventSource": "rolesanywhere.amazonaws.com", + "eventTime": "2024-08-01T13:56:39Z", + "eventType": "AwsApiCall", + "eventVersion": "1.10", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "791182566784", + "requestID": "4f6be2aa-b5b3-4f95-bad6-5751f3904fbf", + "requestParameters": { + "durationSeconds": 3600, + "enabled": true, + "name": "malicious-rolesanywhere-profile", + "roleArns": [ + "arn:aws:iam::791182566784:role/stratus-red-team-trust-anchor-role" + ], + "tags": [ + { + "key": "HIDDEN_DUE_TO_SECURITY_REASONS", + "value": "HIDDEN_DUE_TO_SECURITY_REASONS" + } + ] + }, + "responseElements": { + "profile": { + "acceptRoleSessionName": false, + "attributeMappings": [ + { + "certificateField": "x509Issuer", + 
"mappingRules": [ + { + "specifier": "*" + } + ] + }, + { + "certificateField": "x509SAN", + "mappingRules": [ + { + "specifier": "DNS" + }, + { + "specifier": "URI" + }, + { + "specifier": "Name/*" + } + ] + }, + { + "certificateField": "x509Subject", + "mappingRules": [ + { + "specifier": "*" + } + ] + } + ], + "createdAt": "2024-08-01T13:56:39.832628281Z", + "createdBy": "arn:aws:iam::791182566784:user/christophe", + "durationSeconds": 3600, + "enabled": true, + "name": "malicious-rolesanywhere-profile", + "profileArn": "arn:aws:rolesanywhere:cn-northsouth-3r:791182566784:profile/910042eb-8463-427d-8095-6fd60ac303d9", + "profileId": "910042eb-8463-427d-8095-6fd60ac303d9", + "roleArns": [ + "arn:aws:iam::791182566784:role/stratus-red-team-trust-anchor-role" + ], + "updatedAt": "2024-08-01T13:56:39.832628281Z" + } + }, + "sourceIPAddress": "221.252.237.0", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "rolesanywhere.cn-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_e2e652c1-ed4b-4402-b3b0-136ef4c9ace7", + "userIdentity": { + "accessKeyId": "AKIA3SBEM4QSKES6Z5F9", + "accountId": "791182566784", + "arn": "arn:aws:iam::791182566784:user/christophe", + "principalId": "AIDADMWJD73A3SNMRPEY", + "type": "IAMUser", + "userName": "christophe" + } + } + ] + ``` + +[^1]: These logs have been gathered from a real detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using [LogLicker](https://github.com/Permiso-io-tools/LogLicker). diff --git a/docs/attack-techniques/azure/azure.execution.vm-custom-script-extension.md b/docs/attack-techniques/azure/azure.execution.vm-custom-script-extension.md index 1cbd88c5f..40044edf5 100755 --- a/docs/attack-techniques/azure/azure.execution.vm-custom-script-extension.md +++ b/docs/attack-techniques/azure/azure.execution.vm-custom-script-extension.md 
@@ -23,7 +23,6 @@ References:
 - https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows
 - https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-2/
-- https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/
 Warm-up:
diff --git a/docs/attack-techniques/azure/azure.execution.vm-run-command.md b/docs/attack-techniques/azure/azure.execution.vm-run-command.md
index dc87a6066..d52ecd74c 100755
--- a/docs/attack-techniques/azure/azure.execution.vm-run-command.md
+++ b/docs/attack-techniques/azure/azure.execution.vm-run-command.md
@@ -28,7 +28,6 @@ References:
 - https://docs.microsoft.com/en-us/azure/virtual-machines/linux/run-command
 - https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-1/
 - https://go.crowdstrike.com/rs/281-OBQ-266/images/report-crowdstrike-2023-threat-hunting-report.pdf (page 34)
-- https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/
 Warm-up:
diff --git a/docs/attack-techniques/kubernetes/k8s.persistence.create-admin-clusterrole.md b/docs/attack-techniques/kubernetes/k8s.persistence.create-admin-clusterrole.md
index 8672d001e..316bb5ab2 100755
--- a/docs/attack-techniques/kubernetes/k8s.persistence.create-admin-clusterrole.md
+++ b/docs/attack-techniques/kubernetes/k8s.persistence.create-admin-clusterrole.md
@@ -34,4 +34,4 @@ Creates a Service Account bound to a cluster administrator role.
 ```bash title="Detonate with Stratus Red Team"
 stratus detonate k8s.persistence.create-admin-clusterrole
-```
\ No newline at end of file
+```
diff --git a/docs/attack-techniques/kubernetes/k8s.privilege-escalation.hostpath-volume.md b/docs/attack-techniques/kubernetes/k8s.privilege-escalation.hostpath-volume.md
index 57cb2bac3..f91dce02c 100755
--- a/docs/attack-techniques/kubernetes/k8s.privilege-escalation.hostpath-volume.md
+++ b/docs/attack-techniques/kubernetes/k8s.privilege-escalation.hostpath-volume.md
@@ -38,4 +38,4 @@ References:
 ```bash title="Detonate with Stratus Red Team"
 stratus detonate k8s.privilege-escalation.hostpath-volume
-```
\ No newline at end of file
+```
diff --git a/docs/css/extra.css b/docs/css/extra.css
index 63c10bdff..e42371c9d 100644
--- a/docs/css/extra.css
+++ b/docs/css/extra.css
@@ -18,4 +18,15 @@
 font-weight: bold;
 opacity: 1;
 color: white;
+}
+
+.beta-badge {
+ background-color: #ff9800;
+ color: white;
+ padding: 0.2em 0.5em;
+ font-size: 0.8em;
+ border-radius: 3px;
+ vertical-align: middle;
+ margin-left: 0.5em;
+ font-weight: bold;
 }
\ No newline at end of file
diff --git a/docs/detonation-logs/aws.credential-access.ec2-get-password-data.json b/docs/detonation-logs/aws.credential-access.ec2-get-password-data.json
new file mode 100644
index 000000000..5b71706ca
--- /dev/null
+++ b/docs/detonation-logs/aws.credential-access.ec2-get-password-data.json
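Review bot: docs/css/extra.css still ends without a trailing newline after this hunk — the closing `}` of the new `.beta-badge` rule keeps its `\ No newline at end of file` marker — while the same commit adds the missing final newline to the two Kubernetes technique pages. Adding the newline here as well keeps the file consistent with those fixes and stops the next edit to this file from producing a spurious diff on the closing brace. The `.beta-badge` declarations themselves look fine and need no change.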
@@ -0,0 +1,1582 @@ +[ + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::751353041310:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:751353041310:instance/* because no identity-based policy allows the ec2:GetPasswordData action. Encoded authorization failure message: fqhg8CzmasrUP43_LGsSmLVAAoKKY1CzQD3yqWpWiuZGOcVf2lhbhrrgsH8zy44fLcyyL6AsNcXA2GMJ3dl_2A8-mR5qE3oPDbM8k51n_qGm4fs4CdzuYK01dKPn4abyT2RXgAphwvURW0X-7R1OFTrWQnRH_W-pWiKQMJ756fS410A5yi504958O5VwFgOoxzBqwSFmvPt5WRVqBpuxTA_CXq5ogP2bjZzdHV8g_FnbHOARLP282lJjyBlNgP09SyB40bDDBxwDhYm_57waaVMA1Ww-_SlUt02HzVBZp7t7ta8udTCpZsoNuZyhUPmgli8z1pwkKVbsVe1cEhokOPPDm3p5ymcSZ4o5mwtEk18p46uE1SHVZSUv23Pjv68qZe0Sj_-rLKzqTi4Mhje-h5a7zRf8i3P-LGTGJHUxH4y5C2e659kdVhTaUJv8maLCMDiL7cUX2Px3xCyiWvtAnA_NIpmXEboFADuVzUsVVl-sTdCTT1rZn_-ts_xbdrqSmzvGKsDiTB1vJF3UwFjRuSRVSPD0g_U_rkZfqy0j-JEUU3DEIsh4SIWsrgDNuPzv0KQ", + "eventCategory": "Management", + "eventID": "450230d4-b39e-4a18-a6a0-d07a6e2105cb", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:21Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "b20c2df5-71d5-441e-84c8-b424f1c78ffb", + "requestParameters": { + "instanceId": "i-i2jnm5swa59p4fxg" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": "ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": 
"arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + "userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. 
Encoded authorization failure message: vI3cDVgKJvmlMzN8rT24DeQOh9di8wn6vWRhl7MKZYEHwshGC7bY0RXqvxRIFTQNaddFRU7snsmuRbDWCJhQ5b_E7tu5T614NYSVWVA-voW06n-BOfulZtczb3PyUhqbGpg9vjiiY-OrpAWZ6F025pam2NYdRGvNYxLxrRIJcc-Pgy6AOKrgqoBuIYS9KWg1xhnVaU_MwL79F31AiLn_2xPKnBmuxw0Gbf66kSPQi4HBkBT7hpsCLz9iyrVLOOGUV8yKQM95ZzvoGL0hxfMCiLL1PxQAkAECTuhYIMseN7dDrkwqyy5CUjQmKCmKxJvwskEp5WZogiQjtkk44pe-ODMesOjJx5jGfWhpbpXS505jUD5noJpQtzF3HTuCecAdsUezzqJMy7xfgKfZwM_0S5vxuP71ZdLGUIyI8dXT8yyGvVdennbqgGnmSlgR5236yhxAsYtX7mRP5-pNjVGsPvz0YOA0MYzyQHTAmHFqsMK3efkeySF4DqsrvFp8E-_4zQuOy8xcsl2Lt0EXibfAqUOwRxh1n0TZ5hJ3_KgirWcFGhfAEDlgK_btXALP9uWvgAA", + "eventCategory": "Management", + "eventID": "560bcc37-36b9-43f4-8447-2bab2d7cd7cf", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:21Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "b25e0f2a-0a98-4b8f-8893-fce249e28a83", + "requestParameters": { + "instanceId": "i-aq9pmsueolxr81r5" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": "ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + 
"userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. Encoded authorization failure message: MvyJ8E7JRlJ8qrNOLCxvOgNHlEoVtWB6q7tZDACABTX_jUO8rHfwdhptvxZXjjrECMntJyC781EvTNGomFMVEsi7X7m3WYsdVSCTV3_b6vvnO73HHYOPDJA67Uu860JC_nvDqubgE8tVYaEQfIv2tkoLOa_giq3CnHTnT8OTem2osy1fvZ9ZoqtOm8L_yt0o_Xa4gm1q4uhq_9OjanBPHK1Vi1EKlOSAu6MMD6_QHoby_vZMs8zBqXHZMMZKh7ENCR-RVW-nutH3WyZ9kUyKK9ZoLCD4RKh7OR9xuvs6b5p-SvvIhC9W4SYFhSUcbqXr32IDoY0T6IaaYY_I-ZBxJJv8sDWP4FFx-Zgnj6jkJwbpJL3zrDF5t1uYx_-d7dl7fXztnlaSFchdmdBtu2gWlakT8vwWFKIAWFlP9EzDVsooEN8jBT9CT7XasorGDrjMkoXUL74wSQ8bsbZuXazBBT3xK2cfXoCZQ_YYW1ITOif_RAHKzn78evQrg917qNktjM09reyr9xYP34rMbKlabtbZwx0KKP8xtSU_teXhTMRQ5UydA9NQMCCGvrjd2-TWdaM", + "eventCategory": "Management", + "eventID": "76a3f52e-5c4c-4a62-818d-a2bc8bddc2e6", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:21Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "f48594da-0a0d-4e9c-a641-0f9dd4fec8fc", + "requestParameters": { + "instanceId": "i-x7jwh6qy39glvq1r" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": 
"ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + "userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. 
Encoded authorization failure message: ex0NeuPRe8xwBXWSB-bMPAP_IMRYGNBpDD0SaeD3RV2Y-0w39P_2oAFjmi-r8BNT69RYOJ-hza1FZen-cwGssTUW5prEYz1Nf1c1nmupsXlbIS9oGexXcLlk0eftjhtp1oW5mxnhE0QYe_1VvGLde6mv5FsTKvO8_kcW0HuKi47kTgBB1RlLnjXrBQ9D6bUqmpyJzPv-9R651JtTJ0dggDS7lEN0vagJI1y7MdhgUnr63ZFDwwNN9tHzZS_jzC232IH5Nh-4AFSvPYYcHP75ahrQBARAriMWycPyvQZypwEwR5IeM9pDwnVPbhQZnk07KV67c-B5Y_VIv0rmaSpCsf0HEwW5kCP1QV6CZIpnCTku1Ghwt-nCouj_Yv62oJg3j8xTBMgivye_UC_mv2zDF9vCcsWQ7F2-uit-rbKyzIKC72UBP5DAchNYeHhBShD9heqssLqgNrpO_1nTzA_bUdxWiVCI20QRazEobNiVm9vbdDB_LD9mLpvfQsT8k8qWT1_E7yaR9_1ZVcW13BZ2zDD66YBIIiKD3bVixCibVF1VuktZcM0DMHYquWHyJyqN_o5L", + "eventCategory": "Management", + "eventID": "0c7f6148-c337-4e49-8df5-cb333c6fb7d6", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:20Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "4fa792f1-a997-4739-a79c-215983a2cce7", + "requestParameters": { + "instanceId": "i-vgu76uxucxlpp04e" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": "ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + 
"userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. Encoded authorization failure message: sy7SXIS8cR0ggyin7T9E00rq0UiBYf3eugsTZ-Ogk79Vr7gPWzUxv5S1-6UGbgDluSzgK5qh5bj2VmJiWaAwIlMfWlkTKGSQkcf5gz5wOK7xVi-QjG_ZZMg6JlpeQlf42ElPwTHSlsjHU7OIRcFmIpSy15svaRMouoxwxKfdDF7FtruzOBMlbwFSS9EjcO9BS_SHVSsJte6TxSYwyrR4tNVke6T_P4rBeL7ztd7h_W5CInqYvgQV8ivmmB3ZCKHmui3eS5NaWAlVPYiPUIv5h2VUjqzEt3HsSHpjdQQuXOoSy3lQuqGNgSBwMuemwkT1hcpmSyUWkdKbIuVMHGKvPx5fh5SBkcIUEn4Zijtlo6qWX9q_A739rbuQs9Tek1i1N5xO5f0ab_sepQdNEQZexx8lT8H8lOwjPZNrcUuppHp2o3sbVJgMn-75snd68YVWP3u0-QuNiQ-TyBYuu-RCVOct_7dOhDEwIixzMKgX-xbSm0AMICAT5saVXRwwrL1PB63t2nq52lWHstgzS5hapqr8GBhT6VHgjiPgadckQde1p8cN476Y_3nt4vbjTlixyHQ", + "eventCategory": "Management", + "eventID": "4bf1ca5d-42ba-4e95-a493-9cdeefb58b87", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:20Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "8efcec3b-8c76-4b8b-acc4-884b7040aa69", + "requestParameters": { + "instanceId": "i-ozzfav7qglzosg49" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": 
"ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + "userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. 
Encoded authorization failure message: w4BeNvjyqgZy54yIPW-Fi1znuurlnMJBtXRoh5NdfY7bT8fFvjHYaLQ6EUXTTjnEMB4Gv5bwqpgFzM5lzvWFweErUq6l2N5nvU_e2hVJgAhQyDII36qsr2Jj_XeFX6UoQb3pimMn6T4q4oDxP7FtsIt8uIrAVxc5ECs_3JbDgshdjVHf0yz0VgZprSF-2bbppKqgD_B1BkIEe587cUlDyrH6XszhIww2-k6Jj82FrDBowlBEJwREI9VnJdFWFO5y1NInklHF_bBFkyat2Nr5aXpwDUMEPY6dY5Ggv2I2ggujHKbtkXRF4AbxCN1SfyX3jLS98ewC3mZaVymcADN1KRghMytqsxMfjAeOOi0OzUrLZl5YcWCN9cH1Sca2KU5ZISpwGQSETyCD--KM5_J8mHQS_ijmTXUXxCpdjgUZRo3dn4Krll1H18IlRMtovF5KqR4HpPL4bVX1l6LL8e2gs3x_NtQys8aWA1aybnT6dWP12eb7P_j6YKziDMfp6zx1smQjHlPwxRg3I7w84EcpCXdNIpqVSxOo-PrmpH5u_0rfkHXEzjfYX5vbJ-dt8BeDOfA", + "eventCategory": "Management", + "eventID": "7466f497-7987-44d9-aeb1-5034d02c9f87", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:20Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "9da09dec-5398-47cf-a763-ebab997f543f", + "requestParameters": { + "instanceId": "i-t3wz01wvchd1i3ji" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": "ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + 
"userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. Encoded authorization failure message: D8EVYsR5r16Iqx5IHuCEN7fghFzk7W_8XbwrZzPIH0vwpygIn9k9LSeOsmINlF6dZU9r9rWXxbpxmmnwr39FJS7UAyqkNvN-nMQc-ySOHrTZobFllAx1vwRNnYVUwu_AMKV6ov2s-969CBXV4OImXntzJmBLx_lsvb27jey_rQLzS-1H8hpXoQl2lKsBr4NZNk7xUEpPs_5a6V-ZkPBA_UoTXn6xIBmjC5y_gNwvWeP-OpTa6hmG-XKsPGrr5zP-b07P0gkc6k9ykR7e2MTQ40zqwfSwmXAkLjL8mR5HeGoP9DSkgcfYhlb4sK7-97tSBlMcZhYd9KEMRkQqK_N1BHS6lMGO0eikQKAyjVaQvld_05HXsIE5R0813DC8PhFZK1GxFMh96h_nY8c3Bl_IXs1DraSgo2EPF5sx7HnY6alpk_3_1frHmTIaVSuHdDKPkQ2_5pkkdCV_nQgjU9tKhFYIfL1fETZL21uNtlKLSE1UBQlbw6b5LSpy5tROI5Kfq-0Da6ynh_Aqvmbdxi-oCVaf2T1SW_G6DFjUWU0xDXSa2PbKTwIxFUJlVebyoF2zE1M", + "eventCategory": "Management", + "eventID": "8d006dac-fa19-4599-a336-d3a230b535f6", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:20Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "1cfed956-fcee-4f9c-bb7d-b1d512e97044", + "requestParameters": { + "instanceId": "i-ny0ek1fbv2k4irgb" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": 
"ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + "userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. 
Encoded authorization failure message: TVZFjm-mt3TE7psRWv4wzimRYmROaE6RK6a-blk1M1QXc5J1ZqaOWP4_UilTumdJ8Uni_NqKwfRUhKpwB4zcMHYAZmYsDx9D0jaMwKBsbWQPmSLn7nh3MVpsN-pmsT4cp2LC3lUc_ql7wqWDeipnbHH2UCZxBhlun8Otv4vpF5YrkraD-M9_AROMNwYMfMbe4mfamHx7kk1Qa2rjEqGuyALHTp726hJAMv00n3Wng4K1eUJLgGITGVh592lKycF8NUD5Sty5-ELzaql25MKFIcYypw91I3rI1_uhf7KGbtGPl5mXu_ukfa7gAUZjaFmJT0AfpCjVgjsji5oM0QWqqqJvbBdTwz48kAc86JSKl-A2w--D0xaEhqRe23mGGvdPemXB4PHggmhaueeVEPL5bV74aDc9fHQhGG2NiCOa3QZPR3QPg69ddwFVyThf3tjLIoZ_e4T7OWlGBZjU8BkQ5rPdwPbrvwpsNJjcUzP7OLaxnviUFUhRSBwhZqiI035mI1kqtE0vxzbXNwS9j5RIfjv92BrvSFwNMZb8agK1Q3siL3wadOqNGYOkgyLkVk40kRdy", + "eventCategory": "Management", + "eventID": "b1f34826-4e8b-4527-b17a-ef9cb24ac379", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:20Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "195c9d73-fd82-4ec4-a72c-2ead0602b322", + "requestParameters": { + "instanceId": "i-p9e9ocan02xrzude" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": "ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + 
"userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. Encoded authorization failure message: 4DDnYxe39i3VZP2qCvPfBcHUBBBMcdYYSyzhljgHjyGL6996txALAExpdhvWyVLfDOat8FRPllNzoixRpTCZWRlo35Dg_FnqfL1IF29WP49Wy1973IXWcqE4uXpt_F3IF8GsCnoKQns0KAyo9fLObSFnt67AwSxAgzsi6McdREq8cIg0mdIjCK2nhBc6v1VKCHuLau_QUzLh5qI5BgRDHK6FSggymuCyI3uUsNnwRfR6VT4RCN5EoT5-_aedTBlLwe81MCo3azLKWwsv6JtQpL5jfxoy-4Txygq7KNPMLxX7_HHkLPYhWy5x4CKZK-ZXqu9biSwcUJrkNIpCqUmgLV1rDtKoaePONy5Xo-TunhCkN8s796aU3ij815Hsv0OVXk62NWdg_pcnnIfon-YWM5empS0xLUqyBeHEawYAKPO3grDGlMxVfovIV-uFpmR9KdOsW3D5HAkq4FNi_2DGF6IYSY-VRxYxv40P9TBovXH7BTAniJNA1A6ilwzseqiBdtKmHc_2EoOkBTrQtIufDmd9PyE0aP2vCfVOz0pemh2ZPshJjf_8l5tHYwGBlJgpumo", + "eventCategory": "Management", + "eventID": "eec493d8-1181-4ed7-9d29-1de1e87ee98b", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:20Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "c029fc7d-b85b-42ff-8351-31aaf6c1225e", + "requestParameters": { + "instanceId": "i-yjhbbydwe3p29swd" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": 
"ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + "userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. 
Encoded authorization failure message: JJqi-rC3zfBkVioszXW11DKpcL755AUVY2OJmrbbbxxXyAa3BGd_pEfBQfxB7eAHuDH7CPVmOf4EG1MkQKk06tnOefWSBDhlNi3BYpuA8-6jWQsKOhwShJKF6ZNVSQ6ivlccg3o7A5IShFiKJVQYGTQZ1Rc-PA8hPANFEsT5Gl2Ag1jPol68k8oO_8E4_cHKqQjvZTZJEoMF2tZwAXfrjU-EX2IY-Y9l-ONimiyuPnxchC8HSYViBz4POEKN0gZhid89D3IWLo2k70BQDl6j2L2zIr6yMVsj2v-Wc8saEaiExv7QK4NkT1l2MEEDKANkwVWarRlYlI3ku7f1H8yTqMXf9WPcZ7DfcPXoR9ich6AFDVD8J39S6kgSc9P6cq_V2yssXqcSJxwQqBkbUrPRDMlpj0VgA9qU-Sx81uWiQQTJeK4X9wYHi2RfV6AkHCeIOi5viQVR4xNGVird74cvtcBu1SzMccOkyD0HCBZ9CcnyQ7BohNuzNC17wm0AekIdxH0pZAM3Rb2OAdzXK9zE37qc-Z2F8tGPGsCNJVwP2LSQetbu6tfhJBcQpfFi3WD9Wq8", + "eventCategory": "Management", + "eventID": "45b5d41d-4732-49d2-aa3b-8b87a1c4d8e1", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:19Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "efb7d185-ec2d-431e-b845-52b0ec9f4bc4", + "requestParameters": { + "instanceId": "i-xjos2kzunblws25p" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": "ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + 
"userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. Encoded authorization failure message: Fy68QK4IDJ5WWq9w6ufOr8E_KHl6yFBFh7qzkE1p4XKkMGsrvTtGPoFbKsz07ZU4sEXIqlr1_TYeFkwdclvyYKs4beqAEnihMn5cbQHdDT6peeTZvDoRvdlJ4K4MAJFsNujyWcC5DMyiCOBwWnn-I2iFxQuRcu6GovxT-uaFg4Sf25imlhuFrUxZzBxBP17gEwNx-64eP-_67QBBcrkJfxs54PTZSqkbAFB-jbJ0UqRE2wCYuVHRvWKlOX6amkuxdKOcGlHx3XJku8BccJZNBkGNBTIvkc3lMysOCeB5HfJDwfIUIuLwCk1hB3tm8NiWmtNnY6NcSGDZi1htncI4dzNGZHfPEHhJBXBzUCJcCfpeKPUNB4MATcztCL_jwfqP24GTqjNsbPsusrVOoBjYoCglljWwr8k2ltTj-bDR-tbLjRm-wkTF_25Gg8v_FvHEvE9inR43IEPtRdw6ULlwVIE-qLaYXhqPJmPrBQyhVCQLsUcIsMlqd6v9NVjIJxXRvmR5KcLJctOTykYZXOwF7Vl4fGNJT9eR11nzkVTxfTZaPwv--34eB6rZoJqJEG4IbyDJ", + "eventCategory": "Management", + "eventID": "c07943fa-79ed-4f9a-9bde-b0eefcece09a", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:19Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "8408971c-2a61-40da-8455-3b5cb32e3b6d", + "requestParameters": { + "instanceId": "i-gjzajayb7tgntj7f" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": 
"ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + "userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. 
Encoded authorization failure message: HU9P8R2PArR2Z01od-GTeTwJ9fw_N8JCXcNkhA6psJfqSID4sa98rv3UapLRUBuHqmpY_xlLKyLSAx53FDmHmFpcVxr8_7U9ZF0cpa4BNP4o90TZx1aI0rRYJU_zZ0NapeIHGfdZwFFnCV00oJk962hfwW-ufpsJ6ZNBczV-5UD_8yyMUlPA4R5K7v9Wz21OZxLZwrKEgdj5XXdHpbpojqpCl_dgEyhGa8Jddoz8dj1cZcuAmv8BNizrUE3ro7A6wU2NSxVT0o8J105EVaWz6IXuucVfDHhK4uApI7OSTMmJkT6D5K1Vxnbgk57-Qk7HOPOBbIXQhqt7Rc4-d37Bour4o71o72KFl2KYKNdQP2qWtK9uAHk8zaxW2vhjwtG4P9mLH_UEkjmZgVlqTxbyCrY7ErAxJ0Qv37oYOQ0sZO_02fY9haXSXMedpzIbw_EUdSsxw9bPRSQcoeplA6CidjS366eiouQJOOB-iHhut2_70izsKLl0-uSpJO-MKWE9mwYGgVphX9UlhpBUVTrcWBUv3Rx8HE7IfO53Pki4WIsEtKS8wVJ25erdcnWSYMenJj4", + "eventCategory": "Management", + "eventID": "cf7fcd24-2c91-4836-b460-d01f837d5db4", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:19Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "8c5edf57-8692-4d9c-95b2-fae37791fd31", + "requestParameters": { + "instanceId": "i-awmjjnq5sr691kgp" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": "ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + 
"userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. Encoded authorization failure message: glknbRaK-8bXUVYKsSXr-q5ysgD55hn_KTwTFbjiPl-hGg2ErcgTWmFFDaGHOT23Qbn2I2Cwz07cgPqRLkJsh1mM3TAlZ1yIdjjeuv9cT1eX6tMqem1qrm8qRbWxi97j9KBGu2yHsXm7yHi19qM_ddWyutsm-NXqG2e13FsP8KxPrtQkxXQi4bvZ30HHpv4hqS6-06bUEbTJFbU9-PBuCowkQDXJs7EPuR5YhlXBWqoahCNXc6V_bOKz6rR1sJOD0nZvbIqPompZur2cyAItV0kfQl4SH6rzvkk2T2jVnDz5NU-xnvUJzN3nnsc3LXjOUsBfHu4_JQPfonyRqewfQ06vhnU3gzS_0TkT_VbEq-1PBmtTRXFGEQ9nPDMQuserPuhSn8P8o5dj9uwBaLR-hZPqN64-R1mUyWuQUh3RtkwI5MqEQFu-KSmZn3TDovoqZu9uayFJaMUzdyzVqpAyB5eg9ycClfZFgYchEACGkISXj1k5iyWUWr8lnVrPhXv5I3ERGvOP4gQl2VQS0SZx30DT5ReGWKxWwsElmxJeeyu7ZjsN0W-bNPJ9gBf23hRTrzM6", + "eventCategory": "Management", + "eventID": "ec79b60b-6bc0-4a75-bf79-45a42db477df", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:19Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "9ab8de47-15e2-4e13-9a14-8eab5c92b916", + "requestParameters": { + "instanceId": "i-nzv1jjfn03nnujti" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": 
"ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + "userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. 
Encoded authorization failure message: gEXNHHFUYw8y_MNHkGP-98XPXSVvkMEu28ZFGcP89GKZ1im05s9P4sCpRKtajVvAJzfILfA2xEmN6aR06VV6qdmstPr95kfAhvHsY0yeIjJHz1pXj_ZNO0Q9SiV-ZaAcjH9LK5Pl8muiUU2j5onTFYWbDW1IqS-myHOBQFcs3jUEvCxbdnSHwxmeVLSrHkZEbg8cWkelKkcyJokNcad7MWVbmfJNeHLaizgZfyF69MLAnHTAlC0VaxNd8m7UbkZYydMATTAMNdrvUxRhZ0LOq8yecg47kGfUUM8K-uZk0qzunzC9IZ1EGHHAQjtI9VEf9HskSA6ibh8j4BhfBguxnf6USGHIq7R9Igt5bmZ1fq-COIzGblYOecicHfilaPeEevmzbT7vcW-3dgRPK-zr04-H_0o7wyGU34mZlmfV823uG4oM0nB4JuPNd7Shflry7deP_3nvj-Aqy73d7GPicewhRVEKYDeFao0c5EevJemsepKqc6GDe-Tc6GKL5UBG8payl624Eq4NGHZa4lKuMC4t1Y3dHs1bsxu5QU2jLeVXArdLBstATsRblT-CXKDw_Is", + "eventCategory": "Management", + "eventID": "f2d94374-18b0-4479-8585-d24f7a58e3de", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:19Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "fec853a7-4df0-4410-8d1b-d86e0cf20bd8", + "requestParameters": { + "instanceId": "i-gz7w6xbdutwhlvb2" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": "ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + 
"userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. Encoded authorization failure message: nKaaIO7OhRx8_gh9WeWoXY6JtQq4rPq82-RZz4uYdRG1pdkeJx75OQ_4cv9JyQYlF4vgjg1TeP6vSXcI14XZYu1DA0hgqnYqyqKFFPCQglgRqfKLTphNoCprin_-yalFcBYAhOyfy7thU8TNTKX26Eg1D9JRE8kpcomB9ov9PUQS1v_doljaouQaQXBrlh8YD5cWbHXlkf0Ahi1axtD4qCsz9stzfYLtxwr-KWXKPgwQA36-8j-vzgFUAFCvDMSOS_7IRUh662UyfPDRnuJeigPHeHdNSvdr9F9TH-Cht9GaFF_kFBKWkr-RkL0DYAOFKw2_T1g24bk_j7JYINyHIhS5MDihvlmKaAHH0Yoz_nrOI4gbdL60CH9Bhw8E-7t7cI7_Jqplqey3rTvzxMNVdpxtk3aku0as4ZAEM_LPElxfs8ZZmfY3-NuanGt0MFcPYxDmbaNFRhOk3-m0esaVTf8OsHCbeXE2erqZUWrgh3-96jx6t9hSQwdRsaqvzImXiX87EjO0-zKxmZlT98xRprqw_Lr-hdC3IEVh6wY8YFYjFOh5I4RcTO-bRkxZgH1Qfvw", + "eventCategory": "Management", + "eventID": "396d8a62-46e7-472f-b046-5c41a75ae61b", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:18Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "d4fb9e08-37ef-4cc0-9d01-0dc7c694e554", + "requestParameters": { + "instanceId": "i-bf83vbyeoo24svtd" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": 
"ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + "userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. 
Encoded authorization failure message: nH73aM11PlKi-yyEWJlllJTikqqhwda0HamvlmHPY53dt3gaTJVbwGB1zVfdkb7oqY9N_9d-v9oqHixcCcMcOYBwBQBnJ-rVW4FxsjBI0pPSVYoTYOagpkUT7ceRLKyXWDgR70ylwVOyaKu7AJsCvSy_A2_bi2W8BirGWL3H7-Nyeu3LaKK9lL6olrz6qla9_veiB75Cc516dE-gsAKNm4jd_N1pC-WCMApGlCIYsqrv0j2gSKjP2SNlDaINPL35dcSA8syYNt36SwsgYVo3DUPCrad2W1fQ4R8Wim_GPLJwPYueFvttYNWEiPBj7sd_Zb5yLvPKRCtrxu-eYbYue1BWthbbxVoKfecgieELohPNj0MtdEjKY1kAyMnrho2QyOjdGpuX4C4gTeCytuDrunH5bDRKRtlAGPhRCsIfGFsrq-fTS_FhgDXjMc04NcJr4AZ9j6yGf4u6vMosWFi6Wg70n-W0AluNUBNHVcnXO4mvG09tBNLOmx66LwCs90A5_G2ll6_Py2vP3pXoVXUdG4rpJJhMwmVH7FYE2fA0fgV7Gr-f_yjzL-CiMiB3UNWlv2oX", + "eventCategory": "Management", + "eventID": "71ce0541-113b-4b74-bbc7-5ef364318787", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:18Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "12c55ab8-8de3-4d11-9cb5-771de13610b0", + "requestParameters": { + "instanceId": "i-qsdkik5t0ihwxj43" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": "ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + 
"userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. Encoded authorization failure message: 1doSO4EeN8VCyyAelPL_ne9oDrtREHT9ciU3ZTtSs1As1v3mEHCVpeUarJxr13AWmsoIt2_yTzT1NE4Ur1yK9S0V-B6omwpgEEnGk2ZPzhrkCqSRA1flcMwIKXKchWoDB4--TAgAfHyUem-MO9IRc4RIJniE-BNY-kK_GOR5BR7y9yTy83SMANMBHFgY_zDY3Qlco5B0jmuXRnhSJXslqpL7KlXdxTLK-j1gOFIrWpZll3E8WQdCw3Sth3Btvxgj98rNDa2vfqGOxIacu5PDLDvvDTD9Dad5ceUN5g5sYwbTZKX4nbRm7UC9kp_hN_heYILrJR68VF2HTGqOl04-T-aygq12V-WB82BR_oXAuZyOrTHoUw8H42WSiYb_VP_Se3xoS6QEGsK165umOB8-ruZXG0J9M4EZgptI7b1krm2VbO5wur3JTjY6m4kiNT0baMvI_2CGhP5hduu06rllFf4Q0hAqqvHC1wsqoEUe0A36xOj9RcKL_rxQ_XR8gnLd_l2-9OCmGk3usYbhZeb1jJboZclzyYXoCCfx-nJvGlICE9OP_sutVFynLyT9QG_-dv8", + "eventCategory": "Management", + "eventID": "8aa69c7f-117d-4010-b7ea-009cd1f4f5de", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:18Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "9f89f20e-ca42-4d5b-afec-fa2da8f55fd3", + "requestParameters": { + "instanceId": "i-jcoba14jc619sc9k" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": 
"ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + "userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. 
Encoded authorization failure message: RKjtBacdHpynSBYD2rFJAJyGRi896ep_wzschdrXXGuhTWwH1op5v_VJ1oUbV33AF8uOXxrkx7rjRJIBPku6lhMASNBInXuS-tBXw9GRd3fB4Yh6u0kxQZP95-RRCNoRGc21BTmVEegMgNPhXMG7gxA1HUJVcjVAwAbMUzBv1VEvYhHPsOm-SDbCR_vlJbJC3dtDLetZuxLoTTrcKhMMU3pazWx_MCTEV5Fn13SJMV13Hmoi_x2JrCUfAVZdO4bDePX_kyk2H9XuBmiQAg-h5Ba3HvkUQP-wBNC9cQ_Ji37Vx8oBQO2SxdqXiLHbx4W3AaI4ag5iDuOURa12a_xoUAUrP7RB2iKgr59mpC6IK8JUtDwRlv5jKYwfQMC3TtvvDtTmL3Ljxoz07_fgCECADIANklTbTKnfByZZ8XWzURr5mGxHAQC2GrDHaoJpt84x-k-9-AGNEVbOFycJJsDOfUSTQQvKIBq2CIos8bKwnZJQCVOYCwgHDqmhXyS8KaQw4OWQleQKMvfp8aZ3Q9gFxlSJbo00UqiAIHWVOUl5xhL0reKKGrL5ve6mBnQAVPY93get", + "eventCategory": "Management", + "eventID": "9fa0f6c4-dafd-46e6-af33-264c70b79add", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:18Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "894f1727-ca4f-4376-8313-51b8e5632526", + "requestParameters": { + "instanceId": "i-yqe6th46jb26scec" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": "ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + 
"userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. Encoded authorization failure message: PYyJbyooe4ak6qMgask39P0gOiQ5cBbfHnbhq03IU21H-MyHGDAfqvf1w1AR8zTvfPeYrt-zWX8A_TTHbJHBMOEBBMVtdxHIVHnIPbOsU36JnpqjT4T1uarOliX6ViEkBvKm9wtPKFj4XK6xv49tdy8WomHqDsukCmOldH5KOIBDFDdLZvvsPotW_GA-HKR-FjVoRi7l7HCHDad5M8ruK1g8a8nUBEIKqbOexvpZiyJF9yO0I05X7nR81yYvKDAN4Y0n_VKUlMyS8nLYTWJh5RCzweie8uT3unJDHS24dvk51sEkrmQvh3Kpw5EADofCBWiTabx6zdoPFd81WpfOayEli1n2FI5zzeROdvIbiNlvyKjVTmcgsXYphfjbgOLeSU6bMF68_SPURL1Ua23ZkwkebQRav40J4rrnFgVWHuZbvAeULyWDEDDx_10jB7leB9Z6yAVlBqL8RNb-xsAKnk5dmvqsCsT5P53m9kC_g4389oV0LUahYu9c9fIkrj_3DJ3mZztALQl7l6fIkT_npQfg-QqfZx--t2sQW1gfIKQPXkxmsdQhdvXWik74wd6t_N4", + "eventCategory": "Management", + "eventID": "b8a37387-6dd5-49a1-b55a-a491a0bb85b0", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:18Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "8fc4e269-7b8e-4123-92a4-0821283c590f", + "requestParameters": { + "instanceId": "i-qivk0oox9ac6grv7" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": 
"ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + "userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. 
Encoded authorization failure message: FvDsnEXWiuIoaTAltof47EUVg-dVIlwI4emrpGlLM9ElSpuAjv-7LPppbkJa9spadx-PCqvteb8TjhsI6AiunSA0tCPufgOiRyIioV_HMK1Bpj5ieQYhUIBJ-xUJx3BlwDu3aGPWRyBJNe0J3aqqaPFm5uIA6OmeQol_Qi_LCbYkcJUbGuWqxg85kE4cP42Ev9_dZW3xvUQgbvEKZGVbeVxQJQTIDChBXifHRxOtUaykG196i6lg6xR396OSGs4mfq-bdxNKYAKssZaOvPOqqf-43f260zDUmI5OohcgrPSfNBrGIeXzMUChBd2fNzIXA8-8InOL1OqD55FB_cDL2rhx3hqdCB1tOhxjUNfZTAAsfOeD3QurNUew8oEUP2LE4x74vtWeSR5JiZMWGFPWxoX9cycXnJ9enLY5JePWDEmkF0toZ0aFzAYha08QhpXD1YEVWu9C8ZkW4aa998ZX6C2nP7GInZtN8CBM4BlSi5NAHYpZGUl_PH7YWlLGq54JOMh-JbQ_FiGms16beBvJqsJyS5CGvYoEEnjtTEYDrqxULD0UhxUN8LsJmYOZxw9FrOI", + "eventCategory": "Management", + "eventID": "c1e66f32-ddf1-4e85-9a5c-9b11b09e2d06", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:18Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "98a10bb3-07db-4576-9edf-73d8d2e37460", + "requestParameters": { + "instanceId": "i-n2d16wuklpqfdsr9" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": "ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + 
"userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. Encoded authorization failure message: aTrFQVq-TlNHs1qYAG80Y-kgjzT_ie6zqlFDxIfbXqvyqCsVEmFK6CieWIHOBEhcMEsDfmEpudkmch0OKIeZHgCYKrzIzp1aoHfAUFeUvUaAbq4SZLlLjeCOpOrFgCLROeGzk2w55VAxsC0JdhAtI-IoWOsE3CjBDJ2oJO8KpFy1nLVpUA1VU_sJ0cJudc2a381zduNnnKJufvt_xr19glMtN__HERdIWJguV9NinCtviEFOa4-Ipzj7Qd6zuQ_rYAEmM9jkAuEdOfl-1fBJ1rouciEwao3Rvpz8mMV3bkzVEb8pTKIn5X5vp57v7Xapb8ZP08UpGeswPz1u5ybB__EgmHcW8JS0Y_iWybVslZTruLarO5JbkIlv9hE7viVbyfvXmnbrnlRQHYuyS3Rt6aYmvdwqqMjd918qvpI1rWeILu2URb5M4dK1vNA-9AxvAUMZSGViaJxncd0rcnDPNNUaSQX8bjetu15TeLS1G0N4fdqD-lcY0Dc_NgjNwYTcg8uXXXLLUKgJ1lKpkeEeSXNImo2X_DYTwCj9xkLPZ2qlckqNeLokUqdWl6sDZpHAyPY", + "eventCategory": "Management", + "eventID": "1078f3f3-e72f-42bd-a0c8-7f321b5fce0b", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:17Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "0bac5486-48ac-4ed5-b3a9-c094ee3a7304", + "requestParameters": { + "instanceId": "i-bykprumj5lnfe4oh" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": 
"ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + "userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. 
Encoded authorization failure message: IgBTWD-QgF4jCm2kuMMIXUGemfMfC7Hd7-UTvXmtYd4amt7MbUaC1FT4ne5XMwGaOq59YgFlane0ICbGs5Fy_zp37XvFqEVbrlu16lxiqVhgghuL6bH2jfBuuqWOGrfFNDbgXSNhZNHhN8pQ4Zhg_bHJi1jcx2XYlnN-BKy2_5vRT68-6xVl-D7MpyCh-J4PeuiyIJDwSWgT3UHzfMapPfMVRUetYSgGeub_sxMswfiR1dxD3PaUgubNNzjiTIeoElqxdELcDE_1V0RC2hKxuq1-kj5hXl4_hEzmuicGynwhkpXpP8W6u8xq-S2v-of5N5uBeTafwaDAtGIFprBp8smR6X3OeyB72nZVeyyaeIlL3uD2WkhX0da21OOGYRDTwbRBazStsugyvY4MnJWu5PCk0q6XHptm6qyL8nuUfZUkp-NQp35CKx9HaBsuLdvFe8dpGIwy5DlUes3T4IqITcZa2tA45xfeGAqo93G0LRZgQ3PMaJvTqW5hgN_6XXvt1_P3B9S6SCVMyR7Gu5mdG6fjbDKtIbWfeFz17Wd0fDSHfoaT1plivwSgZrkgnioCFQ", + "eventCategory": "Management", + "eventID": "735eae92-16e3-469c-b454-4507c47aadcb", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:17Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "b195f9db-6777-41a9-8797-2df84ebb07dc", + "requestParameters": { + "instanceId": "i-dcw41yq2wp8h1d58" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": "ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + 
"userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. Encoded authorization failure message: 3Whk6y4yZdhA0PAEz88EFn9PqfvCo1S8surcpaXE6332jpdvRht6VTm3WWdOCkQ2mUq-zXlY1GimOJW6TJC9SkPtlBUAH5KxOFAQPMymWzNgU606sUYH41P7t63dp_F9_pVVO3gj22FW0qv1ZKHIIayypQ33bHS8lT3FQgqZzy6mntCT6OVSYJ5KiZEMmPiMLv8nVcGPoKHQErgjMcXWtkSuuI4tq2xhQBjdJlWgHDNv1Wn0M1RYy7_WKYkgCsoGlWSb10XMexgwl1dpmhODFZMA-hBbQZC_S9tKE3sTsuIppvqIW_SFY9WLdeI0_GRtjBt9hHNKBFr_V4GmNFapSDSMjt-w_OeWAC4MqmeGR_adqtMSIiamRHXtHfoEK-0M3c_HCIAl14XBPg4pKnCZiCutGk6ak0AVJmjz7iBWtkduRfBy1yk_7iXypjmLkUC2dCGPe3NYIm-hYMrlbqpFnZmyQf54by9MLj_I2h2Rjf0RXoRhFnwURyHtO_D9-jsWNfO-qgq0VKCg1gqFv5NUYfUQKb8CNALzxCCEjQxrgT-nkftGRxBNpLSs7CEwkyqcPg", + "eventCategory": "Management", + "eventID": "73f28e1e-7fe0-40d2-94a4-cf42930e8b0a", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:17Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "de6fa24d-5054-4525-abe3-a210b4993b1a", + "requestParameters": { + "instanceId": "i-okja04dckx6yg2uq" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": 
"ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + "userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. 
Encoded authorization failure message: XsZyApBJAXhkSm43yz8Osvyv013N5Y2d1rnNlbOkkajw43v_w0IpDACr9S1GlpC_FLYISw3CunlllRJn4Q5GZJX-sS88rpWFIWTksDCKwb_a0hpbcNTqERnL18B_VOC-aOfl1QyYqmYDcGKISJl8jp5_uUMV5A-IFYEMGskUfbxpQE1rtIWCrXGPPnhWQn9gHA5eBhZo63LTdhMHKJenjj592AhJ__LaXaxeg-iW5p9V96uP9nTGiVx529QZlVPNWVmL0w6E5Ub2r7IKYQkE3SXYa6bs6IhquB4MAt8JMnO0YaPRnEUxVOdBPa4isE0Bgl1C5-8NQZ3uSPQiu9o-udWYVKbx0xk-jlLz4xXbAUsCZnGAsgFf7WOPg2icEvol6a5a-cAx3OQd_-BAI6rD4OdquHxo5ddPIzGsB8rDfGfrh7h4-JiAxTWVJ7ZlFC7sHcu57SSceE05R7ez9x9weIbeqmVz5TFLYnA6i4jyI0cRAaZYZ4PWG3A_dH6K7caomOrHVcayeV1H88kfma5DprPaMyo-hIAewgXrmSQsIou95sA3P8WLBtUXI4rqUC6vevg", + "eventCategory": "Management", + "eventID": "a8d8ee73-2a80-4d03-ae6c-42e2964a5e43", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:17Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "a14a2932-ca5b-4aaf-89fc-c4d66708fc61", + "requestParameters": { + "instanceId": "i-8hy3natzpp4ef7ri" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": "ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + 
"userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. Encoded authorization failure message: SkMlzz8Ec9AftDBkf302YkfKSCGS5zriIUZMQj4UAaXyX5B74Fg1f2f_IgZ6EdUNcmVr9A9OzxE9WmNikuJyWNRCX5Mjy_HRBg6VrxjWuSoUPBll0nWbIww-1NehYMVHla3eLDBA2KUsuE0KJ0ZAa2Cmy1LsT6kmbQ3PHK0a2INProm2fWi_k33oJXOTapMy5V4eVKIIWsCxWrFHO7o1E72cORK789yeKavJsP86tYGHdzssYRpnNYK-4y_YEphKj3Kc5NeOs2thecEMXiLPyPXJYzlG3hzDmd3vU-sgbC7t3uCPMuw0mdRWvd9QaNKp57dAP1Bl3CH6CEo2iGuftLyCA32dzTpAG1khB_2ct9Yodq28M7j4Cp5hC0q-IDpUol4hUjeoxN7QLFzrn6IpFuvP18PlJY2VyrMS05Mc9-Pv0HW6cen1p3ooH0qHAlvsG5LO1aNX0xacTlHAthoIjziAAXKD2AQBVtbo4rh1ds67tcLvaGZGwhv_uyziy-UYeBU_ENloIGFMmD44m4leqoXQaessC56tbFWmJEseRQtHxuA0rslcPW0l2Y4EHQ0Hdg", + "eventCategory": "Management", + "eventID": "afcc764e-2db4-4fe2-aa74-85d01843d7ca", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:17Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "36fd0bf3-e2b7-43af-bec6-dd9df405c462", + "requestParameters": { + "instanceId": "i-ymn0oq6iadzm0v0t" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": 
"ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + "userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. 
Encoded authorization failure message: l58oQoHuiZkxwnQ_NKmt61fv2TTDkDEIIZRKFdxXk1cbyA_Mz38ZetF794KYJVPv9zh-UC3ZtvX1WJJnAKIZXfjA9Cy1i8lSj7zHv03E2MQ6w6I16hErXuvfbNCOIGWskZ2_H_-p16hqtPGz38n9ZU9BTXPUScqUcA9u2vi4aHfOyqBJTl85vPXl0PNX0rSCNea01NDzwQrdxme2UyAiuFEa4CZceqFpahDKOA5S3tZm2OzBJaZdeBYTgUwlcJYmM6iEXiC6ZGJsi3IV-rcg3WGMFogLXp_tQTlfMcjiPqO9v-LGyypMT3aVCWfzVTnJrDk-7-S7ue7zuTlN8y9LHWTaQvZFf6vAMEe5o8DG-W5cEBoQu5BgdC2yLJk99q1wNM1hCM6xSx9MI1m3Z4FYQkfTg6okRUBJiXClAlWVDXyS8r6KqAog1bNB3XorSP5TE9FgEq7stZ0DUzNvYqHtkkEEkfS1PWmsxPFBm_ew1NPvAptqzn7dci-Xo1XcqWFxqDcQEdblBhZGweU9OodEznDv-CkI-iO54_Zn-fMR0WP58pSgNxiP2x00PR2lbC2WoOly", + "eventCategory": "Management", + "eventID": "b5da67b9-87fa-4151-bd9a-818f3237fb91", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:17Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "a7cf65c0-a900-418b-99ab-a5d2ec35eed5", + "requestParameters": { + "instanceId": "i-l2yrvbrcwc3ytkcz" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": "ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + 
"userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. Encoded authorization failure message: ZUocdTACiGX76lWaShcYz3NiFH7xrcQLJF4xvkdVwj1YRi1LCjXrOGw99KaEjQryXTvxQl8mcoL3NPIH5bvnNm56e4dz1U4_VU1Kxe9GM2GOFvI8Dtz4yeL51wDiwFmt0g9Bfy90J8IevWimq6H-qiLNMbvL8s19Yxe-IPC4EOExJ73IGCm2M0L5Kk1PI1FNzS0V7JnRS53ZBBovZxoY3iJ5KDZ0IJMTbemzqT4uu4YCPzcsnHolRL8LaKniskKGZ4XjVxD3b5pybZ26C7DE77Wq67rlhNwJyRM8RG12tety1tw20hwblshCbJUw2YoR-_UffA4ZbMMDMSS1OkxatoynUOee5zTrapuKfsI592sH5SNLDH2nKzTMu75snXpwMEkkarPJR1rya1g7BQjvB7LcE8lnQV5zwXjCuwLx-yZrDNW6sytsvLt8oS1ASdIJlZk92V1rYCRvBBbMFgIA-0eVACBwrBfrm3x4AGM2YWBbtqtsZUYLr5Ofr6gJWn8xd9Ve-KZ98feGVI0hGzX2RMFbEDF5CeaztSYJ9VnOrxrVH1Cc3oE0GbRcBikla_4vq8_u", + "eventCategory": "Management", + "eventID": "52242c8d-7ef7-4165-90cd-621ebe835388", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:16Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "0436a948-0d62-49b2-a53a-07f590224fbc", + "requestParameters": { + "instanceId": "i-gspajwz8z9wrutsz" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": 
"ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + "userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. 
Encoded authorization failure message: X7IcIBBP37fUlSTM_9cAnZKJ-zTlv5zmnaUcLS5lQZQfMyq3jfoXbih6NSCKKrWRnPqrCRmxo0uAw7ZIx0iLur5x7fvQq5hq9-ykkM9of1GB6aycacQC7yDzZmnFm8EHAoI3prAsEtL2e6DXtfNjT-XT0V8n69-2o8DVmh5gT7J4MZbfZssfRF-kdyCH4V_QVSv9Greh1Gnluz0EmztA6YAMhPCYG9cXp7GFzeQmQswsocXIXIhziu_UrwFb8hWZRM8Ih4ES3pvcZwzC6UB_bvSMjsVIjrJpNKNhmSievgN-MZno6buBDdsVz7pRCJJzFzvhsdj5S2e-I3jfTTfucNpyZB_xpyuSCghSW63oYi3mL8ek-t5h-sx23hANg523FIRk9w9YI6mmHiK74cwO-OUHgFNd8KERtSXHUBeno95Tp4ONhO6wSXYE6pJj3IevrcmgoWu8IHni6RbNeTC8h5SWb3sknXmdQzeN7UwEpoEEPhWtegFPcX0Zo0vOTb0oawDx16Y6eryN3966VgE_6nuDuCPMSESJngEnXZgtxLDDx4_lVymADHCS1G2vdh7ATuk", + "eventCategory": "Management", + "eventID": "a9da1fbd-464c-4b74-8c64-96eea2564978", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:16Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "8fdbcf53-b574-44a8-91c5-b81f183c871f", + "requestParameters": { + "instanceId": "i-ce85lye2frdpml4s" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": "ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + 
"userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. Encoded authorization failure message: 6Vmm3_Z2lje988np7WwvCzM0gOYUowRA85YdDAIV3rx8y1O2mvqd1bWvJ0Uil_jPCbaRHVGEwnKbxuOEgMThvNpKooEdt2KRMbgEhUvfsdBb_l-tT5d5HM2wGr4t9C5u6uSIj6aJPYtvNrLSYZRz5oAFnjuoJb2m_T-63qxhnVpYvPswmWAUBRhHN7bZs2UVAGUF51CZi0bIB007D6MEkK7vijtzB54oBEZhedPhsLG4axf570Oh7fHoXBKy6AU_W1n-giLzqonpoUsqVuV5K7yTdpJpt0CKTPRYpkJ4ExOF359Q73q0aTd2aDnlWgryBSDVQQdJXHz8zoBOtVF3bl46JK0MTriGclPhz4e-k48Bv9gTMLsyasPIYbf5OwgkKgSrWa4e48F3QRfi4jMe_P9NDIKYQG-vFTyu0hrVoZWbY5OonzJTqYpgkmI1YgmZgKsKIFuKbO37QtAbLPQFJln1vc8cbRbKo3yrIuhiJ0C-lmdr-9saiOkGbcX-iPETeVh7LA8RxbQi74v7AVKq4y8T73bvP3sgiOxaHGx_KD96E-lY_SBy5vvP7EDNUCJO4zHw", + "eventCategory": "Management", + "eventID": "d2d44fa9-f50b-4877-8a52-9e3855029970", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:16Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "2e320d8a-8922-4741-aefd-86cc33c99f2b", + "requestParameters": { + "instanceId": "i-z4rfvoc4sgtoirf6" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": 
"ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + "userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000 is not authorized to perform: ec2:GetPasswordData on resource: arn:aws:ec2:apiso-northsouth-3r:457448411975:instance/* because no identity-based policy allows the ec2:GetPasswordData action. 
Encoded authorization failure message: H_1M2f8fBtX-nKWuNweECYRadnJgTd8yB-qZbnIYTBwsE58jAcA13xaXwijpN2uy4ksDhtIwclLwy4y5QxG82pYgzDWogJx94y_UP8_Sb_MTS9xBuWqjmelx0Z0QrF65xf1J79Gj67jI01QYDjVjuIPHR5_ygzq0QUzNU28lcbPiy42MY1GDPp24x-W3HVPDcnOzfTdqV0T-rKp9dVHwNB-lM_OPx3awGgOkofGAsRcP2aduNxYJcATRXhoTczjo7Lvz5rIKp3u5rC1JQDXAxnJ-8WrxidXOcVnTup5nNrkWIo6ACaoupxIf86yS1nJ6drtfU-r2gUuBhduI48K0y4PHP-2AFf-U201axMzqCYZsX5hnWf8hRxa6VLKFMJVsxsuFxZUVAAwm5K2NsEkzHh9T5KWWR2vO7pxFp-BgiarX_5ajJyVeTmON9LYJI3Gqit5eCV2F1mC8Cvy-jvWC88dt_qKzSTKtb5RMwAJZ4HivEXqp6iCdlViSJXbRGK5C3odmUCzGMUs2wV6fMAAcKWinQobra0P8Nn2zzKk6Zqx-ikgMwGDLZ8C5FZiNpjVUrv0", + "eventCategory": "Management", + "eventID": "f1e17321-830c-4761-854c-158258e915b6", + "eventName": "GetPasswordData", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-30T21:31:16Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "faae9c16-fe9a-457e-a12f-41f71b7469f7", + "requestParameters": { + "instanceId": "i-rbn1gvh843rzs87g" + }, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": "ASIANQQHHS551LWULIWD", + "accountId": "457448411975", + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "principalId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-30T21:31:15Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "principalId": "AROAMLQ9F6KHQ07JKA0WY", + "type": "Role", + 
"userName": "stratus-red-team-ec2-get-password-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "eventCategory": "Management", + "eventID": "d769ddfd-2cda-4cfa-b33f-05d3b886921d", + "eventName": "AssumeRole", + "eventSource": "sts.amazonaws.com", + "eventTime": "2024-07-30T21:31:15Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "556ffdc4-27d1-4ce9-8932-cdca27641708", + "requestParameters": { + "durationSeconds": 900, + "roleArn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "roleSessionName": "aws-go-sdk-1722375070115152000" + }, + "resources": [ + { + "ARN": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "accountId": "457448411975", + "type": "AWS::IAM::Role" + } + ], + "responseElements": { + "assumedRoleUser": { + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "assumedRoleId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000" + }, + "credentials": { + "accessKeyId": "ASIA7RQR64ZW9JXKWPUO", + "expiration": "Jul 30, 2024, 9:46:15 PM", + "sessionToken": "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" + } + }, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "sts.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": "AKIAWOGXN38MFN92ING5", + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:user/christophe", + "principalId": "AIDAFSHDVNSWGFKZR06G", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "eventCategory": "Management", + "eventID": "fd179e25-9f1a-406c-8d7d-62f9d4938ef6", + 
"eventName": "AssumeRole", + "eventSource": "sts.amazonaws.com", + "eventTime": "2024-07-30T21:31:15Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "880bf8cc-0787-4c2d-8564-3f4ce8946109", + "requestParameters": { + "durationSeconds": 900, + "roleArn": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "roleSessionName": "aws-go-sdk-1722375070115152000" + }, + "resources": [ + { + "ARN": "arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "accountId": "457448411975", + "type": "AWS::IAM::Role" + } + ], + "responseElements": { + "assumedRoleUser": { + "arn": "arn:aws:sts::457448411975:assumed-role/stratus-red-team-ec2-get-password-data-role/aws-go-sdk-1722375070115152000", + "assumedRoleId": "AROAMLQ9F6KHQ07JKA0WY:aws-go-sdk-1722375070115152000" + }, + "credentials": { + "accessKeyId": "ASIANQQHHS551LWULIWD", + "expiration": "Jul 30, 2024, 9:46:15 PM", + "sessionToken": "IQoJb3JpZ2luX2VjEGYaCXVzLWVhc3QtMSJHMEUCIGm0kj47xAVKg25149QY6m0tHI8QKHcgIYPKJNYSkt32AiEA64SPa+BDSMJXiGD0qT45dx3H9Hj18oeXyl6fq7G+e4gqqwIITxABGgw3NTEzNTMwNDEzMTAiDJfCBLDTbEWuUNcbICqIAvzAOy3GNiobaWkep5/dAzk/rl6x/Lx+QNE+tUQnTU9xpJWQ6gl0uOxfQaQCingQ6Bwa7AYCIwghP0p+ijLHzj0WK9w6X1M2HgqcLIWaqarREf1xyOsPkFbNsML+1cw50lcxSCEXlQnkCDAGE1cI0wInkycEBuxGFDckceXf4whG9QzNW/jR7fDuzsN5u8GI4UsP77/oa2HISgg6wUT2byc3ni6+YruVQY//2ffKPfQyf1L9RmssxoYGb9t9iazDJjKDunKKZMvMEan4F9+acCbIUrBROgZ9Ays1D1DLjunCfRG9xd2fZ/boG6alhxNmuck39UfAxF1zyLAs3zmdWcQT0Z2croAh0TCjt6W1BjqdARs4DLOAmVNuEmRq1kvuWtdN8C0Q+ObHWUjFYQbcSNyEQOGz6pegmGbypeI9JSgxR7z6GPrSQS1yNWD9+Cs3LNl4Xr/zVmjDYDnVepIWDZ8xYofwlg78esvHzBbdKoKYt7se7feg1Kpyi0UT49BJvpUul9h1PGoQHF5zmVDA/QHqfoq5Ykv5haahEewaCSp6tvgljHXQ0xFDJv/+SIs=" + } + }, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "sts.apiso-northsouth-3r.amazonaws.com", + 
"tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": "AKIAWOGXN38MFN92ING5", + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:user/christophe", + "principalId": "AIDAFSHDVNSWGFKZR06G", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "AccessDenied", + "errorMessage": "User: arn:aws:iam::457448411975:user/christophe is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "eventCategory": "Management", + "eventID": "46558847-8b84-43de-8c96-302aa4744763", + "eventName": "AssumeRole", + "eventSource": "sts.amazonaws.com", + "eventTime": "2024-07-30T21:31:12Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "bf47f64b-bcf2-441f-a1b8-9cbaa241ff11", + "requestParameters": null, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "sts.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": "AKIAWOGXN38MFN92ING5", + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:user/christophe", + "principalId": "AIDAFSHDVNSWGFKZR06G", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "apiso-northsouth-3r", + "errorCode": "AccessDenied", + "errorMessage": "User: arn:aws:iam::457448411975:user/christophe is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::457448411975:role/stratus-red-team-ec2-get-password-data-role", + "eventCategory": "Management", + "eventID": "8a8844ff-dc95-4ef5-87d2-d86cc23fedd0", + "eventName": "AssumeRole", + "eventSource": 
"sts.amazonaws.com", + "eventTime": "2024-07-30T21:31:10Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "457448411975", + "requestID": "b3f190d5-4701-47ef-9fb0-76e8b7877df0", + "requestParameters": null, + "responseElements": null, + "sourceIPAddress": "200.249.253.51", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "sts.apiso-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5c59eb79-6dac-405c-a4c4-e19aec03c666", + "userIdentity": { + "accessKeyId": "AKIAWOGXN38MFN92ING5", + "accountId": "457448411975", + "arn": "arn:aws:iam::457448411975:user/christophe", + "principalId": "AIDAFSHDVNSWGFKZR06G", + "type": "IAMUser", + "userName": "christophe" + } + } +] \ No newline at end of file diff --git a/docs/detonation-logs/aws.credential-access.ec2-steal-instance-credentials.json b/docs/detonation-logs/aws.credential-access.ec2-steal-instance-credentials.json new file mode 100644 index 000000000..98a7809a0 --- /dev/null +++ b/docs/detonation-logs/aws.credential-access.ec2-steal-instance-credentials.json 
@@ -0,0 +1,1834 @@ +[ + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "2a5178c8-b4c7-44ba-b066-1ecc79b7087c", + "eventName": "SendCommand", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:24Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "017622104382", + "requestID": "ff024f6e-78cd-4f36-95cf-7179c6421e32", + "requestParameters": { + "documentName": "AWS-RunShellScript", + "instanceIds": [ + "i-786a3A8B5C0d92eF4" + ], + "interactive": false, + "parameters": "HIDDEN_DUE_TO_SECURITY_REASONS" + }, + "responseElements": { + "command": { + "alarmConfiguration": { + "alarms": [], + "ignorePollAlarmFailure": false + }, + "clientName": "", + "clientSourceId": "", + "cloudWatchOutputConfig": { + "cloudWatchLogGroupName": "", + "cloudWatchOutputEnabled": false + }, + "commandId": "f6887251-cdde-4251-a026-f50a25f521f7", + "comment": "", + "completedCount": 0, + "deliveryTimedOutCount": 0, + "documentName": "AWS-RunShellScript", + "documentVersion": "$DEFAULT", + "errorCount": 0, + "expiresAfter": "Aug 2, 2024, 10:23:24 AM", + "hasCancelCommandSignature": false, + "hasSendCommandSignature": false, + "instanceIds": [ + "i-786a3A8B5C0d92eF4" + ], + "interactive": false, + "maxConcurrency": "50", + "maxErrors": "0", + "notificationConfig": { + "notificationArn": "", + "notificationEvents": [], + "notificationType": "" + }, + "outputS3BucketName": "", + "outputS3KeyPrefix": "", + "outputS3Region": "us-north-2r", + "parameters": "HIDDEN_DUE_TO_SECURITY_REASONS", + "requestedDateTime": "Aug 2, 2024, 8:23:24 AM", + "serviceRole": "", + "status": "Pending", + "statusDetails": "Pending", + "targetCount": 1, + "targets": [], + "timeoutSeconds": 3600, + "triggeredAlarms": [] + } + }, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + 
"tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "1d6a4901-4b35-4e4c-8569-a15fde667507", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:01Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "fc69ddbc-31ee-4435-80d7-d5186c01d2a1", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "8b5891ab-9638-4c56-aa27-8c43dacbf6fb", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:22:54Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "968528a1-fb69-454b-b895-87df48493598", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] 
+ } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "a4ac2342-6c2d-4d54-9308-e20b7d537063", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:22:43Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "48ac6ca0-0d3c-4cca-80d4-65cca1e7cf50", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "8aa86ee3-7789-4248-a0b3-779a720a31bd", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:22:42Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": 
true, + "recipientAccountId": "017622104382", + "requestID": "1a8b3f8f-0829-4e0c-bce4-a28c0e783f51", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "b379479b-05c9-4c3c-af4b-cbd43acf29e1", + "eventName": "GetCallerIdentity", + "eventSource": "sts.amazonaws.com", + "eventTime": "2024-08-02T08:23:55Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "e46e7e10-ae9e-4170-b205-5d327c156416", + "requestParameters": null, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "sts.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "ASIAP5CT9NN8EYVU1FXV", + "accountId": "017622104382", + "arn": "arn:aws:sts::017622104382:assumed-role/stratus-red-team-ec2-steal-credentials-role/i-786a3A8B5C0d92eF4", + "principalId": "AROALHCCSKSM395EGX3XN:i-786a3A8B5C0d92eF4", + "sessionContext": { + "attributes": { + "creationDate": "2024-08-02T08:20:52Z", + "mfaAuthenticated": "false" + }, + "ec2RoleDelivery": "1.0", + "sessionIssuer": { + "accountId": "017622104382", + "arn": 
"arn:aws:iam::017622104382:role/stratus-red-team-ec2-steal-credentials-role", + "principalId": "AROALHCCSKSM395EGX3XN", + "type": "Role", + "userName": "stratus-red-team-ec2-steal-credentials-role" + }, + "webIdFederationData": {} + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "be2ec885-070c-4fc0-8c5a-11e8dfe65351", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:24Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "7f6ff28c-e7c0-4634-9d18-1f3e6157a5f5", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "f9d500d1-d469-409f-b8b0-b0fea46b927a", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:20Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "b4d8f210-46fc-4ca3-b03f-065a49cd9dbc", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": 
"18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "501997e8-265d-44e3-92ee-228e7e155cef", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:22:58Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "d76263e1-e1ab-4da1-9c74-ae146a06a390", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "1928dbd9-a8ff-4965-bfb7-cfd7884933cf", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:22:56Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": 
"db31fb93-2471-4747-bd7b-0aa6d2ada9db", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "48c0979a-5d65-43f7-aa41-914d1ac0348b", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:22:55Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "c8f99ffe-e27c-41ab-84a4-9be8d40e8e96", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "73e1044f-14fd-4e57-a515-5fa1b33ee465", + "eventName": "DescribeInstanceInformation", + "eventSource": 
"ssm.amazonaws.com", + "eventTime": "2024-08-02T08:22:53Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "5377091e-7b64-4951-8d5b-38f5e6ed733a", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "fbe51d19-8701-4214-8715-479c3765fd63", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:22:50Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "9eb25ff8-973a-4bb8-a12c-2b27fdc5f434", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + 
"userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "0ad6b57e-2afc-4cbf-b618-b412445b3795", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:22:49Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "fd973fdc-43ed-418f-bd56-70c7bfb6beb0", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "ceffab54-0d57-4970-b1fd-6c735c624531", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:22:48Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "13bbbae5-9186-499a-8613-a50fcd752cad", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", 
+ "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "abe4f64f-4edd-4269-888e-bd53a143a2b6", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:22:47Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "a475561e-0013-4f7e-80e7-9f2067b4b4bf", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "46e1e497-e386-4b89-9769-7c8d94d69c74", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:22:45Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "8b440237-44a9-4cad-8115-1d1015b9e7b4", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + 
"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "92804077-0177-4385-bcf8-97b0291538fd", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:22:44Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "4bd629c0-ee97-4b2c-a779-2451cd91213a", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "061a2c00-e72a-4126-9487-1724c2f6a37a", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:22:40Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": 
"f8b97bc6-cf13-476f-9e1b-5f005682ad9e", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "57f3b958-1c3b-458a-b60f-52310b597f49", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:22:39Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "32a9ae7b-8cae-4b6c-93ff-081ee7a5355b", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "394cf343-b9cf-48ce-8a94-e188656ae8ba", + "eventName": "DescribeInstances", + "eventSource": 
"ec2.amazonaws.com", + "eventTime": "2024-08-02T08:23:56Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "7b9d34cc-91db-4ea0-9290-2897ad31b037", + "requestParameters": { + "filterSet": {}, + "instancesSet": {} + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "ASIAP5CT9NN8EYVU1FXV", + "accountId": "017622104382", + "arn": "arn:aws:sts::017622104382:assumed-role/stratus-red-team-ec2-steal-credentials-role/i-786a3A8B5C0d92eF4", + "principalId": "AROALHCCSKSM395EGX3XN:i-786a3A8B5C0d92eF4", + "sessionContext": { + "attributes": { + "creationDate": "2024-08-02T08:20:52Z", + "mfaAuthenticated": "false" + }, + "ec2RoleDelivery": "1.0", + "sessionIssuer": { + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:role/stratus-red-team-ec2-steal-credentials-role", + "principalId": "AROALHCCSKSM395EGX3XN", + "type": "Role", + "userName": "stratus-red-team-ec2-steal-credentials-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "a03d1afb-d68a-4e53-be36-17be89b1a3ee", + "eventName": "GetCommandInvocation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:54Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "d77be684-10e3-4da5-83ff-80e4abaf0818", + "requestParameters": { + "commandId": "f6887251-cdde-4251-a026-f50a25f521f7", + "instanceId": "i-786a3A8B5C0d92eF4" + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": 
"ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "6a96b70b-0d0f-49f1-b649-b1531d02de50", + "eventName": "GetCommandInvocation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:36Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "9d0811fa-d945-4191-874a-c093553b3401", + "requestParameters": { + "commandId": "f6887251-cdde-4251-a026-f50a25f521f7", + "instanceId": "i-786a3A8B5C0d92eF4" + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "7d7d6c2a-6ce0-40cf-9a83-9ceb78feafc3", + "eventName": "GetCommandInvocation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:30Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "705c99bd-7db7-434a-9678-5bcb19552940", + "requestParameters": { + 
"commandId": "f6887251-cdde-4251-a026-f50a25f521f7", + "instanceId": "i-786a3A8B5C0d92eF4" + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "4bbece4b-580c-4cfa-8b01-344774458f69", + "eventName": "GetCommandInvocation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:25Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "9116a326-23fa-4f00-9f81-a52882bd18f7", + "requestParameters": { + "commandId": "f6887251-cdde-4251-a026-f50a25f521f7", + "instanceId": "i-786a3A8B5C0d92eF4" + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "4b53af24-ec46-455f-9e60-f8f11235d226", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:23Z", + "eventType": 
"AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "57fdbc28-0188-4e33-8cc8-da4e0b474c52", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "2cf5bf3d-8b05-4083-89c8-d621fb29d315", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:22Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "dbf6c6cc-b01a-432c-a4d2-001e24ecbc4e", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + 
"eventCategory": "Management", + "eventID": "d0239fee-4dc5-4935-b2b0-3eb443760174", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:19Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "b75f1639-567d-4ad7-9b23-0912ada17f5a", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "3866bd7c-83fc-443a-8390-60f8037cea91", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:18Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "bf30e76a-ab54-4d13-bed7-ad994be43b7c", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + 
"accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "797de410-d0e0-4acf-b717-5e67ed39a467", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:17Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "7f890911-9b8f-4f97-876c-524b6d542b71", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "4c488fc8-23fc-4600-bd00-c0d51404c929", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:16Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "468b2426-d0ac-43c1-bd64-7f73ea91aa63", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + 
"clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "77b4b3f1-c381-4bbf-98a0-eb420141b8c4", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:14Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "4763a692-3f7e-4096-9006-cde225a71111", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "1323b061-297d-436c-909a-2052c0d47e6a", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:13Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "d9d0901b-b977-4767-86f9-821ffcecc364", + "requestParameters": { + "filters": [ + { + 
"key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "3cfc7a2b-1e74-4292-8724-8dd29e0528ab", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:12Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "739b8f1d-2162-42b1-8187-0355da517057", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-SHA", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "d7463a04-25b0-4eb2-b329-867c6f6e6e17", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:11Z", + "eventType": "AwsApiCall", + 
"eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "d45d33ec-f498-4137-88cf-4f04073c269a", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "3578680d-0d63-43be-8bd5-484b6106ddfa", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:10Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "5653fd0f-27ce-4ac1-9ebb-d34389b01946", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": 
"Management", + "eventID": "f3e31b50-d1e9-4e4f-bcdc-e1faed911fab", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:08Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "9e812fb7-0757-4659-aa0d-6c41bf6f7970", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "f48f89e8-af3b-4dea-9c5f-8f26687ade02", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:07Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "6d3d584f-5f25-478f-8549-78c410db8d14", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": 
"017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "00e9b1b8-2b23-4988-b872-bc650469750e", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:06Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "6c1953b3-468e-43f2-a058-2c6a926480a3", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "9a691968-b92a-4218-8c3b-f9183a2db5db", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:05Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "58d7aeab-490e-4a1c-8803-5994b6ad3e9c", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": 
"ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "9e3d2872-6af8-4137-8e17-276c8b34f357", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:04Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "72b94fe4-c828-4bdf-a002-7d2af722d687", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "f37811bd-6506-4785-b8e7-3a67885d9a31", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:03Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "3e2526bb-b0a8-4bcb-ae3b-5c88f6c04f1c", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + 
"values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "65965073-1feb-46ea-95b3-c7b90937c70f", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:23:00Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "eba9f797-3323-451c-93eb-f3c57269a524", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "e805f60c-ada5-4dc3-9f4d-636a9978b30a", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:22:59Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + 
"managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "80f88172-f800-48b4-94cb-d95cbecdbc8c", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "us-north-2r", + "eventCategory": "Management", + "eventID": "2a96648a-6f8a-4faa-b5fc-432fab0eee81", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T08:22:51Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "017622104382", + "requestID": "4f2d4d99-274a-4133-b122-abac714570c1", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-786a3A8B5C0d92eF4" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "18.236.253.47", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.us-north-2r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_c763d13b-d099-488a-bb3e-f57cb2fed240", + "userIdentity": { + "accessKeyId": "AKIAAM80VXLJF8NPK4VC", + "accountId": "017622104382", + "arn": "arn:aws:iam::017622104382:user/christophe", + "principalId": "AIDASSXYG8SJ3JDII10C", + "type": "IAMUser", + "userName": "christophe" + } + } +] \ No newline at end of file 
diff --git a/docs/detonation-logs/aws.credential-access.secretsmanager-batch-retrieve-secrets.json b/docs/detonation-logs/aws.credential-access.secretsmanager-batch-retrieve-secrets.json
new file mode 100644
index 000000000..73886a5ca
--- /dev/null
+++ b/docs/detonation-logs/aws.credential-access.secretsmanager-batch-retrieve-secrets.json
@@ -0,0 +1,202 @@
+[
+ {
+ "awsRegion": "eu-westwest-1r",
+ "eventCategory": "Management",
+ "eventID": "61619dbf-c10b-471e-9d78-8199a2f8233a",
+ "eventName": "BatchGetSecretValue",
+ "eventSource": "secretsmanager.amazonaws.com",
+ "eventTime": "2024-07-31T12:29:17Z",
+ "eventType": "AwsApiCall",
+ "eventVersion": "1.09",
+ "managementEvent": true,
+ "readOnly": true,
+ "recipientAccountId": "165109126369",
+ "requestID": "d493c657-4004-4105-81f0-8f468ba0c9b3",
+ "requestParameters": {
+ "filters": [
+ {
+ "key": "tag-key",
+ "values": [
+ "StratusRedTeam"
+ ]
+ }
+ ]
+ },
+ "responseElements": null,
+ "sourceIPAddress": "88.223.251.255",
+ "tlsDetails": {
+ "cipherSuite": "TLS_AES_128_GCM_SHA256",
+ "clientProvidedHostHeader": "secretsmanager.eu-westwest-1r.amazonaws.com",
+ "tlsVersion": "TLSv1.3"
+ },
+ "userAgent": "stratus-red-team_0a05817a-84d2-40d7-afde-8311715b1ee6",
+ "userIdentity": {
+ "accessKeyId": "AKIALK3Q0HKBKZJ2XBYP",
+ "accountId": "165109126369",
+ "arn": "arn:aws:iam::165109126369:user/christophe",
+ "principalId": "AIDAIOBKTJ7YOYY9TKC4",
+ "type": "IAMUser",
+ "userName": "christophe"
+ }
+ },
+ {
+ "awsRegion": "eu-westwest-1r",
+ "eventCategory": "Management",
+ "eventID": "7c7a69f9-867d-4b5b-beee-7fe62ba34d5c",
+ "eventName": "BatchGetSecretValue",
+ "eventSource": "secretsmanager.amazonaws.com",
+ "eventTime": "2024-07-31T12:29:17Z",
+ "eventType": "AwsApiCall",
+ "eventVersion": "1.09",
+ "managementEvent": true,
+ "readOnly": true,
+ "recipientAccountId": "165109126369",
+ "requestID": "6b6e2935-39ad-44d9-9a62-eeb63e95bd69",
+ "requestParameters": {
+ "filters": [
+ {
+ "key": "tag-key",
+ "values": [
+ "StratusRedTeam"
+ ]
+ }
+ ]
+ },
+ "responseElements": null,
+ "sourceIPAddress": "88.223.251.255",
+ "tlsDetails": {
+ "cipherSuite": "TLS_AES_128_GCM_SHA256",
+ "clientProvidedHostHeader": "secretsmanager.eu-westwest-1r.amazonaws.com",
+ "tlsVersion": "TLSv1.3"
+ },
+ "userAgent": "stratus-red-team_0a05817a-84d2-40d7-afde-8311715b1ee6",
+ "userIdentity": {
+ "accessKeyId": "AKIALK3Q0HKBKZJ2XBYP",
+ "accountId": "165109126369",
+ "arn": "arn:aws:iam::165109126369:user/christophe",
+ "principalId": "AIDAIOBKTJ7YOYY9TKC4",
+ "type": "IAMUser",
+ "userName": "christophe"
+ }
+ },
+ {
+ "awsRegion": "eu-westwest-1r",
+ "eventCategory": "Management",
+ "eventID": "cf4e352a-b575-4003-bd81-0c531f42e626",
+ "eventName": "BatchGetSecretValue",
+ "eventSource": "secretsmanager.amazonaws.com",
+ "eventTime": "2024-07-31T12:29:17Z",
+ "eventType": "AwsApiCall",
+ "eventVersion": "1.09",
+ "managementEvent": true,
+ "readOnly": true,
+ "recipientAccountId": "165109126369",
+ "requestID": "cd93c41b-cb19-4a2c-9f35-6a1becee24ce",
+ "requestParameters": {
+ "filters": [
+ {
+ "key": "tag-key",
+ "values": [
+ "StratusRedTeam"
+ ]
+ }
+ ]
+ },
+ "responseElements": null,
+ "sourceIPAddress": "88.223.251.255",
+ "tlsDetails": {
+ "cipherSuite": "TLS_AES_128_GCM_SHA256",
+ "clientProvidedHostHeader": "secretsmanager.eu-westwest-1r.amazonaws.com",
+ "tlsVersion": "TLSv1.3"
+ },
+ "userAgent": "stratus-red-team_0a05817a-84d2-40d7-afde-8311715b1ee6",
+ "userIdentity": {
+ "accessKeyId": "AKIALK3Q0HKBKZJ2XBYP",
+ "accountId": "165109126369",
+ "arn": "arn:aws:iam::165109126369:user/christophe",
+ "principalId": "AIDAIOBKTJ7YOYY9TKC4",
+ "type": "IAMUser",
+ "userName": "christophe"
+ }
+ },
+ {
+ "awsRegion": "eu-westwest-1r",
+ "eventCategory": "Management",
+ "eventID": "bddee0fb-2541-430d-aad5-b1fdd5d419f1",
+ "eventName": "BatchGetSecretValue",
+ "eventSource": "secretsmanager.amazonaws.com",
+ "eventTime": "2024-07-31T12:29:16Z",
+ "eventType": "AwsApiCall",
+ "eventVersion": "1.09",
+ "managementEvent": true,
+ "readOnly": true,
+ "recipientAccountId": "165109126369",
+ "requestID": "6bd1a472-24d2-46b5-abb6-83a9caf3e3ea",
+ "requestParameters": {
+ "filters": [
+ {
+ "key": "tag-key",
+ "values": [
+ "StratusRedTeam"
+ ]
+ }
+ ]
+ },
+ "responseElements": null,
+ "sourceIPAddress": "88.223.251.255",
+ "tlsDetails": {
+ "cipherSuite": "TLS_AES_128_GCM_SHA256",
+ "clientProvidedHostHeader": "secretsmanager.eu-westwest-1r.amazonaws.com",
+ "tlsVersion": "TLSv1.3"
+ },
+ "userAgent": "stratus-red-team_0a05817a-84d2-40d7-afde-8311715b1ee6",
+ "userIdentity": {
+ "accessKeyId": "AKIALK3Q0HKBKZJ2XBYP",
+ "accountId": "165109126369",
+ "arn": "arn:aws:iam::165109126369:user/christophe",
+ "principalId": "AIDAIOBKTJ7YOYY9TKC4",
+ "type": "IAMUser",
+ "userName": "christophe"
+ }
+ },
+ {
+ "awsRegion": "eu-westwest-1r",
+ "eventCategory": "Management",
+ "eventID": "cdc49957-9518-4ab3-a49e-b5a7c17903e6",
+ "eventName": "BatchGetSecretValue",
+ "eventSource": "secretsmanager.amazonaws.com",
+ "eventTime": "2024-07-31T12:29:16Z",
+ "eventType": "AwsApiCall",
+ "eventVersion": "1.09",
+ "managementEvent": true,
+ "readOnly": true,
+ "recipientAccountId": "165109126369",
+ "requestID": "be2e79d0-ef1a-47f1-90b4-bafbbaa7404c",
+ "requestParameters": {
+ "filters": [
+ {
+ "key": "tag-key",
+ "values": [
+ "StratusRedTeam"
+ ]
+ }
+ ]
+ },
+ "responseElements": null,
+ "sourceIPAddress": "88.223.251.255",
+ "tlsDetails": {
+ "cipherSuite": "TLS_AES_128_GCM_SHA256",
+ "clientProvidedHostHeader": "secretsmanager.eu-westwest-1r.amazonaws.com",
+ "tlsVersion": "TLSv1.3"
+ },
+ "userAgent": "stratus-red-team_0a05817a-84d2-40d7-afde-8311715b1ee6",
+ "userIdentity": {
+ "accessKeyId": "AKIALK3Q0HKBKZJ2XBYP",
+ "accountId": "165109126369",
+ "arn": "arn:aws:iam::165109126369:user/christophe",
+ "principalId": "AIDAIOBKTJ7YOYY9TKC4",
+ "type": "IAMUser",
+ "userName": "christophe"
+ }
+ }
+]
\ No newline at end of file
diff --git a/docs/detonation-logs/aws.credential-access.secretsmanager-retrieve-secrets.json b/docs/detonation-logs/aws.credential-access.secretsmanager-retrieve-secrets.json
new file mode 100644
index 000000000..1008f6a7c
--- /dev/null
+++ b/docs/detonation-logs/aws.credential-access.secretsmanager-retrieve-secrets.json
@@ -0,0 +1,703 @@ +[ + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "b9c3d881-1e77-426c-abd3-5ca20d903380", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:52Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "c4fff253-825a-4828-adac-7f789f6975f3", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-18-4Rzn83" + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "c63dd227-42e0-4934-8b29-52f4e583d54e", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:52Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "df133663-cdb1-4ea8-b795-eddf0152e16c", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-17-JF56OW" + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" 
+ }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "0985f4e9-9263-423a-a499-fdd330c973c1", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:51Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "cf234c05-2c74-49e5-b632-5898071d4f86", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-2-WNXFB1" + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "25b97ad2-f713-4a29-af76-659e736629aa", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:51Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "52b87720-e08a-4fd4-8daa-ad70f983ce68", + "requestParameters": { + "secretId": 
"arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-14-3JB2S0" + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "2d81c956-58c3-4336-ae4e-c0b9f2b96113", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:51Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "999b3685-f5e1-4008-9cc8-b83121ab679e", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-9-BHrKxX" + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "853be248-0703-49a6-ba35-256dfbac47ab", + "eventName": "GetSecretValue", + "eventSource": 
"secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:51Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "6f25a056-21bc-4dc0-b19f-ebd556481158", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-7-WNXFB1" + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "da3b695c-bf67-4648-af49-2bdfee197c14", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:51Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "9d284480-aa0c-4629-ad39-a99aa008322b", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-8-jLR7H1" + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": 
"arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "8d045085-7bad-401a-9a04-4feba3f1073e", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:49Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "a34ac8a9-1314-42b5-abf7-1fde8260e136", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-12-DyLJjP" + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "a9b70c0d-d32d-41e7-8356-2be543095478", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:49Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "84c979ef-40a9-42d6-844c-a472d4d6a2ba", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-10-DyLJjP" + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": 
"TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "dbff1b29-c7fb-4fe4-b5ed-24e8794b77fe", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:49Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "6d9c4644-a87b-46fa-b76f-2cc62f8f6f64", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-15-SAZN9Q" + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "0451b1de-e314-437f-a18d-827565e02bc9", + "eventName": "ListSecrets", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:48Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + 
"requestID": "818f243c-bb6b-43b1-9701-5180eecc90d2", + "requestParameters": { + "filters": [ + { + "key": "tag-key", + "values": [ + "StratusRedTeam" + ] + } + ], + "maxResults": 100 + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "99207de2-f8ea-4160-bbe8-22cb14da3a26", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:48Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "3f6c8311-bc51-43cf-88b8-5e51f424c1fd", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-4-Rma50d" + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": 
"d92519e6-b907-4d3a-abb4-d63c9feaee52", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:48Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "b1c6113d-e471-456d-9841-c094e4b47618", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-19-fXrpF0" + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "e20f1d5b-f2fa-470f-8d33-8aa43ddb6a23", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:48Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "6604143b-2af2-49d6-90bf-1520228a658a", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-1-fXrpF0" + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + 
"accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "bd52f504-dd75-46cb-a14e-e447612ea736", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:51Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "ad14aa03-62ac-4e31-afbb-5bdd640e051e", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-0-28bajb" + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "2e8dca5a-4e30-4feb-91bd-8a09cd1067a5", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:50Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "12e83f12-234a-4ed6-a8a2-49b68a54abde", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-16-JcCztd" + }, + "responseElements": null, + 
"sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "304c3bc6-5daa-4405-bbee-e6c65d276c20", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:50Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "45167e35-4642-41ae-bb82-0c431ce5dd24", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-13-MNjL4W" + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "43ebe9e4-8a82-4bd2-b5bc-bf9585c53bca", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:50Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": 
true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "a3376683-89a2-4a39-b490-adeed0bd02c1", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-6-JcCztd" + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "a05794ec-3c4c-43f6-b302-cce3f6abf05e", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:50Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "de58de72-13f4-4f0e-8b23-2f25717ca82b", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-5-fyShdO" + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": 
"cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "c9efcd4d-a04b-4abe-8fb4-2d954bcfda77", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:50Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "c686956f-fd49-433d-bdc7-c2fe91012036", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-3-DyLJjP" + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-centraleast-1r", + "eventCategory": "Management", + "eventID": "879e946f-b912-44e3-9d82-a84ad0b06668", + "eventName": "GetSecretValue", + "eventSource": "secretsmanager.amazonaws.com", + "eventTime": "2024-07-31T12:36:49Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "903144391865", + "requestID": "7ab119ac-f938-4bcc-86e8-9917493ace97", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:cn-centraleast-1r:903144391865:secret:stratus-red-team-retrieve-secret-11-OyGWSO" + }, + "responseElements": null, + "sourceIPAddress": "253.201.144.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "secretsmanager.cn-centraleast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": 
"stratus-red-team_10e7edf3-5063-4eba-8842-68f83bb52d65", + "userIdentity": { + "accessKeyId": "AKIA1JMTHE9ZMZMWG0MG", + "accountId": "903144391865", + "arn": "arn:aws:iam::903144391865:user/christophe", + "principalId": "AIDA45XCCHPPLELFTIIM", + "type": "IAMUser", + "userName": "christophe" + } + } +] \ No newline at end of file diff --git a/docs/detonation-logs/aws.credential-access.ssm-retrieve-securestring-parameters.json b/docs/detonation-logs/aws.credential-access.ssm-retrieve-securestring-parameters.json new file mode 100644 index 000000000..85df58b7d --- /dev/null +++ b/docs/detonation-logs/aws.credential-access.ssm-retrieve-securestring-parameters.json 
@@ -0,0 +1,566 @@ +[ + { + "awsRegion": "cn-west-3r", + "eventCategory": "Management", + "eventID": "3c83144c-614c-4979-ad06-b29d4db97c45", + "eventName": "DescribeParameters", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T15:26:57Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "933175858973", + "requestID": "13846448-4620-4f7a-af9f-f3e8bb7331e4", + "requestParameters": { + "maxResults": 10, + "nextToken": "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" + }, + "responseElements": null, + "sourceIPAddress": "250.202.242.232", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.cn-west-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_e1d92b9d-2488-4244-97b4-0a5e914287ba", + "userIdentity": { + "accessKeyId": "AKIAY964QRZ7YSGWGVUH", + "accountId": "933175858973", + "arn": "arn:aws:iam::933175858973:user/christophe", + "principalId": "AIDAGTWHLUXY291EU1ZL", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-west-3r", + "eventCategory": "Management", + "eventID": "a16d52e1-5e70-44da-b1bd-9016cd1b1cb0", + "eventName": "DescribeParameters", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T15:26:57Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "933175858973", + "requestID": "a94ac3e5-6956-4bd4-ae7a-6c4517865b56", + "requestParameters": { + "maxResults": 10, + "nextToken": 
"AAEAAfqeTJBa9KzNy85Z/I9fugPDwcPX+6UgaeHcuXfK5NcfAAAAAGarqUAd2tcUDuJEuPOIEBFqxxAR2+Ls88vLJSSWVsgnhZkVpRH+/ddn7uN8ec0Gr584BOjtFxs2RNVM/BPT/Ka52SNZS8C4jsMXbFQyAIJCEVCy8oL+v+i5Sxfvn/fKNmLSNj8oci/vsGBMkPwPd1/3juDlgjoqjsMUTHJv+HVDfMuVm9bRqXO+FyUFppOpaqsZOfrKPumVN5p+Pa2QcTVQlegs72EzvnCarJYmoI63g5PmxWE9jhgs24rSTdm7oX6Ai4hYjGmhtZoIrFU/JGumeM7X0rivOEMRVAX//LKs+78Zyt2sPFMHFfEu7tqarKcMQDEP164enW/bwuOT+X0cn6ps1eyaQJyFQoMACCMRYDlZ0kn5c9LnQ5HqmimQnRIes6y+7CXHIhbV0ZZBsIdqXiGcPy4X7+s2VPJMq+2CTdPsmkQs0JS/p+y6PoN+k92S/HTGZpUqOBd59dT+mBmpLvCeBYoskxKZPuc/j84po9DZGsVNPRKHzqhsH5p9m9oSc+ZnEAF571cZmXM56I0BtSScsWP14HtZEEAwwV3batz4uKXbw7cHPRgBbyNVg3y6X0tjrgyk2/MD9BNlOTgrRHIJ1CAV9OQNY0WK+Y4KhXLkqebum6qTY+ijqrpwoHgsc9yXjxMxXFsZoutMiBYUWv7z22w32l3I9xXExJrU10oy8A==" + }, + "responseElements": null, + "sourceIPAddress": "250.202.242.232", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.cn-west-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_e1d92b9d-2488-4244-97b4-0a5e914287ba", + "userIdentity": { + "accessKeyId": "AKIAY964QRZ7YSGWGVUH", + "accountId": "933175858973", + "arn": "arn:aws:iam::933175858973:user/christophe", + "principalId": "AIDAGTWHLUXY291EU1ZL", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-west-3r", + "eventCategory": "Management", + "eventID": "a4663305-e887-42ac-94e6-d04685e59899", + "eventName": "GetParameters", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T15:26:57Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "933175858973", + "requestID": "be330b1c-725a-49bc-bac2-8d0d114c7e73", + "requestParameters": { + "names": [ + "/credentials/stratus-red-team/credentials-1", + "/credentials/stratus-red-team/credentials-15", + "/credentials/stratus-red-team/credentials-20", + "/credentials/stratus-red-team/credentials-25", + 
"/credentials/stratus-red-team/credentials-32", + "/credentials/stratus-red-team/credentials-34", + "/credentials/stratus-red-team/credentials-35", + "/credentials/stratus-red-team/credentials-36", + "/credentials/stratus-red-team/credentials-39", + "/credentials/stratus-red-team/credentials-6" + ], + "withDecryption": true + }, + "resources": [ + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-1", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-15", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-20", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-25", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-32", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-34", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-35", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-36", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-39", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-6", + "accountId": "933175858973" + } + ], + "responseElements": null, + "sourceIPAddress": "250.202.242.232", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.cn-west-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + 
"userAgent": "stratus-red-team_e1d92b9d-2488-4244-97b4-0a5e914287ba", + "userIdentity": { + "accessKeyId": "AKIAY964QRZ7YSGWGVUH", + "accountId": "933175858973", + "arn": "arn:aws:iam::933175858973:user/christophe", + "principalId": "AIDAGTWHLUXY291EU1ZL", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-west-3r", + "eventCategory": "Management", + "eventID": "f7fd8826-9ac0-46a5-b7d5-55c269f59541", + "eventName": "GetParameters", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T15:26:57Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "933175858973", + "requestID": "4bd8d56f-70f4-4b29-8702-b517ee503852", + "requestParameters": { + "names": [ + "/credentials/stratus-red-team/credentials-11", + "/credentials/stratus-red-team/credentials-17", + "/credentials/stratus-red-team/credentials-18", + "/credentials/stratus-red-team/credentials-22", + "/credentials/stratus-red-team/credentials-26", + "/credentials/stratus-red-team/credentials-3", + "/credentials/stratus-red-team/credentials-31", + "/credentials/stratus-red-team/credentials-37", + "/credentials/stratus-red-team/credentials-38", + "/credentials/stratus-red-team/credentials-7" + ], + "withDecryption": true + }, + "resources": [ + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-11", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-17", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-18", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-22", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-26", + 
"accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-3", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-31", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-37", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-38", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-7", + "accountId": "933175858973" + } + ], + "responseElements": null, + "sourceIPAddress": "250.202.242.232", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.cn-west-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_e1d92b9d-2488-4244-97b4-0a5e914287ba", + "userIdentity": { + "accessKeyId": "AKIAY964QRZ7YSGWGVUH", + "accountId": "933175858973", + "arn": "arn:aws:iam::933175858973:user/christophe", + "principalId": "AIDAGTWHLUXY291EU1ZL", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-west-3r", + "eventCategory": "Management", + "eventID": "674e3606-412b-4468-8d97-df54a290c564", + "eventName": "DescribeParameters", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T15:26:56Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "933175858973", + "requestID": "76e5cae2-768a-4fce-a2d2-b162e27c8293", + "requestParameters": { + "maxResults": 10, + "nextToken": 
"AAEAAYl+RRW68eJ0xW6biiQkM0UFbgLzAw680L15/s+wHzuWAAAAAGarqT8yLEDnasB3CYBlA/iBSdCHG6jmIVUUgyWN6FIuTR9LfGXxx5xnVpiuEeGOELVuVJR35ZqhwXSVIiS57kfs3KUyffu+H0Iy3PYS9EztV7mH58Q3pE5jcU13IozWkd03XYMkAl2hgz5xX2g3SW8BGD2QeBUYmtHspZrSSpDloZoeJ+DCcQPwHRc9NjbnOnscO8TFqWvos2OmRpMtyA5BY1UAtBwkd9A6C4k2+97cBtu71URXDkT4wP4DeSPM/ZgSnZudGylYxUP7cZPwcK/uxr6cw/ihqQ7B30xIdIt9a1k81WBsCeV5KdBTXQHyUEQxMQd4uEZD1nEd30nsg+JtHF5ckuYS19zYoNCKydCr2aFg7/dNCdrZy0hvmJ+bw/QESYs8ZUMj4i7ilDoVo/I+RXQogojGBVnVES0wxCidKLyDQBDxAYur9eL4fwbstwdeFJJTP1vr822DvXDs0Q5l0P590bEanMD5ZdC/+kVkOO2LdAHfRXe8Osb6tua7PsvLpm9DYs7jjJ7gZciC18XxygX5d77FpIw4LtiDvFKrtzIjhmy6ZOKfxaDjYUlpJ5trxawf5FX0jQuLSYw0HMsZEv9tU0iVVvCGcJPPuX0V2jR8vCbUUJe1LFnROuBDkcpvfsSIcD+jV3caD14QlsFP0oT5pdi8iE4lQQs42UBpfDxMHA==" + }, + "responseElements": null, + "sourceIPAddress": "250.202.242.232", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.cn-west-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_e1d92b9d-2488-4244-97b4-0a5e914287ba", + "userIdentity": { + "accessKeyId": "AKIAY964QRZ7YSGWGVUH", + "accountId": "933175858973", + "arn": "arn:aws:iam::933175858973:user/christophe", + "principalId": "AIDAGTWHLUXY291EU1ZL", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-west-3r", + "eventCategory": "Management", + "eventID": "7fbcfbae-35c6-4c93-88bf-741fe4c4ada3", + "eventName": "GetParameters", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T15:26:56Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "933175858973", + "requestID": "879a4957-60a5-413d-be00-de67325a9f33", + "requestParameters": { + "names": [ + "/credentials/stratus-red-team/credentials-10", + "/credentials/stratus-red-team/credentials-13", + "/credentials/stratus-red-team/credentials-14", + "/credentials/stratus-red-team/credentials-2", + 
"/credentials/stratus-red-team/credentials-23", + "/credentials/stratus-red-team/credentials-27", + "/credentials/stratus-red-team/credentials-29", + "/credentials/stratus-red-team/credentials-33", + "/credentials/stratus-red-team/credentials-4", + "/credentials/stratus-red-team/credentials-41" + ], + "withDecryption": true + }, + "resources": [ + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-10", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-13", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-14", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-2", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-23", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-27", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-29", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-33", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-4", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-41", + "accountId": "933175858973" + } + ], + "responseElements": null, + "sourceIPAddress": "250.202.242.232", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.cn-west-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + 
"userAgent": "stratus-red-team_e1d92b9d-2488-4244-97b4-0a5e914287ba", + "userIdentity": { + "accessKeyId": "AKIAY964QRZ7YSGWGVUH", + "accountId": "933175858973", + "arn": "arn:aws:iam::933175858973:user/christophe", + "principalId": "AIDAGTWHLUXY291EU1ZL", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-west-3r", + "eventCategory": "Management", + "eventID": "d487c732-d152-48b1-9897-90b3a037040d", + "eventName": "GetParameters", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T15:26:56Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "933175858973", + "requestID": "b93b1643-c5ab-4c02-90d3-4bfa619ca186", + "requestParameters": { + "names": [ + "/credentials/stratus-red-team/credentials-0", + "/credentials/stratus-red-team/credentials-16", + "/credentials/stratus-red-team/credentials-19", + "/credentials/stratus-red-team/credentials-21", + "/credentials/stratus-red-team/credentials-24", + "/credentials/stratus-red-team/credentials-28", + "/credentials/stratus-red-team/credentials-30", + "/credentials/stratus-red-team/credentials-5", + "/credentials/stratus-red-team/credentials-8", + "/credentials/stratus-red-team/credentials-9" + ], + "withDecryption": true + }, + "resources": [ + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-0", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-16", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-19", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-21", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-24", + 
"accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-28", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-30", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-5", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-8", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-9", + "accountId": "933175858973" + } + ], + "responseElements": null, + "sourceIPAddress": "250.202.242.232", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.cn-west-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_e1d92b9d-2488-4244-97b4-0a5e914287ba", + "userIdentity": { + "accessKeyId": "AKIAY964QRZ7YSGWGVUH", + "accountId": "933175858973", + "arn": "arn:aws:iam::933175858973:user/christophe", + "principalId": "AIDAGTWHLUXY291EU1ZL", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-west-3r", + "eventCategory": "Management", + "eventID": "f1283a09-788f-4b20-8b4f-0364dce2968a", + "eventName": "DescribeParameters", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T15:26:56Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "933175858973", + "requestID": "48e17307-1cde-4161-8e06-322fa6e2aef0", + "requestParameters": { + "maxResults": 10, + "nextToken": "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" + }, + "responseElements": null, + "sourceIPAddress": "250.202.242.232", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": 
"ssm.cn-west-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_e1d92b9d-2488-4244-97b4-0a5e914287ba", + "userIdentity": { + "accessKeyId": "AKIAY964QRZ7YSGWGVUH", + "accountId": "933175858973", + "arn": "arn:aws:iam::933175858973:user/christophe", + "principalId": "AIDAGTWHLUXY291EU1ZL", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-west-3r", + "eventCategory": "Management", + "eventID": "fb5e100b-273f-4cef-98e4-efc3a52a15e9", + "eventName": "GetParameters", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T15:26:58Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "933175858973", + "requestID": "760b9a37-2498-4d32-b041-f153827bcc3e", + "requestParameters": { + "names": [ + "/credentials/stratus-red-team/credentials-12", + "/credentials/stratus-red-team/credentials-40" + ], + "withDecryption": true + }, + "resources": [ + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-12", + "accountId": "933175858973" + }, + { + "ARN": "arn:aws:ssm:cn-west-3r:933175858973:parameter/credentials/stratus-red-team/credentials-40", + "accountId": "933175858973" + } + ], + "responseElements": null, + "sourceIPAddress": "250.202.242.232", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.cn-west-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_e1d92b9d-2488-4244-97b4-0a5e914287ba", + "userIdentity": { + "accessKeyId": "AKIAY964QRZ7YSGWGVUH", + "accountId": "933175858973", + "arn": "arn:aws:iam::933175858973:user/christophe", + "principalId": "AIDAGTWHLUXY291EU1ZL", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-west-3r", + "eventCategory": "Management", + "eventID": "e77574ca-5c4f-4d99-9f3d-67cbfd04aa99", + "eventName": "DescribeParameters", + "eventSource": 
"ssm.amazonaws.com", + "eventTime": "2024-08-01T15:26:55Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "933175858973", + "requestID": "7f54e3af-2dc7-4392-8d7c-9a7f018dd1a2", + "requestParameters": { + "maxResults": 10 + }, + "responseElements": null, + "sourceIPAddress": "250.202.242.232", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.cn-west-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_e1d92b9d-2488-4244-97b4-0a5e914287ba", + "userIdentity": { + "accessKeyId": "AKIAY964QRZ7YSGWGVUH", + "accountId": "933175858973", + "arn": "arn:aws:iam::933175858973:user/christophe", + "principalId": "AIDAGTWHLUXY291EU1ZL", + "type": "IAMUser", + "userName": "christophe" + } + } +] \ No newline at end of file diff --git a/docs/detonation-logs/aws.defense-evasion.cloudtrail-delete.json b/docs/detonation-logs/aws.defense-evasion.cloudtrail-delete.json new file mode 100644 index 000000000..b2049b0ac --- /dev/null +++ b/docs/detonation-logs/aws.defense-evasion.cloudtrail-delete.json 
@@ -0,0 +1,35 @@ +[ + { + "awsRegion": "megov-westwest-1r", + "eventCategory": "Management", + "eventID": "ee73c230-44bc-4492-8542-cfb189eae287", + "eventName": "DeleteTrail", + "eventSource": "cloudtrail.amazonaws.com", + "eventTime": "2024-07-31T12:46:41Z", + "eventType": "AwsApiCall", + "eventVersion": "1.10", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "847129010505", + "requestID": "206c2187-a29f-45bf-86a2-a87d99ff7186", + "requestParameters": { + "name": "stratus-red-team-cloudtraild-trail-kvrwohmiai" + }, + "responseElements": null, + "sourceIPAddress": "08.1.250.216", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "cloudtrail.megov-westwest-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_a007fa03-86e2-4130-be03-ee7b7b10edcc", + "userIdentity": { + "accessKeyId": "AKIAFBJ48BV9CGRBRKGM", + "accountId": "847129010505", + "arn": "arn:aws:iam::847129010505:user/christophe", + "principalId": "AIDALE4EP1EPEPX3SDR8", + "type": "IAMUser", + "userName": "christophe" + } + } +] \ No newline at end of file diff --git a/docs/detonation-logs/aws.defense-evasion.cloudtrail-event-selectors.json b/docs/detonation-logs/aws.defense-evasion.cloudtrail-event-selectors.json new file mode 100644 index 000000000..e8056de38 --- /dev/null +++ b/docs/detonation-logs/aws.defense-evasion.cloudtrail-event-selectors.json 
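Review bot: The anonymized `"sourceIPAddress": "08.1.250.216"` in this event is not a valid dotted-quad — the zero-padded first octet is rejected by strict parsers (Go's `net.ParseIP`/`netip.ParseAddr` since 1.17, and many SIEM ingest pipelines), so anyone loading these detonation logs into a detection test harness will see the event dropped or the field misparsed. The same artefact appears in the dns-delete-logs hunk (`"sourceIPAddress": "251.234.045.249"`). This presumably comes from the anonymization step that rewrites IPs rather than from a real CloudTrail record, so the durable fix is to emit each synthetic octet as a plain 0–255 integer with no zero padding, which would cover every affected file at once. Until then, the two values can be normalized by hand to `"8.1.250.216"` and `"251.234.45.249"`.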
@@ -0,0 +1,71 @@ +[ + { + "awsRegion": "cn-northsouth-2r", + "eventCategory": "Management", + "eventID": "c2a89408-340a-42f0-8ace-75d9f5769393", + "eventName": "PutEventSelectors", + "eventSource": "cloudtrail.amazonaws.com", + "eventTime": "2024-07-31T12:50:02Z", + "eventType": "AwsApiCall", + "eventVersion": "1.10", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "958312252124", + "requestID": "5176273c-0497-47e9-8f4c-840b62e7fc9a", + "requestParameters": { + "eventSelectors": [ + { + "dataResources": [ + { + "type": "AWS::S3::Object", + "values": [] + }, + { + "type": "AWS::Lambda::Function", + "values": [] + } + ], + "excludeManagementEventSources": [], + "includeManagementEvents": false, + "readWriteType": "ReadOnly" + } + ], + "trailName": "stratus-red-team-ctes-trail-khlvciwdor" + }, + "responseElements": { + "eventSelectors": [ + { + "dataResources": [ + { + "type": "AWS::S3::Object", + "values": [] + }, + { + "type": "AWS::Lambda::Function", + "values": [] + } + ], + "excludeManagementEventSources": [], + "includeManagementEvents": false, + "readWriteType": "ReadOnly" + } + ], + "trailARN": "arn:aws:cloudtrail:cn-northsouth-2r:958312252124:trail/stratus-red-team-ctes-trail-khlvciwdor" + }, + "sourceIPAddress": "221.254.191.250", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "cloudtrail.cn-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_ce507fbd-078a-4e4c-975d-d80cb80df469", + "userIdentity": { + "accessKeyId": "AKIA2I0BSXU5LNRWIN0K", + "accountId": "958312252124", + "arn": "arn:aws:iam::958312252124:user/christophe", + "principalId": "AIDA3JXGLTFY4HTLVVO7", + "type": "IAMUser", + "userName": "christophe" + } + } +] \ No newline at end of file diff --git a/docs/detonation-logs/aws.defense-evasion.cloudtrail-stop.json b/docs/detonation-logs/aws.defense-evasion.cloudtrail-stop.json new file mode 100644 index 000000000..6e0a7d2f7 --- /dev/null 
+++ b/docs/detonation-logs/aws.defense-evasion.cloudtrail-stop.json @@ -0,0 +1,35 @@ +[ + { + "awsRegion": "apiso-centralnorth-2r", + "eventCategory": "Management", + "eventID": "10163ed2-2253-469d-a5ee-cbc6651f8934", + "eventName": "StopLogging", + "eventSource": "cloudtrail.amazonaws.com", + "eventTime": "2024-07-31T13:06:24Z", + "eventType": "AwsApiCall", + "eventVersion": "1.10", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "143434273843", + "requestID": "14c891b6-11b5-4787-ae97-64a974977078", + "requestParameters": { + "name": "stratus-red-team-ct-stop-trail-buykxbqejv" + }, + "responseElements": null, + "sourceIPAddress": "86.245.153.234", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "cloudtrail.apiso-centralnorth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_c97089f1-1ae3-4ecc-b006-f5e8fd0f2571", + "userIdentity": { + "accessKeyId": "AKIAGGWFBBHBE7D3M9WI", + "accountId": "143434273843", + "arn": "arn:aws:iam::143434273843:user/christophe", + "principalId": "AIDAOC1SYDVN0AF0FMMR", + "type": "IAMUser", + "userName": "christophe" + } + } +] \ No newline at end of file diff --git a/docs/detonation-logs/aws.defense-evasion.dns-delete-logs.json b/docs/detonation-logs/aws.defense-evasion.dns-delete-logs.json new file mode 100644 index 000000000..440448ea1 --- /dev/null +++ b/docs/detonation-logs/aws.defense-evasion.dns-delete-logs.json 
@@ -0,0 +1,49 @@ +[ + { + "awsRegion": "sa-central-3r", + "eventCategory": "Management", + "eventID": "ba4609ca-b420-4cb6-bdff-307729b3b7db", + "eventName": "DeleteResolverQueryLogConfig", + "eventSource": "route53resolver.amazonaws.com", + "eventTime": "2024-07-31T14:23:46Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "206821776919", + "requestID": "6dbefe3c-b575-499a-a94d-a3bda0e4009a", + "requestParameters": { + "originSequenceNumber": 0, + "resolverQueryLogConfigId": "rqlc-4473f20ca554c07" + }, + "responseElements": { + "resolverQueryLogConfig": { + "arn": "arn:aws:route53resolver:sa-central-3r:206821776919:resolver-query-log-config/rqlc-4473f20ca554c07", + "associationCount": 0, + "creationTime": "2024-07-31T14:23:44.841442289Z", + "creatorRequestId": "tf-r53-resolver-query-log-config-20240731142344425800000001", + "destinationArn": "arn:aws:s3:::stratus-red-team-dns-delete-bucket-bxxclslsdp", + "id": "rqlc-4473f20ca554c07", + "name": "stratus-red-team-dns-delete-config-bxxclslsdp", + "ownerId": "206821776919", + "shareStatus": "NOT_SHARED", + "status": "DELETING" + } + }, + "sourceIPAddress": "251.234.045.249", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "route53resolver.sa-central-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_bdd216cd-7fb9-4b18-971a-cb585947fd95", + "userIdentity": { + "accessKeyId": "AKIADT99GZBZR7NVDT0D", + "accountId": "206821776919", + "arn": "arn:aws:iam::206821776919:user/christophe", + "principalId": "AIDAKUK081EB3L71EAZV", + "type": "IAMUser", + "userName": "christophe" + } + } +] \ No newline at end of file diff --git a/docs/detonation-logs/aws.defense-evasion.organizations-leave.json b/docs/detonation-logs/aws.defense-evasion.organizations-leave.json new file mode 100644 index 000000000..c54463c1c --- /dev/null 
+++ b/docs/detonation-logs/aws.defense-evasion.organizations-leave.json 
@@ -0,0 +1,151 @@ +[ + { + "awsRegion": "euiso-south-3r", + "eventCategory": "Management", + "eventID": "099bfd30-232c-4dff-9998-3821921063ca", + "eventName": "AssumeRole", + "eventSource": "sts.amazonaws.com", + "eventTime": "2024-08-02T08:30:00Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "307578594326", + "requestID": "4ddeba69-b9da-48b8-833a-c4d75f10111e", + "requestParameters": { + "durationSeconds": 900, + "roleArn": "arn:aws:iam::307578594326:role/stratus-red-team-leave-org-role", + "roleSessionName": "aws-go-sdk-1722587398902687000" + }, + "resources": [ + { + "ARN": "arn:aws:iam::307578594326:role/stratus-red-team-leave-org-role", + "accountId": "307578594326", + "type": "AWS::IAM::Role" + } + ], + "responseElements": { + "assumedRoleUser": { + "arn": "arn:aws:sts::307578594326:assumed-role/stratus-red-team-leave-org-role/aws-go-sdk-1722587398902687000", + "assumedRoleId": "AROAHKPEEQ9BHUOX4D93T:aws-go-sdk-1722587398902687000" + }, + "credentials": { + "accessKeyId": "ASIA36EV31F1RB3OA8IG", + "expiration": "Aug 2, 2024, 8:45:00 AM", + "sessionToken": "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" + } + }, + "sourceIPAddress": "252.5.222.230", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "sts.euiso-south-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_fd969928-3c0d-4feb-bd56-34f9aee3e6eb", + "userIdentity": { + "accessKeyId": "AKIADVISM0T50G52IF0D", + "accountId": "307578594326", + "arn": "arn:aws:iam::307578594326:user/christophe", + "principalId": "AIDA7YYMW5FLWE3HGTNZ", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "euiso-south-3r", + "errorCode": "AccessDenied", + "errorMessage": "User: arn:aws:sts::307578594326:assumed-role/stratus-red-team-leave-org-role/aws-go-sdk-1722587398902687000 is not authorized to perform: organizations:LeaveOrganization on 
resource: * because no identity-based policy allows the organizations:LeaveOrganization action", + "eventCategory": "Management", + "eventID": "16903cbd-fdff-4818-82f2-d66ad09aaf57", + "eventName": "LeaveOrganization", + "eventSource": "organizations.amazonaws.com", + "eventTime": "2024-08-02T08:30:00Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "307578594326", + "requestID": "47bd7f8f-1cbf-49df-8503-7d60917e721a", + "requestParameters": null, + "responseElements": null, + "sourceIPAddress": "252.5.222.230", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "organizations.euiso-south-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_fd969928-3c0d-4feb-bd56-34f9aee3e6eb", + "userIdentity": { + "accessKeyId": "ASIA36EV31F1RB3OA8IG", + "accountId": "307578594326", + "arn": "arn:aws:sts::307578594326:assumed-role/stratus-red-team-leave-org-role/aws-go-sdk-1722587398902687000", + "principalId": "AROAHKPEEQ9BHUOX4D93T:aws-go-sdk-1722587398902687000", + "sessionContext": { + "attributes": { + "creationDate": "2024-08-02T08:30:00Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "307578594326", + "arn": "arn:aws:iam::307578594326:role/stratus-red-team-leave-org-role", + "principalId": "AROAHKPEEQ9BHUOX4D93T", + "type": "Role", + "userName": "stratus-red-team-leave-org-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "euiso-south-3r", + "eventCategory": "Management", + "eventID": "e3441619-0bf6-4818-bf18-391fb65ba98e", + "eventName": "AssumeRole", + "eventSource": "sts.amazonaws.com", + "eventTime": "2024-08-02T08:29:59Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "307578594326", + "requestID": "0af9d3b8-6911-407f-a3e7-b54c4e36e41c", + "requestParameters": { + "durationSeconds": 900, + 
"roleArn": "arn:aws:iam::307578594326:role/stratus-red-team-leave-org-role", + "roleSessionName": "aws-go-sdk-1722587398902687000" + }, + "resources": [ + { + "ARN": "arn:aws:iam::307578594326:role/stratus-red-team-leave-org-role", + "accountId": "307578594326", + "type": "AWS::IAM::Role" + } + ], + "responseElements": { + "assumedRoleUser": { + "arn": "arn:aws:sts::307578594326:assumed-role/stratus-red-team-leave-org-role/aws-go-sdk-1722587398902687000", + "assumedRoleId": "AROAHKPEEQ9BHUOX4D93T:aws-go-sdk-1722587398902687000" + }, + "credentials": { + "accessKeyId": "ASIAMOWPWQJ1QHWCWJXJ", + "expiration": "Aug 2, 2024, 8:44:59 AM", + "sessionToken": "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" + } + }, + "sourceIPAddress": "252.5.222.230", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "sts.euiso-south-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_fd969928-3c0d-4feb-bd56-34f9aee3e6eb", + "userIdentity": { + "accessKeyId": "AKIADVISM0T50G52IF0D", + "accountId": "307578594326", + "arn": "arn:aws:iam::307578594326:user/christophe", + "principalId": "AIDA7YYMW5FLWE3HGTNZ", + "type": "IAMUser", + "userName": "christophe" + } + } +] \ No newline at end of file diff --git a/docs/detonation-logs/aws.defense-evasion.vpc-remove-flow-logs.json b/docs/detonation-logs/aws.defense-evasion.vpc-remove-flow-logs.json new file mode 100644 index 000000000..b449b9770 --- /dev/null +++ b/docs/detonation-logs/aws.defense-evasion.vpc-remove-flow-logs.json 
@@ -0,0 +1,46 @@ +[ + { + "awsRegion": "megov-south-1r", + "eventCategory": "Management", + "eventID": "ded2f5af-f3a5-46d2-a170-a23206a32c36", + "eventName": "DeleteFlowLogs", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-31T15:07:49Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "498376118699", + "requestID": "96d51d7f-c18d-45b9-8315-9aa0fde21e88", + "requestParameters": { + "DeleteFlowLogsRequest": { + "FlowLogId": { + "content": "fl-0e17aa62a21d4bbfe", + "tag": 1 + } + } + }, + "responseElements": { + "DeleteFlowLogsResponse": { + "requestId": "96d51d7f-c18d-45b9-8315-9aa0fde21e88", + "unsuccessful": "", + "xmlns": "http://ec2.amazonaws.com/doc/2016-11-15/" + } + }, + "sourceIPAddress": "206.90.1.223", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.megov-south-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5d25952b-37cb-46cc-a135-3407cbbca7bf", + "userIdentity": { + "accessKeyId": "AKIA5Q8Z0GHOBYSEN9D6", + "accountId": "498376118699", + "arn": "arn:aws:iam::498376118699:user/christophe", + "principalId": "AIDACKW2I5F25HSI3O4J", + "type": "IAMUser", + "userName": "christophe" + } + } +] \ No newline at end of file diff --git a/docs/detonation-logs/aws.discovery.ec2-download-user-data.json b/docs/detonation-logs/aws.discovery.ec2-download-user-data.json new file mode 100644 index 000000000..f88eeb01c --- /dev/null +++ b/docs/detonation-logs/aws.discovery.ec2-download-user-data.json 
@@ -0,0 +1,892 @@ +[ + { + "awsRegion": "apiso-westcentral-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::751353041310:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000 is not authorized to perform: ec2:DescribeInstanceAttribute on resource: arn:aws:ec2:apiso-westcentral-3r:751353041310:instance/* because no identity-based policy allows the ec2:DescribeInstanceAttribute action. Encoded authorization failure message: K2-zhDkMqUq-g9q-R4ks6tltFzD63SUSxwKCTu5riJZoSD2q1xthgx-uUJ0ES-JqWPLhTUEHsklWqMDa1NqCV9zjmM_HU5bzubi61HQEvxzFcppL-MtX639POzt6cD5-pTLVsUW6YAT9JzLX4c4Afn3rPb-F9HrcqUBa8P9MXv5BtTbvfHYYeLuFbf8LOS3b2v6c_Mytt7ag-xgRM54brHGy3Esp0JNbejXPCvlzvkmtppUxCs-Sq561B4o7P89gymFqqIY10tNagPMAiM7JVhidM_NzBCkF1Q3XvOw7BTrBnXT5v-g7oadbGoZ1vVe_QsoZwDTQqWAF5zniUgu89LFxiUuEZhpeirUGnTZbkIubQ4J6OCDsCmO1lDz521qUfqpthJ9M5MzznWoYyXb-Ht38YTD81mWbq1dak2t4st3uQUfNZnhbSZkA7a7D5JlgAKkoG6DXplVL-ll78WgVcAKcwSJZ29wp1SE3U6zJ09Sz6ZEuSbeIbm2nyyYYCcTQoSNBU6qK08r_L_2qSiai_DYSh_HLspQtX4OwyPdtbJjAXrlPydgBY2lmniJvZ0nKv-zTzzk", + "eventCategory": "Management", + "eventID": "4839af5e-7b6a-4353-a5ef-41febc9a9fa8", + "eventName": "DescribeInstanceAttribute", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-31T19:52:37Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "321848314756", + "requestID": "d5c299e1-afd0-464f-92d7-8219b597c93b", + "requestParameters": { + "attribute": "userData", + "instanceId": "i-95b86090" + }, + "responseElements": null, + "sourceIPAddress": "255.18.064.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-westcentral-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_f193d7d4-8114-40ff-acc9-a123d5463ff3", + "userIdentity": { + "accessKeyId": "ASIA4URVX2JM5MT0ZGK8", + "accountId": 
"321848314756", + "arn": "arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000", + "principalId": "AROAUF4S4NNXFP6WTHD73:aws-go-sdk-1722455550269043000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-31T19:52:33Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "321848314756", + "arn": "arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "principalId": "AROAUF4S4NNXFP6WTHD73", + "type": "Role", + "userName": "stratus-red-team-get-usr-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-westcentral-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000 is not authorized to perform: ec2:DescribeInstanceAttribute on resource: arn:aws:ec2:apiso-westcentral-3r:321848314756:instance/* because no identity-based policy allows the ec2:DescribeInstanceAttribute action. 
Encoded authorization failure message: _AfGAKvvBmg1J3PRHkFjzWBCMkRgqZE3AD1OiUgYd6dVN4yRyc0XzZpxeYj1vesLCnaLrBmg3nMtcSfn6ymrP4eQibOdrpNv7x4GdFBzcg6H1jchddomWF3ZbTJLKGrzD_9ygAKiyk-mB_W1pK7UfIbjZ0CLgrxJW2fgNBZp1KzZDvT7gqpI9v4h3oip_Cs_oE_Cb__1O7IthlNNfbyOBPe_E9J8bpqWMD7_IRdcnNkbprGQQ-U794zyAVVcuAm29HZBUE4MFgslthGmi5_EZtYnAz6qbT6kc9gl0ilBJiVeJ_iru-ySGXONW_OauI9u_TLGk2TRbDwuAyl5t6UXVZgmVcRx6-OOfz1rn2FCbeW1u5pbWnGCxJgmFUDOOQZOR3dJX-oRCbfgvI-kKnDYmHPF2xTks_v56oFzhrONpxzDMUosZiumPm9lP5bPCXQSkuLxE4wFFA8WGTw2KSGJC-Imzy1ia6JXXb2g3Yzsk7uyy8Xs3ylGgclmmGG8ktNHsOctUcYY5lFKDlZXeo6Y-LWYP8s2o42sOvoSoHvYyXIY_oFveAN0TfUemD3JMYM5CDQwX-E", + "eventCategory": "Management", + "eventID": "5a44c114-2692-4701-bc09-faeb3f49b56d", + "eventName": "DescribeInstanceAttribute", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-31T19:52:37Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "321848314756", + "requestID": "712cd928-14d7-4783-ba9b-bfff98219325", + "requestParameters": { + "attribute": "userData", + "instanceId": "i-3753597f" + }, + "responseElements": null, + "sourceIPAddress": "255.18.064.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-westcentral-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_f193d7d4-8114-40ff-acc9-a123d5463ff3", + "userIdentity": { + "accessKeyId": "ASIA4URVX2JM5MT0ZGK8", + "accountId": "321848314756", + "arn": "arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000", + "principalId": "AROAUF4S4NNXFP6WTHD73:aws-go-sdk-1722455550269043000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-31T19:52:33Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "321848314756", + "arn": "arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "principalId": "AROAUF4S4NNXFP6WTHD73", + "type": 
"Role", + "userName": "stratus-red-team-get-usr-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-westcentral-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000 is not authorized to perform: ec2:DescribeInstanceAttribute on resource: arn:aws:ec2:apiso-westcentral-3r:321848314756:instance/* because no identity-based policy allows the ec2:DescribeInstanceAttribute action. Encoded authorization failure message: CPSSB4ODNNOXUXPaXrznW3jKaCViA5XJMIUfCdSr164Zl3rE4DaIvafRfxiNtM46GP9iOKo5UQuOJ8nl6LXDOBAipo-vFaNrFkI7kAh_9jW19q9-7L5rpv5xSSIcB8jrfrgwB966zc8KtjgTgXrE3oxkbTg60LCkPNlkWMjDaznlKQQHLJDNXu7E83sS3FIfZoBXiLuehqa-AYNeFIPMQIYcBpLGmGvPni-9EVG80mMZ4HdNtQa2aMKOUBfwXZisVmbyO2qGwPjfjVSgAJGX8wUVt4Uz8St_4O8hdL7RwQyJ-BrzTHQbt3ZzYXiet-nrKYwA8l5oIGsP7Hy9tSmnEUANWpZmboAkNc6qbxl1qfnfDxz-m80momRyAGFt7gBULvvnkYRiLJm-SQdm7dQFTbjpAUbjGA0aICT5k4KOLwQqR1iTm18jmA4NVWnAj0deEwdd46DkoI_-plbo6kpeSUD7NO1T2d_eLFOVRkha7G-fRiCaFDy2qRlBFaCd2RzEBce3UY5FG_QTn4jyWBZS0a6e2lwLpZcSuJ7wtOVGNRl8jV74VfybC60jV-XD82vjULLfdE7y", + "eventCategory": "Management", + "eventID": "0a4a4ee3-b1a7-4194-ab60-7465b4d5216e", + "eventName": "DescribeInstanceAttribute", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-31T19:52:36Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "321848314756", + "requestID": "59750908-8c42-4c10-b565-3427a5c9e8a2", + "requestParameters": { + "attribute": "userData", + "instanceId": "i-751e5b81" + }, + "responseElements": null, + "sourceIPAddress": "255.18.064.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-westcentral-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": 
"stratus-red-team_f193d7d4-8114-40ff-acc9-a123d5463ff3", + "userIdentity": { + "accessKeyId": "ASIA4URVX2JM5MT0ZGK8", + "accountId": "321848314756", + "arn": "arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000", + "principalId": "AROAUF4S4NNXFP6WTHD73:aws-go-sdk-1722455550269043000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-31T19:52:33Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "321848314756", + "arn": "arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "principalId": "AROAUF4S4NNXFP6WTHD73", + "type": "Role", + "userName": "stratus-red-team-get-usr-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-westcentral-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000 is not authorized to perform: ec2:DescribeInstanceAttribute on resource: arn:aws:ec2:apiso-westcentral-3r:321848314756:instance/* because no identity-based policy allows the ec2:DescribeInstanceAttribute action. 
Encoded authorization failure message: CjrZQ3pjS8x41gRyVn1El8FK6p765IxIXyIqQRnIB_SfDAGSUpbxge9vshA3ll1RroDdvQSdsdV__Xg2WwzBoNuv7u-jnHv1H7K30GWcpYF459-XWgJX4dd7UpPYSbTER8yyz5EbkruXWoraLEsZEumgrAOhXqvBx9LdOgNlXcVn3KpofAndVdHt2qdkuQWBBtOMUTWfwg5S7MPZXrH3vcLaFiZ07n5FYJvrkInHNs1loQmLLWaTVnxOCqZjrdyhInF_ziEIFJnK4JAwkgeryGhNJN7KybjAbV80CVX6DazJ95aPze_8cqSBp2aPnBnaMUe4ftxFxOhglU6zXysDVeGSvwuKhFVJ5xxsZCAz4oUu9KWwdZx1_ufKxNkYWFVCv5cMbOyUeakUjFDalwpZYtCMW-Yi4wM6lR7uGA4uD_e2MnpAgXXnpQGnVz9-LQh_x2ceMDhkYjNq8omKnsUKDwYzIXrpzlz28T7iIlDg1CPoIKT1iQnCt6KP7RhciyEcuIHVCNtdB146CSNzdBVYUuTIfHp7pWsYUaFQXzeZpoqeNXBynb_LGlYexwGaq9ozpr5XgaU", + "eventCategory": "Management", + "eventID": "962d6fc2-b79e-4d8a-a7ab-36d72048c12e", + "eventName": "DescribeInstanceAttribute", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-31T19:52:36Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "321848314756", + "requestID": "8fa1c8fd-196a-4fbd-bab1-75f7c3e81de2", + "requestParameters": { + "attribute": "userData", + "instanceId": "i-df55c340" + }, + "responseElements": null, + "sourceIPAddress": "255.18.064.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-westcentral-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_f193d7d4-8114-40ff-acc9-a123d5463ff3", + "userIdentity": { + "accessKeyId": "ASIA4URVX2JM5MT0ZGK8", + "accountId": "321848314756", + "arn": "arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000", + "principalId": "AROAUF4S4NNXFP6WTHD73:aws-go-sdk-1722455550269043000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-31T19:52:33Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "321848314756", + "arn": "arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "principalId": "AROAUF4S4NNXFP6WTHD73", + "type": 
"Role", + "userName": "stratus-red-team-get-usr-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-westcentral-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000 is not authorized to perform: ec2:DescribeInstanceAttribute on resource: arn:aws:ec2:apiso-westcentral-3r:321848314756:instance/* because no identity-based policy allows the ec2:DescribeInstanceAttribute action. Encoded authorization failure message: ykssQBy7g1b7unmht52qJO9GqEuM9SZROkjhaP7a_XsSBjG5Sj0icyonTNZIsy7CQRd_hLUQNCGqq3oF2OfoVKGcZLCBe68vuBxZntrptcrIhXwHSuMadTIFiNo30KKEarrAdzXZGrjX9uVnR4CwRkYCqW-SjaKcGzXNen6kBffzqgwxqarePx8N-ogghgLxQ6BTIvOUmVV65LGkHYpfusv6nWqPrEqjg3DCHFD_hhs28eDHzWhwoly3mNff07K03YrFo9_l0gRPb1BTO7RBj2i__rbMeIFeZhnCy-8durAXqvCJ7MI4qEBh_hV6kpaJWV498NsGquTz6TOcY40En74o0novX2014oalF8bBqB8ZMGNGngBP_Dfomt_9g7hQGE6xH9eB9c_96CsB4BVw_hhMtzsKbLej201KxqoVh92RqDhFB3xldQh-TZ-IqxAHdRZKcdaLSFUCqUihk-eguiHfDWPT7QsmDZajE2A0-JiaXzGbadVofCb6dDQ8_KzbbMh2QKXltTW6XpbhKhaEaaTjQ_LTHdLLkirn2ft5vDCR4_uQWbqEV1FJI-Vtup2WB6GGFTM", + "eventCategory": "Management", + "eventID": "12b3736b-a8c7-4eaf-ae84-fa8dab5b5503", + "eventName": "DescribeInstanceAttribute", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-31T19:52:35Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "321848314756", + "requestID": "e9ac818a-e92c-4782-a26f-feb5555f1fe9", + "requestParameters": { + "attribute": "userData", + "instanceId": "i-36d80d67" + }, + "responseElements": null, + "sourceIPAddress": "255.18.064.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-westcentral-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": 
"stratus-red-team_f193d7d4-8114-40ff-acc9-a123d5463ff3", + "userIdentity": { + "accessKeyId": "ASIA4URVX2JM5MT0ZGK8", + "accountId": "321848314756", + "arn": "arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000", + "principalId": "AROAUF4S4NNXFP6WTHD73:aws-go-sdk-1722455550269043000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-31T19:52:33Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "321848314756", + "arn": "arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "principalId": "AROAUF4S4NNXFP6WTHD73", + "type": "Role", + "userName": "stratus-red-team-get-usr-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-westcentral-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000 is not authorized to perform: ec2:DescribeInstanceAttribute on resource: arn:aws:ec2:apiso-westcentral-3r:321848314756:instance/* because no identity-based policy allows the ec2:DescribeInstanceAttribute action. 
Encoded authorization failure message: 3BD0zHY48CigR_ciFcRG14BzmH5vjQrT-QTgTppJiQ3ZWC5ZrnHzJJLNt4ddkfgHxuYlLAVYKkaY115GgvVQDWwjFH-cPsWOJc2G_a4GTJ8Znbv1aOkjTIKXYzxbO_KUS2szny9byykTkZ_SC41D-EENTd_WSdnuJGHuPghJOQzfd0D8PHoDLjObbikjQ4vfq1ewNinQXSZLNSoGs3DT0WikHe2uDVAaFHSwycFW8Bdp5y4bPVs-r6GxzoXN2JnEBxNUm7qtukD4J9-ymKfMtQwuLTcbjzb6r1gN5Jis_qDejUThSYK320IsCPJR9iR47yRyoS2Kuti6WhZ4CUjXv1-UhJpymDcM_g5i_NLQfnSy-T9qYXlj5kGSz_N9zF6jh0ZfmDsFyV_Avwov7bw6Jlgv922-ytF655M3skjZ31gf3-FScjt_sCzuKiaLTtHeSaZi4vTsHXtD-Gfl0W_BcZxTJeeJhuCzGyiLAhyXjIulmp4eWwuvBhuwPpkXIEbakpJ-pqx-rQVK9yp3NeqynD7tWeMtGQhiPl4lT1SsC1PBmJylWEimo560OKrRccI2JyXwKRE", + "eventCategory": "Management", + "eventID": "b6ed03db-7300-48b3-bdf4-b778a5c3e5a4", + "eventName": "DescribeInstanceAttribute", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-31T19:52:35Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "321848314756", + "requestID": "eea398fe-73d9-4393-ba25-ffe91a6858d1", + "requestParameters": { + "attribute": "userData", + "instanceId": "i-2c3565b4" + }, + "responseElements": null, + "sourceIPAddress": "255.18.064.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-westcentral-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_f193d7d4-8114-40ff-acc9-a123d5463ff3", + "userIdentity": { + "accessKeyId": "ASIA4URVX2JM5MT0ZGK8", + "accountId": "321848314756", + "arn": "arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000", + "principalId": "AROAUF4S4NNXFP6WTHD73:aws-go-sdk-1722455550269043000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-31T19:52:33Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "321848314756", + "arn": "arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "principalId": "AROAUF4S4NNXFP6WTHD73", + "type": 
"Role", + "userName": "stratus-red-team-get-usr-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-westcentral-3r", + "eventCategory": "Management", + "eventID": "cf589cd4-9633-4cc6-9b5c-c74f5a735fa5", + "eventName": "AssumeRole", + "eventSource": "sts.amazonaws.com", + "eventTime": "2024-07-31T19:52:33Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "321848314756", + "requestID": "01d3746c-667c-4cf6-a149-fa51a50c2024", + "requestParameters": { + "durationSeconds": 900, + "roleArn": "arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "roleSessionName": "aws-go-sdk-1722455550269043000" + }, + "resources": [ + { + "ARN": "arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "accountId": "321848314756", + "type": "AWS::IAM::Role" + } + ], + "responseElements": { + "assumedRoleUser": { + "arn": "arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000", + "assumedRoleId": "AROAUF4S4NNXFP6WTHD73:aws-go-sdk-1722455550269043000" + }, + "credentials": { + "accessKeyId": "ASIA74KS09ZFFBFV9E6K", + "expiration": "Jul 31, 2024, 8:07:33 PM", + "sessionToken": 
"IQoJb3JpZ2luX2VjEHwaCWV1LXdlc3QtMSJIMEYCIQCmhF6hCfgQLCpXs5BNl3rezFcbOnrGHnQQ2xB6Eq34EAIhAJ746oP8DFnMU4kXsp422uImBq/EJapr8M+mHdV1DiEhKqsCCGUQARoMNzUxMzUzMDQxMzEwIgyczM9FaW3yVZowQgYqiAJOiTvzjvenlc5TP/18RaNfoLXOEaHfdV/MFZYEk1kiPd484q+NXdLe5qUO1aCJul9Mqb8UcGm+3c0E30UgDEhZPuxHiYxJMh3YOl1sDL+lz1KlqzFvgwsnz/iK0hDTZJRsiVzlxC0+vZDO4zW/GeT00JaqvbL/ES9DUMpoeTYJP4IAC5kmKvaSQhOyUz3VrJil/ieY2yZJ8Rwys6ogwpyVW3qtjFn89U45gRQspXslHzw/agwq419KfqSCVhQo4eBdN8sxuPbtwNI2/2Jgm3dd1ar5bb5oukFGnFGqXGuloeJzKmIjvBEpLfI5S1ZpAZp10fQdTfCj9VSdtGt4to1q5l11NaTgyiowgayqtQY6nAFxeUTuFIMlUZNzZE9Zz+FK0cBpajKVxmCQ5VQZQopSB5eVyTadj52jy5eO0LBwmgBPebBOUU60m8aOaiSRmQQOgld7X0B0xJSWVtb7yGyH686vUQM1xIVAg3aCUTObuzPv0ku4fyksvv5SFXxCxT4N8x46PlYONgq3h4T42KeOii1slPrqf47Kkjic8Mx5ZbuGUEeVkWhQodhpn2g=" + } + }, + "sourceIPAddress": "255.18.064.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "sts.apiso-westcentral-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_f193d7d4-8114-40ff-acc9-a123d5463ff3", + "userIdentity": { + "accessKeyId": "AKIAMJ2320ZAXACWCPJI", + "accountId": "321848314756", + "arn": "arn:aws:iam::321848314756:user/christophe", + "principalId": "AIDA2Q68JMYYLLXFIRZ7", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "apiso-westcentral-3r", + "eventCategory": "Management", + "eventID": "eebae605-3664-4560-a248-17d33f9ef6ef", + "eventName": "AssumeRole", + "eventSource": "sts.amazonaws.com", + "eventTime": "2024-07-31T19:52:33Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "321848314756", + "requestID": "bf358b35-961d-4c8b-bcfd-82b647eb825c", + "requestParameters": { + "durationSeconds": 900, + "roleArn": "arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "roleSessionName": "aws-go-sdk-1722455550269043000" + }, + "resources": [ + { + "ARN": 
"arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "accountId": "321848314756", + "type": "AWS::IAM::Role" + } + ], + "responseElements": { + "assumedRoleUser": { + "arn": "arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000", + "assumedRoleId": "AROAUF4S4NNXFP6WTHD73:aws-go-sdk-1722455550269043000" + }, + "credentials": { + "accessKeyId": "ASIA4URVX2JM5MT0ZGK8", + "expiration": "Jul 31, 2024, 8:07:33 PM", + "sessionToken": "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" + } + }, + "sourceIPAddress": "255.18.064.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "sts.apiso-westcentral-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_f193d7d4-8114-40ff-acc9-a123d5463ff3", + "userIdentity": { + "accessKeyId": "AKIAMJ2320ZAXACWCPJI", + "accountId": "321848314756", + "arn": "arn:aws:iam::321848314756:user/christophe", + "principalId": "AIDA2Q68JMYYLLXFIRZ7", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "apiso-westcentral-3r", + "errorCode": "AccessDenied", + "errorMessage": "User: arn:aws:iam::321848314756:user/christophe is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "eventCategory": "Management", + "eventID": "4cf5dad6-648f-48eb-85a7-6181c5d79424", + "eventName": "AssumeRole", + "eventSource": "sts.amazonaws.com", + "eventTime": "2024-07-31T19:52:31Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "321848314756", + "requestID": "4707e217-520c-4854-833e-179f3607230a", + "requestParameters": null, + "responseElements": null, + "sourceIPAddress": "255.18.064.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "sts.apiso-westcentral-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + 
}, + "userAgent": "stratus-red-team_f193d7d4-8114-40ff-acc9-a123d5463ff3", + "userIdentity": { + "accessKeyId": "AKIAMJ2320ZAXACWCPJI", + "accountId": "321848314756", + "arn": "arn:aws:iam::321848314756:user/christophe", + "principalId": "AIDA2Q68JMYYLLXFIRZ7", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "apiso-westcentral-3r", + "errorCode": "AccessDenied", + "errorMessage": "User: arn:aws:iam::321848314756:user/christophe is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "eventCategory": "Management", + "eventID": "67fa9341-bd06-4ceb-a8b8-6815522b5a1b", + "eventName": "AssumeRole", + "eventSource": "sts.amazonaws.com", + "eventTime": "2024-07-31T19:52:31Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "321848314756", + "requestID": "13c6f460-608a-487b-82df-9ad531b39a6f", + "requestParameters": null, + "responseElements": null, + "sourceIPAddress": "255.18.064.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "sts.apiso-westcentral-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_f193d7d4-8114-40ff-acc9-a123d5463ff3", + "userIdentity": { + "accessKeyId": "AKIAMJ2320ZAXACWCPJI", + "accountId": "321848314756", + "arn": "arn:aws:iam::321848314756:user/christophe", + "principalId": "AIDA2Q68JMYYLLXFIRZ7", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "apiso-westcentral-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. 
User: arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000 is not authorized to perform: ec2:DescribeInstanceAttribute on resource: arn:aws:ec2:apiso-westcentral-3r:321848314756:instance/* because no identity-based policy allows the ec2:DescribeInstanceAttribute action. Encoded authorization failure message: LB7cA78q30t1tPsWTMLmstV2qcxGVIDbeIQlzeLa9H7MPbjgPAHNoi51kZZmZ33zYw4qbgTCuvrDtE0vGEZRfg3WOLD6RjgUu-S9h-hnkY4DsAaweKHsmLzpRYc1iZ69Re7Yghrc9uua92glqVFHOCjGSYgk3RuA6BTQMfJxYEc4Y1LVk-NXUEWwPki_ubaTquUUHUudZbS6yRuyUInvSIMlA6t1P3Adv0uKpnPCPjdJ9oeF8x7i3oL0WuSx7QVWW_p4fX5teDwqmm_O6wHslKfrCBaD56so68LXhYb1OoeTFsh5AmPX_jN5y_Xk7b5jdm-LmTNtmslSZ6Kaz30ThcPPsInsmOQYgrPeOCOixVHoKbedfYIb8V-KZsKhsryeFg5ap1Xo64XepKfWPEY2WsLWZpgOAJ6n9mlq6qVzsXb7XOvJ-rtaX4e6nRJczkf5oA3NCnKpUHckI0SW6mv0IeSmE79YKnD22mJ0Jk1mWQmu6Ojs03ijwK4bZAJ7KqgFd9OiGBiQHiYCYqLR6jhjr5Iw9z4r9Zu-Rk3L50nZ8Yodj9prBWQuGPapLAN-2zExiOPr3JI", + "eventCategory": "Management", + "eventID": "971a0ce7-1f66-4dba-918d-cd2a5b12ebe5", + "eventName": "DescribeInstanceAttribute", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-31T19:52:38Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "321848314756", + "requestID": "1d4bd0bb-0761-4c4e-9cf3-60eb78dc69be", + "requestParameters": { + "attribute": "userData", + "instanceId": "i-eacdbb0b" + }, + "responseElements": null, + "sourceIPAddress": "255.18.064.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-westcentral-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_f193d7d4-8114-40ff-acc9-a123d5463ff3", + "userIdentity": { + "accessKeyId": "ASIA4URVX2JM5MT0ZGK8", + "accountId": "321848314756", + "arn": "arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000", + "principalId": 
"AROAUF4S4NNXFP6WTHD73:aws-go-sdk-1722455550269043000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-31T19:52:33Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "321848314756", + "arn": "arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "principalId": "AROAUF4S4NNXFP6WTHD73", + "type": "Role", + "userName": "stratus-red-team-get-usr-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-westcentral-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000 is not authorized to perform: ec2:DescribeInstanceAttribute on resource: arn:aws:ec2:apiso-westcentral-3r:321848314756:instance/* because no identity-based policy allows the ec2:DescribeInstanceAttribute action. Encoded authorization failure message: VUo9HEgnkqejRmwZ981TtFTVCu8SFtMJJcOgZYlCFTsJTpYwp7FVaiOvMufhCY1iszVV-5YVWpcFtyZ3ygwVzqbJ4QStjDU_R92FtZMlO5oO-l-XVgaf8Z5JuyUs1ulVWrY25HY3Kt2L08win1DK-vtsE8-b4Ewe2-tDlTBHmKiR8mfUD3BO_fH73yhWkLoDD1s0Pa4hKv3auv5jGd-564yRXr0Rx_IGTFoi2hBTs5VN9-MQOc8VUlw-RMyZu-YT-dRajZ9TdH3VRvyGzLKuhrcu-fwBcXhUaHR99Z5HvPiQjRpvkMb9lth6oMpkMaZenHwm67D8l2xDca6-2GTMLatZbJZO43gibKowBQPku1aX_ji7KwMjK4qec-p0pwexuc7wfaxiej9lqGg3P0Zhf2Zv8wq_5mj0IP9oWc_RwS_MIWxMtYQ_oMfn5qd6w9DkGxikX0H0VvG5sGdwv6QYr9BJHPmJRqy6vb6RK9N9t3ZTdm8NqJGlInmdKYwXEWvyaPofwoj-BhZhfuDYXyMOgDBaA6aOncL3_H3kQsV0YWvAqIZiGQsjb8ivWAnY0MpPYK_69_c", + "eventCategory": "Management", + "eventID": "0ee61554-ac1d-4c40-abde-2ff51473f180", + "eventName": "DescribeInstanceAttribute", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-31T19:52:35Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "321848314756", + "requestID": "c32c0316-5ddb-441a-bbdb-aaf2a6b9e44f", + "requestParameters": { + 
"attribute": "userData", + "instanceId": "i-66a17941" + }, + "responseElements": null, + "sourceIPAddress": "255.18.064.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-westcentral-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_f193d7d4-8114-40ff-acc9-a123d5463ff3", + "userIdentity": { + "accessKeyId": "ASIA4URVX2JM5MT0ZGK8", + "accountId": "321848314756", + "arn": "arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000", + "principalId": "AROAUF4S4NNXFP6WTHD73:aws-go-sdk-1722455550269043000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-31T19:52:33Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "321848314756", + "arn": "arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "principalId": "AROAUF4S4NNXFP6WTHD73", + "type": "Role", + "userName": "stratus-red-team-get-usr-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-westcentral-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000 is not authorized to perform: ec2:DescribeInstanceAttribute on resource: arn:aws:ec2:apiso-westcentral-3r:321848314756:instance/* because no identity-based policy allows the ec2:DescribeInstanceAttribute action. 
Encoded authorization failure message: uOFPYQO23u4TQn2JQmg4tRDYkzz74KyWtOKizw8XEkx3-OWmistPtzU2fOb6WQoI3PW7pMHipebgFskL2-k__VUGSdmyNRkCBGyz4YAIBQ_aFO_WZZ5qC2FPxzQEtb6EB34yQ4Blutwafq-hERt2vxzyyVWU2sg7vZB-ydJSYkpb5vClj5OY0qTANhe58P7DtwcGhfrusetkwZ6Qyk52M3ctvCVHeFg-dPU5fFit7Tn9HmsQ7D9zCB-_vHErBqOl497_y-gXeRCdaO7brcVkZerWLQtbpSKWy9_i0WT1SvwQ4-cGbVvKinApvGtdYT-WlvrV3DWyPhdQzbSQJru8yQKAwmp4vshdSjvQ8T4B5VjdqOuflOsRuciuOrF_o_ZKiQYDOXrrAI-Mkd9LNCvwe-DAS60EUV1wQDFFJEXWg4e2_AX1IB5G0LQwbARXBoYrK4tZe5SY_aNp-vePaCjUDkvM7SXdSiMc2NCxSrRd7QVUdgp8uH2iHelrO_g2c9N5Yk6B5rdqVOIeVziuR575r9U2slnzaS_VDgAiAKekNsqltWp_cw5RPQqUBU6w_H0Le9wevYM", + "eventCategory": "Management", + "eventID": "3178929b-eb35-4a1b-b479-de1ca5187fb9", + "eventName": "DescribeInstanceAttribute", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-31T19:52:35Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "321848314756", + "requestID": "1b702f59-5907-4faf-9f33-a187407f03c3", + "requestParameters": { + "attribute": "userData", + "instanceId": "i-4cb766e5" + }, + "responseElements": null, + "sourceIPAddress": "255.18.064.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-westcentral-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_f193d7d4-8114-40ff-acc9-a123d5463ff3", + "userIdentity": { + "accessKeyId": "ASIA4URVX2JM5MT0ZGK8", + "accountId": "321848314756", + "arn": "arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000", + "principalId": "AROAUF4S4NNXFP6WTHD73:aws-go-sdk-1722455550269043000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-31T19:52:33Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "321848314756", + "arn": "arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "principalId": "AROAUF4S4NNXFP6WTHD73", + "type": 
"Role", + "userName": "stratus-red-team-get-usr-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-westcentral-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000 is not authorized to perform: ec2:DescribeInstanceAttribute on resource: arn:aws:ec2:apiso-westcentral-3r:321848314756:instance/* because no identity-based policy allows the ec2:DescribeInstanceAttribute action. Encoded authorization failure message: Enl2ZFI8qzZz7FJbafChbyrAXg2YIjHajQvck025ERtfChE6SPPSWQgqVtk3hlhPmmXtygl2topFTLBMetoZpEkbrp12Jmy_tJvy8coKgQvYNRbwgexE1sgGHrFIR8lN-4kQFN8DwhrHJpJEnktXjp3resU01Or6e_LFeuTG64mgJd3586EywcHHGevMRLvK05jO0RMJqsg6b0cmKYpRUv2FxOKJhMCgGsiP4DhL3XGcXpfGKJ7HZnPG75uExMS35jH5ct2jTai8FEXolH0REk3zkQ5-siB6c-ZTim-4kzEf8NlVS5WMz4y224S-uZfzVCJF5V1tlpAAAcVDqXcCPPYnvDFCrAEvSHwVbz_J-4b0PsIwup0JrQjvO-Y_PCAlmEGdKqnjE6ByjPJ8t_kJ-1DbTZoQyBYxk9iy17MtSogtNbvheLUVRiWUfbFu-PGFNRrbsQLMveCKFWyDxohCcSIrt8wFZiHiW3GtSGcZEPGyIkx8J70WeW43xOdi2kqy2Qpy9IqDpI76QhdyOrq1I3w2mno52gIZ8DMcjteDEjpvpAVjBYQ7V61LAeV6sjkBlreXHcw", + "eventCategory": "Management", + "eventID": "66ffee8d-1866-43f6-b17e-4ffe3ddf8503", + "eventName": "DescribeInstanceAttribute", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-31T19:52:35Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "321848314756", + "requestID": "e58d7e06-a5eb-4a74-b8cd-d6f340b93b8f", + "requestParameters": { + "attribute": "userData", + "instanceId": "i-346d369e" + }, + "responseElements": null, + "sourceIPAddress": "255.18.064.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-westcentral-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": 
"stratus-red-team_f193d7d4-8114-40ff-acc9-a123d5463ff3", + "userIdentity": { + "accessKeyId": "ASIA4URVX2JM5MT0ZGK8", + "accountId": "321848314756", + "arn": "arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000", + "principalId": "AROAUF4S4NNXFP6WTHD73:aws-go-sdk-1722455550269043000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-31T19:52:33Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "321848314756", + "arn": "arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "principalId": "AROAUF4S4NNXFP6WTHD73", + "type": "Role", + "userName": "stratus-red-team-get-usr-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-westcentral-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000 is not authorized to perform: ec2:DescribeInstanceAttribute on resource: arn:aws:ec2:apiso-westcentral-3r:321848314756:instance/* because no identity-based policy allows the ec2:DescribeInstanceAttribute action. 
Encoded authorization failure message: vdeCm58kZaHVcu0-M4yWQZUpPdeSvQM-HOZwlDrMda0wvu4tI52g4nlMc0Rr-8BzALqkpYMuU5gfkKjRboEAzaWBoLGR-MNnaDfrQoZRMHXd96e10UDh-IWDRcWvUGoS29l674DRl_WTDfwz5b021AAGHfMZS9NU1CXWZT3XvniJW0Q14EAovh_9HRYT0aQQqTBiF7M3KmaTaY4u1bCufp8Dx5zVbauuOnMDlXVAJhGHbSFCF8-ZzlK0D4kfdFboZSbIquw7xaMxjqD9LTBjl2K1g_2858Z41gZo4Km4lkjTPWXpoJtyYc3Fz3YSglZCutzv0CfWlDNziCj2SRPJeU0Y3Pro30Hczj_Z_knNWTauA_xr19CHjDRpmjab_BFA263eRFGZsZCFQXf1xlZBFSVvFEEBuo7hZ9USZ0hnoK3rq2njhNyDpefpqgIE8oWr82G0n9sqVVYj9TpX45obBsMHR-CXdnG5OsoQlrxl8-EjJYR2ugB6E3PhPFklgGf6Bj6I8P2tpQqqxGMHXcPlnj2tPoze4YzOlzrWhXi5aj7SuDoKgcYRm_R8WSKjUA1yBN7pFfI", + "eventCategory": "Management", + "eventID": "b307eaf9-2be2-44dd-b942-ce2bc8a3cc57", + "eventName": "DescribeInstanceAttribute", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-31T19:52:35Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "321848314756", + "requestID": "30ac0390-1bf8-41bc-af5b-a470776973f3", + "requestParameters": { + "attribute": "userData", + "instanceId": "i-cee23f5f" + }, + "responseElements": null, + "sourceIPAddress": "255.18.064.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-westcentral-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_f193d7d4-8114-40ff-acc9-a123d5463ff3", + "userIdentity": { + "accessKeyId": "ASIA4URVX2JM5MT0ZGK8", + "accountId": "321848314756", + "arn": "arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000", + "principalId": "AROAUF4S4NNXFP6WTHD73:aws-go-sdk-1722455550269043000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-31T19:52:33Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "321848314756", + "arn": "arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "principalId": "AROAUF4S4NNXFP6WTHD73", + "type": 
"Role", + "userName": "stratus-red-team-get-usr-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-westcentral-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000 is not authorized to perform: ec2:DescribeInstanceAttribute on resource: arn:aws:ec2:apiso-westcentral-3r:321848314756:instance/* because no identity-based policy allows the ec2:DescribeInstanceAttribute action. Encoded authorization failure message: VTgeZY1vPG9JN8RDG5_1wKNkdZA63luKUmEpRzFkvdZUvjd_rcKLffOZqwXDA20cPdJHu1l7vHPCLGfLM8Fb11o5jWDblvEI9qwX8qPQrLXY2_eOGXR8PLPa_uSLkcCKg4f38m_O0kz7Ss9Re9cvEKgSeD6ARS2Z3cN525WfqGuMCutpegkhku4TeuGzROO7rfPShnztzzxqtN0gdb4g7eIlfUIxEPSAhGChhW8eDQCetI3WtssEwXQYkzHd6-9YIHxW8yw8P3enNKq3QgT2oaVMeOzZAFJDn6QukrYhFXu0Tr12gRnBNRWRpP5fFIoSwoMvd2AAhBTSAdpZwIv4_sN-aCGmR7QVs6sywfgXgJTOd6bKFMcM5nFp_-D0ZV-u057MMLcBc_mhrNU3vLIZ5aWoPSHaSkSyk6LlUpPRiuoASfphMxGjbVCeof0r9chjZtEi9bJE0DaRvPqYQTj4Bumpp4EO8PP7xUJ5XPKiDdUwxRF1zy_9pxLFL7hkkmAr-AAEtoGqPAfX9BtVS_HgahYXdC7lNRuHmmYmmgcDbOuU5yaHcrBMcEbr6JJXapgvJZlhXtg", + "eventCategory": "Management", + "eventID": "205f694d-35d4-4e33-9f38-f5e7a20ffa50", + "eventName": "DescribeInstanceAttribute", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-31T19:52:34Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "321848314756", + "requestID": "add1b208-55c2-4f2d-8b7a-cd9aeb2b177a", + "requestParameters": { + "attribute": "userData", + "instanceId": "i-1780bff0" + }, + "responseElements": null, + "sourceIPAddress": "255.18.064.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-westcentral-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": 
"stratus-red-team_f193d7d4-8114-40ff-acc9-a123d5463ff3", + "userIdentity": { + "accessKeyId": "ASIA4URVX2JM5MT0ZGK8", + "accountId": "321848314756", + "arn": "arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000", + "principalId": "AROAUF4S4NNXFP6WTHD73:aws-go-sdk-1722455550269043000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-31T19:52:33Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "321848314756", + "arn": "arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "principalId": "AROAUF4S4NNXFP6WTHD73", + "type": "Role", + "userName": "stratus-red-team-get-usr-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-westcentral-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000 is not authorized to perform: ec2:DescribeInstanceAttribute on resource: arn:aws:ec2:apiso-westcentral-3r:321848314756:instance/* because no identity-based policy allows the ec2:DescribeInstanceAttribute action. 
Encoded authorization failure message: nLsOD7QpVpUhY_D5_xjyMrx2F-tbtuHhu4c9a2WnPRM5-j5JMzduGPr7dEt-PwGW39koU0YG9NsH40_CiWm2POy8r3JRQWYpHy9YGMbIsk-lPk7u5BVYvDPhPswVHoxYQcubUkNE9MKzgUHD6--rhHlErfgmG-x3-E_x56A2qqvpJhCVEt5ZPDBpMsGDQBAA6sxgI13hiR9Vj3vXmokTk0pwl6VY_GWRTRGxoTSC0EnzwsbLMlyMrdnKcQOPOizQstA6FqAoKiwk3B1T36AMuZ3DFeFKBCwatonhnDeqVEp1HFs0v1qWqSPQ3CMcxFmVai0VlKB-gh24bJ2eYJSraA3XqkzMMpuXCsaP3gVvY50wV5AtbO6s2mcy2hFikUoH-J7VUkhnAUf5v1fW_M9n1MKJ3-JINpVmeMVWGKHy2hCtuV0nK5mckvWfo1pX1yGR7rC8hz8mdDUdMpaOydDrCIapx-NYuZqd_8SbaeetsrJu-EUK2YwLc4WocKHP3yW7OZlwkhUt4RvSpZqkiYJ-F-HZKLsQ4fs6Yr5qy2RiIepTENiSzuD5wI0iZW21XRS5DoYm", + "eventCategory": "Management", + "eventID": "330b18f1-2763-4429-acf9-7293a5604ef3", + "eventName": "DescribeInstanceAttribute", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-31T19:52:34Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "321848314756", + "requestID": "9df72845-fbec-4178-9713-adcbccb99499", + "requestParameters": { + "attribute": "userData", + "instanceId": "i-42416187" + }, + "responseElements": null, + "sourceIPAddress": "255.18.064.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-westcentral-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_f193d7d4-8114-40ff-acc9-a123d5463ff3", + "userIdentity": { + "accessKeyId": "ASIA4URVX2JM5MT0ZGK8", + "accountId": "321848314756", + "arn": "arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000", + "principalId": "AROAUF4S4NNXFP6WTHD73:aws-go-sdk-1722455550269043000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-31T19:52:33Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "321848314756", + "arn": "arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "principalId": "AROAUF4S4NNXFP6WTHD73", + "type": 
"Role", + "userName": "stratus-red-team-get-usr-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-westcentral-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000 is not authorized to perform: ec2:DescribeInstanceAttribute on resource: arn:aws:ec2:apiso-westcentral-3r:321848314756:instance/* because no identity-based policy allows the ec2:DescribeInstanceAttribute action. Encoded authorization failure message: x6ukywL8Prh8nVwqNu_jfGpoVhNz64Z2oWssU-lfo9LLvZgrVpP7_U8FCvEfahACLHt9q3SN5BHNoKIqpT6Nse1a8IDd5T5UFtN5NAbm-8IlIjrfta55z8CdeQuyYW8g4n4fdzLRFY7P-bCnEWRyA96Dj7dgYI0-3JwYfoxyD5LqbNAyZZzXs6HzhE-JC2cNtX7pAnJyY5iqd7yKcM4tQDl-A1paYlQXwmp9jeYbixy09q2yEWVn0GnmDZpc-1YJdX7-G9RWvGb55cgx6G6QwX_V8O3GlbUtJoy5L1yJF9VHSjpNGcUjC1_T6pZoOquGL6HC1P2j4oU_vvThGAuyJtZ5hlwZA313Jwfx-YoFU3kncWiw9IXtxpgc120lSkcUt46AE9Uc47TT8jzAbBJhhIeA1lw8eh89JNMPOrGx5pTVqnmHdC6mZ92mnS5Iae0oAXY-T406pDrEIkdXtv3cbMeuBUNGfvn3O6xteP0i0gZdNPhCPxkTEDZRF-EgQs3TD2TwWIdbcoVDpTvPbf74xNHaDBFtFmcW_TW0XwiisyiaM8Ho5VTvUUQohR-ForP1xTRupKo", + "eventCategory": "Management", + "eventID": "95da874e-1cbd-47df-bba6-26dd2ed9ad82", + "eventName": "DescribeInstanceAttribute", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-31T19:52:34Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "321848314756", + "requestID": "d94b9d47-13c6-46cf-a8c6-4d7a33d7b85c", + "requestParameters": { + "attribute": "userData", + "instanceId": "i-68604a68" + }, + "responseElements": null, + "sourceIPAddress": "255.18.064.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-westcentral-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": 
"stratus-red-team_f193d7d4-8114-40ff-acc9-a123d5463ff3", + "userIdentity": { + "accessKeyId": "ASIA4URVX2JM5MT0ZGK8", + "accountId": "321848314756", + "arn": "arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000", + "principalId": "AROAUF4S4NNXFP6WTHD73:aws-go-sdk-1722455550269043000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-31T19:52:33Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "321848314756", + "arn": "arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "principalId": "AROAUF4S4NNXFP6WTHD73", + "type": "Role", + "userName": "stratus-red-team-get-usr-data-role" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "apiso-westcentral-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000 is not authorized to perform: ec2:DescribeInstanceAttribute on resource: arn:aws:ec2:apiso-westcentral-3r:321848314756:instance/* because no identity-based policy allows the ec2:DescribeInstanceAttribute action. 
Encoded authorization failure message: cfE6FKZ1sIRhbxBLmjIoehSeEmbpj_8jIPsfCPuACT9E_rFPauBJrhN3AIXtPobElUTbZgN33aeBcq_atGfmGm0miGiE4oW5CWSkQVTPR_f6bJd-5PHBgkv_Evot_3vhSyAyN1nKUAakmm_Ne9bkqWRYabIiS-XBNwhbA49faTNvYUuwjEZKCJbpnCI9ir6J_ijM7bmlE0UAdVKWzn26SSgvgV9C0ex-YJoFslO-85IYC_09Ar0piVJjpmvVR0q04uuHw_W57DWJYjIs8n_PYyaH9fhp794rgvDzdxorm4rFwIlZKaudBGmGg0VYtmQzNLsYFXEpMX42A72nhCdEHoxZoTCpLJFLVVl2l4Fiuieud-NQxn8clqRwIWitTKGxpzKUlrLDzYS0NMJwjSleSiBtS8wJ-4t3iB7Y42OP-XNKN2DquxpmT1yIurR0nykVlvZtCzXuUdH39Z8spGqxCPJgZwd9o0G1X2-IwiP4MNeWQzYM8ZjN4vLOgNZsP85gJnCQxZSk8Vfk6XlS550Zd113KMl05ej2nYOO5sDtQNXFYR0xN4fTaQSi6XHLgtuN1xmqFaU", + "eventCategory": "Management", + "eventID": "a7ca94eb-492f-41e9-b23d-e4875b795041", + "eventName": "DescribeInstanceAttribute", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-07-31T19:52:34Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "321848314756", + "requestID": "8e437f72-d5eb-4c0a-b391-dd8d7f59eefb", + "requestParameters": { + "attribute": "userData", + "instanceId": "i-0c140b58" + }, + "responseElements": null, + "sourceIPAddress": "255.18.064.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.apiso-westcentral-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_f193d7d4-8114-40ff-acc9-a123d5463ff3", + "userIdentity": { + "accessKeyId": "ASIA4URVX2JM5MT0ZGK8", + "accountId": "321848314756", + "arn": "arn:aws:sts::321848314756:assumed-role/stratus-red-team-get-usr-data-role/aws-go-sdk-1722455550269043000", + "principalId": "AROAUF4S4NNXFP6WTHD73:aws-go-sdk-1722455550269043000", + "sessionContext": { + "attributes": { + "creationDate": "2024-07-31T19:52:33Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "321848314756", + "arn": "arn:aws:iam::321848314756:role/stratus-red-team-get-usr-data-role", + "principalId": "AROAUF4S4NNXFP6WTHD73", + "type": 
"Role", + "userName": "stratus-red-team-get-usr-data-role" + } + }, + "type": "AssumedRole" + } + } +] \ No newline at end of file diff --git a/docs/detonation-logs/aws.execution.ec2-launch-unusual-instances.json b/docs/detonation-logs/aws.execution.ec2-launch-unusual-instances.json new file mode 100644 index 000000000..c40036600 --- /dev/null +++ b/docs/detonation-logs/aws.execution.ec2-launch-unusual-instances.json 
@@ -0,0 +1,170 @@ +[ + { + "awsRegion": "ca-south-3r", + "errorCode": "Client.UnauthorizedOperation", + "errorMessage": "You are not authorized to perform this operation. User: arn:aws:sts::751353041310:assumed-role/stratus-red-team-ec2lui-role-idtzskbvtd/aws-go-sdk-1722511821294449000 is not authorized to perform: ec2:RunInstances on resource: arn:aws:ec2:ca-south-3r:751353041310:instance/* because no identity-based policy allows the ec2:RunInstances action. Encoded authorization failure message: T-kSWIRFn32_fxSgyNzoE36avE5lRaRniAjDs-OdhlNgyecEbeTN_dCroUmnEqAbDOrevkgWv8iyUzs0XJxEDlAcgDztlJ-QPNokwAE1JUrWPZcLqpsuM6kK46d5jCUvmzpU_Egq-fML4ed58JHxMdyU4Iz1WGOb6S3W3FB5jghu3JqyDR1B8S8qHryW-e8H1ukHarLt7Ogr4rvYezZ3sf_DNCPDjCGLOSI75x4W0X4Wcl9B9eAuhG-hRbB8KG3e-15CmtpWvw5brndvmrK0sAKwOdcyI47AXNV1DKVLKBNjxwNSQB4knWTX00TASAtGZYroYLyadRTdjZO_CwPGIkcI7wiuAPwSJTrri9xF8zPb5ZJ-Zt4-fQRZoge3sWBFv_wRNOcdGXu8MidJV1ev4CJOpwygM9bO68S_ueU2u_MvKE_zRYrMzTYSMiBKpZGZBDiIZGOGOSzJK8aZ5_F0g5CzhI0IzBxBQh2QFLF0eZe6prRdYEnOZ33EDlaD68PhuyM5xFYzNATqG8UlMtNG7eE1XCMpAmLRAv8ZSnE0PUMrg-Z7RhLyIb3p37VxzKKQHVTdEarNtE22jp38CJ0uRZy5eiNmu-O3JMLeB-AuSYFFoGPtH6h2dH2uV4Fj27vJ4...", + "eventCategory": "Management", + "eventID": "1a4debbb-12e9-4bde-b8c7-ea29002bb2a7", + "eventName": "RunInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T11:30:23Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "900138736586", + "requestID": "b663854b-4ebf-4be3-8de0-9c5471904762", + "requestParameters": { + "blockDeviceMapping": {}, + "clientToken": "5dd59182-3917-421c-9b2c-7c92954b66ee", + "disableApiStop": false, + "disableApiTermination": false, + "instanceType": "p2.xlarge", + "instancesSet": { + "items": [ + { + "imageId": "ami-aCBbfd13bdb1d1E4b", + "maxCount": 10, + "minCount": 1 + } + ] + }, + "monitoring": { + "enabled": false + }, + "subnetId": "subnet-0e540f0c7ffb48ae9" + }, + "responseElements": null, + 
"sourceIPAddress": "06.237.252.245", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-south-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_c8ff220a-7e52-429b-868f-d979123ed2d3", + "userIdentity": { + "accessKeyId": "ASIA9F6MXE9HSYOXYQOS", + "accountId": "900138736586", + "arn": "arn:aws:sts::900138736586:assumed-role/stratus-red-team-ec2lui-role-idtzskbvtd/aws-go-sdk-1722511821294449000", + "principalId": "AROA13YEHY3VAS32TD341:aws-go-sdk-1722511821294449000", + "sessionContext": { + "attributes": { + "creationDate": "2024-08-01T11:30:22Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "900138736586", + "arn": "arn:aws:iam::900138736586:role/stratus-red-team-ec2lui-role-idtzskbvtd", + "principalId": "AROA13YEHY3VAS32TD341", + "type": "Role", + "userName": "stratus-red-team-ec2lui-role-idtzskbvtd" + } + }, + "type": "AssumedRole" + } + }, + { + "awsRegion": "ca-south-3r", + "eventCategory": "Management", + "eventID": "04c882a5-7652-40d1-b44c-83535fc19268", + "eventName": "AssumeRole", + "eventSource": "sts.amazonaws.com", + "eventTime": "2024-08-01T11:30:22Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "900138736586", + "requestID": "a8b97cd6-132c-46e7-9305-85f2d79e683d", + "requestParameters": { + "durationSeconds": 900, + "roleArn": "arn:aws:iam::900138736586:role/stratus-red-team-ec2lui-role-idtzskbvtd", + "roleSessionName": "aws-go-sdk-1722511821294449000" + }, + "resources": [ + { + "ARN": "arn:aws:iam::900138736586:role/stratus-red-team-ec2lui-role-idtzskbvtd", + "accountId": "900138736586", + "type": "AWS::IAM::Role" + } + ], + "responseElements": { + "assumedRoleUser": { + "arn": "arn:aws:sts::900138736586:assumed-role/stratus-red-team-ec2lui-role-idtzskbvtd/aws-go-sdk-1722511821294449000", + "assumedRoleId": "AROA13YEHY3VAS32TD341:aws-go-sdk-1722511821294449000" + }, 
+ "credentials": { + "accessKeyId": "ASIA9F6MXE9HSYOXYQOS", + "expiration": "Aug 1, 2024, 11:45:22 AM", + "sessionToken": "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" + } + }, + "sourceIPAddress": "06.237.252.245", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "sts.ca-south-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_c8ff220a-7e52-429b-868f-d979123ed2d3", + "userIdentity": { + "accessKeyId": "AKIAR7ISFR69YWROPYAN", + "accountId": "900138736586", + "arn": "arn:aws:iam::900138736586:user/christophe", + "principalId": "AIDA32NEE582826ECMV4", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-south-3r", + "eventCategory": "Management", + "eventID": "9a6353be-6cb8-4a0c-ab85-a46dbd3a2b71", + "eventName": "AssumeRole", + "eventSource": "sts.amazonaws.com", + "eventTime": "2024-08-01T11:30:21Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "900138736586", + "requestID": "7197a903-38a0-4e24-8683-dc858142b3c8", + "requestParameters": { + "durationSeconds": 900, + "roleArn": "arn:aws:iam::900138736586:role/stratus-red-team-ec2lui-role-idtzskbvtd", + "roleSessionName": "aws-go-sdk-1722511821294449000" + }, + "resources": [ + { + "ARN": "arn:aws:iam::900138736586:role/stratus-red-team-ec2lui-role-idtzskbvtd", + "accountId": "900138736586", + "type": "AWS::IAM::Role" + } + ], + "responseElements": { + "assumedRoleUser": { + "arn": "arn:aws:sts::900138736586:assumed-role/stratus-red-team-ec2lui-role-idtzskbvtd/aws-go-sdk-1722511821294449000", + "assumedRoleId": "AROA13YEHY3VAS32TD341:aws-go-sdk-1722511821294449000" + }, + "credentials": { + "accessKeyId": "ASIAYY9090UIYYUOIF2U", + "expiration": "Aug 1, 2024, 11:45:21 AM", + "sessionToken": "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" + } + }, + "sourceIPAddress": "06.237.252.245", + "tlsDetails": { + "cipherSuite": 
"TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "sts.ca-south-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_c8ff220a-7e52-429b-868f-d979123ed2d3", + "userIdentity": { + "accessKeyId": "AKIAR7ISFR69YWROPYAN", + "accountId": "900138736586", + "arn": "arn:aws:iam::900138736586:user/christophe", + "principalId": "AIDA32NEE582826ECMV4", + "type": "IAMUser", + "userName": "christophe" + } + } +] \ No newline at end of file diff --git a/docs/detonation-logs/aws.execution.ec2-user-data.json b/docs/detonation-logs/aws.execution.ec2-user-data.json new file mode 100644 index 000000000..aac95204b --- /dev/null +++ b/docs/detonation-logs/aws.execution.ec2-user-data.json 
@@ -0,0 +1,1432 @@
+[ + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "759fa0d5-d7d6-4de3-97f0-c469d1a0f92c", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:04:24Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "a9c78483-c047-4215-94c6-89794dd3b44e", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "914d32bb-067a-413c-adb1-cc8c4600261c", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:04:22Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "977121cb-f370-439d-9aa3-5dea3af27c6a", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": 
"stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "b38fe645-91d4-404b-8d64-024a6f7e00cd", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:04:20Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "fff5f8d6-d152-4d32-913e-a5fedaa6aa2f", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "55e470c0-611d-4549-ad87-a7c830a75063", + "eventName": "StartInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:04:19Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "309303190113", + "requestID": "0c9bbf8a-a6f6-4e64-8396-78017a647f26", + "requestParameters": { + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": { + 
"instancesSet": { + "items": [ + { + "currentState": { + "code": 0, + "name": "pending" + }, + "instanceId": "i-DDd6c7B0e18F0E35f", + "previousState": { + "code": 80, + "name": "stopped" + } + } + ] + }, + "requestId": "0c9bbf8a-a6f6-4e64-8396-78017a647f26" + }, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "9e6d9e21-0c9c-49f7-b2b6-59c863d7a6a3", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:04:19Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "2ff3ad22-ffc2-4926-bbdd-15356ec9bd4a", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": 
"f634894e-d625-4b7b-b1c1-50354cc1100e", + "eventName": "ModifyInstanceAttribute", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:04:18Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "309303190113", + "requestID": "5c0d7f09-a80a-4313-b848-bc858fa4a8ad", + "requestParameters": { + "instanceId": "i-DDd6c7B0e18F0E35f", + "userData": "\u003csensitiveDataRemoved\u003e" + }, + "responseElements": { + "_return": true, + "requestId": "5c0d7f09-a80a-4313-b848-bc858fa4a8ad" + }, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "8730ad3a-d87e-4463-aaba-d600442be64c", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:04:17Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "4ddaaecc-3c8d-420f-8646-977ad02fbbe5", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + 
"accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "50019cea-afa8-4dc4-b61d-b9454e6d2aba", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:04:16Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "277adb54-968d-4460-aeaa-a59d65139225", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "ae0d4f37-4d8c-49e1-ab78-2c7157ffc9d3", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:04:14Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "b38aa588-4cc4-4279-8117-2d1d06d8ff1f", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + 
"cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "daeb8d2a-a83b-4a37-8ba3-e60b3d0b69d1", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:04:11Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "e1ae237b-0241-4999-be50-44fd16f7e368", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "c751234f-ec7b-40d7-af60-188d8749b08f", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:04:10Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": 
"398556fa-3fe5-4872-9d6f-a994e54731ed", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "bed3162f-6f64-4f6f-b08b-78d3ac9b9066", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:04:08Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "6e302813-c59e-49bc-ba23-89109cd64119", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "42d2c954-4b4c-4889-ad26-80796fe87025", + "eventName": "DescribeInstances", + 
"eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:04:06Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "8e3e3e2d-9593-442e-b8e5-335362f0a5df", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "2a1cbb02-88fd-4405-90f8-7d5bcb65b0f3", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:04:04Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "6d4d0e20-28c5-4bb0-90f2-57dfdc42aeab", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": 
"AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "56b0bf8c-92fe-460c-aaa6-ba5b9d816bea", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:04:03Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "a5ae54e8-dbcc-498c-ba6c-b7caff1d8302", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "5e44de78-52a2-4d5b-9b85-715f68110d00", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:04:00Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "6a7b7a28-eaa1-4a78-b7db-d5eb9b687773", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + 
"userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "7d0f96bf-ca3b-4bb6-b9ea-2cb20cbd3f64", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:03:58Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "21738dd4-cde5-4783-a4d9-341ffbb3d0f0", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "10469acd-d180-4b62-a768-15726f788cf6", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:03:57Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "cf1342c3-7142-4ce3-ace0-c3d6cb8ef53d", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, 
+ "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "273a42f8-7c86-43f9-aabd-a698d0c5931a", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:03:55Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "3d41ca74-ae92-45de-ab0e-3c7ad6a38c24", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "b788f6c8-3155-4d3b-ac7d-9fd49e6be119", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:03:53Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, 
+ "recipientAccountId": "309303190113", + "requestID": "bf4fb83d-1fea-48c5-ab76-8914ce05ade1", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "8ced3c60-7e3a-447a-9abe-c80ea783e54a", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:03:51Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "2ff0ddac-4e87-448d-817e-5ec5e0d62ffa", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": 
"933be44e-6ef0-44f6-a64b-99f067a71cd8", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:03:50Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "5bc0fc4e-a4fc-40b9-8a28-621a02c58e55", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "7eba0527-9926-4c43-8670-a4a1d2b8a466", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:03:48Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "6434fc93-d1b5-44f6-9d82-5323e1059b23", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + 
"arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "7a03fd83-ae64-41b4-b109-f672ccf01377", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:03:47Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "1758f71e-47d0-4fa3-9875-315bc7183bb3", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "e787e1ad-fa7c-4b91-9587-9beffd68488a", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:03:45Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "e9c76e24-ef65-4fdc-b30e-145643c6913a", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": 
"ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "40afc14c-3dd8-4195-b4d3-89f1173d368f", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:03:43Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "ed3889da-12fc-434b-8e5d-5bcf122b46fe", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "8bc46582-5202-4857-879e-b57a94862895", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:03:41Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "1b8980f2-0a5e-4e6a-8a5a-82a4982d4a36", + "requestParameters": { + "filterSet": {}, + "instancesSet": { 
+ "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "7470d5b5-0e71-4bd2-9809-8b8e9499b8e2", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:03:40Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "2d9bbbbf-86ab-4e36-8f44-66b9cc568571", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "570ab1e6-8222-4db2-a688-6c1a37cc9968", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:03:38Z", + "eventType": "AwsApiCall", + 
"eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "33647962-fb50-4bc9-9465-13d237860e4f", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "9ed4f1c7-607c-4c88-bcb6-053a03fd30cc", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:03:37Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "88449386-205f-4091-b667-5b9efc5ce256", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", 
+ "eventCategory": "Management", + "eventID": "7c46e00c-5eba-40c4-8a5c-3788c10af6fd", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:03:35Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "40f0177a-b1a4-44a4-b6c5-87fd9e44849e", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "4edfbd95-32ab-4abc-9b07-5e371a9af5da", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:03:34Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "cc43b6de-04d9-4435-9ecc-46a575b0950d", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": 
"AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "8ffd8499-55e5-4487-b1c8-f73ab389db84", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:03:32Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "0a967e8c-b6ed-4870-aec5-edca45b2e00c", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "bfdbd679-9ac4-41e0-84f6-2be3ac12d3e5", + "eventName": "DescribeInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:03:30Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "309303190113", + "requestID": "14975c6a-e0f8-4abf-b731-5a21a8249464", + "requestParameters": { + "filterSet": {}, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": null, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": 
"TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ca-northsouth-2r", + "eventCategory": "Management", + "eventID": "d373b5dd-6a82-439d-bdcf-4e6c7c7a9292", + "eventName": "StopInstances", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:03:30Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "309303190113", + "requestID": "088dba72-717e-4502-a3c5-5c95f22f87c1", + "requestParameters": { + "force": true, + "instancesSet": { + "items": [ + { + "instanceId": "i-DDd6c7B0e18F0E35f" + } + ] + } + }, + "responseElements": { + "instancesSet": { + "items": [ + { + "currentState": { + "code": 64, + "name": "stopping" + }, + "instanceId": "i-DDd6c7B0e18F0E35f", + "previousState": { + "code": 16, + "name": "running" + } + } + ] + }, + "requestId": "088dba72-717e-4502-a3c5-5c95f22f87c1" + }, + "sourceIPAddress": "251.228.255.218", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.ca-northsouth-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_54d79918-8729-4201-83e6-6a600173b8e3", + "userIdentity": { + "accessKeyId": "AKIAZI86ACIZ2J9CV86Z", + "accountId": "309303190113", + "arn": "arn:aws:iam::309303190113:user/christophe", + "principalId": "AIDAV0KQ3LIBUIGZ52WB", + "type": "IAMUser", + "userName": "christophe" + } + } +] \ No newline at end of file 
diff --git a/docs/detonation-logs/aws.execution.ssm-send-command.json b/docs/detonation-logs/aws.execution.ssm-send-command.json
new file mode 100644
index 000000000..341009014
--- /dev/null
+++ b/docs/detonation-logs/aws.execution.ssm-send-command.json
@@ -0,0 +1,2368 @@ +[ + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "4723aee9-d1e5-4e32-b48c-0ec39a6d84ea", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:27Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "6edac2c5-52c8-4de5-9d8f-2d1bdc2f9e8b", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "bbef7fa1-ec6b-42ca-ae50-a95610fc81d3", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:26Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "083a9fde-def5-4328-bbab-1bd8b0c137cb", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": 
"ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "d6738500-de0a-4a7d-af41-c42225b1d627", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:23Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "cdf0af8d-32e8-4094-b5ad-0ad6aa898a2b", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "5ceab743-d517-46d5-b162-bf881ae0be0c", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:21Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": 
"b48c0a2a-5c9b-4bd9-9e2a-74c84a55aefe", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "df4e2a35-15df-4329-9b51-f260dcefba7b", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:19Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "fe3cc368-5dd9-4629-8db6-966b9b396005", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": 
"Management", + "eventID": "414a9a7c-01f3-4acc-9b55-bf1f677e3a54", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:17Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "6425b4c5-5688-4d8f-8165-cf0b565cdb72", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "2c1e26d1-6685-4640-ba79-81149872d066", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:16Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "0ea54e95-cde4-4aec-9ef3-d28f44594966", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": 
"stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "a4ca6ef1-b00e-476a-8dcf-6b1b2e75b335", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:15Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "0c49d64c-5995-485c-930f-fbb3fcda42ab", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "2b3aacaa-3e89-405c-b53b-f99a0555661d", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:14Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "2abe2e44-53f2-4207-825e-dc569c2be9f5", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ 
+ "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "2610da37-3b46-48b2-82b3-59e0c77c9db0", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:13Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "c2320169-a590-4aa4-bfbe-73d0eef783fa", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "04151503-f5e2-4356-abdd-14b08e2285ef", + "eventName": "DescribeInstanceInformation", + "eventSource": 
"ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:12Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "61a85904-a3b8-4dd6-aaef-2efd548cf9ae", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "898fc3e2-242e-48f1-a560-8b835d90bdee", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:10Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "8931849b-3dbb-440f-ac27-1fb5d4890d3b", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + 
"arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "411687aa-d840-40f7-ae31-adb0619c0401", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:09Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "003bfa5a-ef20-46b7-bf79-8a11a49ab14e", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "ff20ced4-0e3c-42a7-9ed9-f32cd2cbb672", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:08Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "0234c68e-9ebe-4fc5-81ab-798de9bdc451", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": 
"253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "e0643796-b464-4e13-8680-00c6dc57ef72", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:07Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "1543ba41-1625-45c3-8f4f-ab5463d68b02", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "1540ea9a-4d6b-45b5-b84d-e9711e7801fb", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:06Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": 
true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "0e53ee03-5e82-4bcc-80fe-1f5929260121", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "0d989ab9-09ae-44c4-9dc8-3f3c9aa4f4b1", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:05Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "cdea3227-f206-4316-8ba4-980b36f6124a", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": 
"christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "ab4521b5-0b95-4e01-bc57-9124138b6d07", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:04Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "581d7a02-356c-4b34-88ff-0570f6fb1d2b", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "150f7722-557f-47a7-849c-5c44cba78e2e", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:02Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "3674ec77-adc1-4474-aad5-a1a6fed8b8d4", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": 
"ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "c68a4a51-cfc2-490d-86da-f0aff1e000e6", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:01Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "ab1a6ced-43d6-459c-b67b-6c1acb255fd8", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "2582b47b-76b8-4eb4-a455-9f97b000d38a", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:00Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": 
"fe6366b5-7c41-4a98-ab58-fa895d8d71f8", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "aa35aa1c-1989-4beb-a540-2a47b88a2119", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:07:59Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "7c848a81-1e4b-4457-a067-ede23efb8f96", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": 
"Management", + "eventID": "0d86f878-d8c0-475c-8079-2a1243666e45", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:07:58Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "914d4883-5725-4059-bf32-8b240cd2be40", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "bab0e5ba-5a43-467d-9460-dd801d9e9ad8", + "eventName": "GetCommandInvocation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:09:02Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "55198b26-f77b-4ef8-9259-bb347696f512", + "requestParameters": { + "commandId": "4e973221-443e-4a56-a0b4-1cb3c7923fc3", + "instanceId": "i-9D40CCFc0aE91CFa5" + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + 
"accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "b2c7717c-e542-422f-a78d-590536c174cb", + "eventName": "GetCommandInvocation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:09:01Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "3a1aa185-9cc4-4d58-933c-c2a6ad37c730", + "requestParameters": { + "commandId": "4e973221-443e-4a56-a0b4-1cb3c7923fc3", + "instanceId": "i-00456A8D163f546Ff" + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "e0b17230-9c13-482a-a0f0-d93c6bd4fb8e", + "eventName": "GetCommandInvocation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:09:01Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "dd526977-54b5-4951-bdb4-b9e542af402b", + "requestParameters": { + "commandId": "4e973221-443e-4a56-a0b4-1cb3c7923fc3", + "instanceId": "i-cfE23b1a7ceba6f86" + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": 
"ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "5288bfb8-e3fa-4c41-be02-6853521afe8b", + "eventName": "SendCommand", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:56Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "056392974792", + "requestID": "1479b5e1-9751-4bf1-b548-cdd8108e85a6", + "requestParameters": { + "documentName": "AWS-RunShellScript", + "instanceIds": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ], + "interactive": false, + "parameters": "HIDDEN_DUE_TO_SECURITY_REASONS" + }, + "responseElements": { + "command": { + "alarmConfiguration": { + "alarms": [], + "ignorePollAlarmFailure": false + }, + "clientName": "", + "clientSourceId": "", + "cloudWatchOutputConfig": { + "cloudWatchLogGroupName": "", + "cloudWatchOutputEnabled": false + }, + "commandId": "4e973221-443e-4a56-a0b4-1cb3c7923fc3", + "comment": "", + "completedCount": 0, + "deliveryTimedOutCount": 0, + "documentName": "AWS-RunShellScript", + "documentVersion": "$DEFAULT", + "errorCount": 0, + "expiresAfter": "Aug 2, 2024, 11:08:56 AM", + "hasCancelCommandSignature": false, + "hasSendCommandSignature": false, + "instanceIds": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ], + "interactive": false, + "maxConcurrency": "50", + "maxErrors": "0", + "notificationConfig": { + "notificationArn": "", + "notificationEvents": [], + "notificationType": "" + 
}, + "outputS3BucketName": "", + "outputS3KeyPrefix": "", + "outputS3Region": "sagov-westsouth-1r", + "parameters": "HIDDEN_DUE_TO_SECURITY_REASONS", + "requestedDateTime": "Aug 2, 2024, 9:08:56 AM", + "serviceRole": "", + "status": "Pending", + "statusDetails": "Pending", + "targetCount": 3, + "targets": [], + "timeoutSeconds": 3600, + "triggeredAlarms": [] + } + }, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "8e1d1d98-6f88-4ce9-8e62-c1ec1a598408", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:56Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "5e34f5e1-11f1-481f-a435-c6124bd640d2", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": 
"AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "e470e8f0-fbf0-42c1-a751-b271929bfa22", + "eventName": "GetCommandInvocation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:56Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "c6b8d64a-b975-4306-a8ac-17671377c2af", + "requestParameters": { + "commandId": "4e973221-443e-4a56-a0b4-1cb3c7923fc3", + "instanceId": "i-00456A8D163f546Ff" + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "ad342d3d-e850-41c3-b3a6-3e5cf0b382d3", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:55Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "6fd7d6fe-4452-462c-bf9c-c93daec119d6", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": 
"ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "486ae737-1798-4c36-a90a-20d61f22d678", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:53Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "4dd32dc2-26bc-4d9a-a469-56c65a55f45e", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "6643948a-9472-4f72-b1ff-8ddcfedca235", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:52Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": 
"0605e0fd-df0a-493a-a915-832b50c17164", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "cd49199d-ffdc-46bf-acae-e6c6d73e215a", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:51Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "65bc968b-731a-4dd5-93aa-3bfebcf16f85", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": 
"Management", + "eventID": "53407d54-9944-4317-a20f-d9a52c2a35ee", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:50Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "80ee2eb6-d794-4ac3-b2fb-6b9b40936d61", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "6f1a2b4e-89a5-43f0-8ef4-6f3ecd9e04dc", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:49Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "5a765f60-eddc-4efe-bb7f-57b018f5c76a", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": 
"stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "fdcf7d26-3ffb-4e35-8534-933b6ced55b5", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:48Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "42651f04-5238-4f63-889b-bee7734d29e0", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "1a5374a3-1223-46dc-b3c4-a0336179f22b", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:46Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "f12f2209-52ba-4064-8e48-45a70ed55437", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ 
+ "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "1fc0903a-bdd5-4a31-a15e-84efb05530dd", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:45Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "54a4713e-2480-4b3c-95de-ffa6f061f6db", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "b43fdb25-5caf-4203-b2f4-5fd4d40344b0", + "eventName": "DescribeInstanceInformation", + "eventSource": 
"ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:44Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "c2342054-aa38-41f4-b1b9-702828726730", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "97a253c0-5e84-4d78-8412-a420695ba4dc", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:43Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "398704b7-2c17-4cb2-8efb-f27ef8f775fe", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + 
"arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "e4be349d-0420-4ee9-b8da-7f8b76c4d883", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:42Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "5db544de-5064-4bf2-ba19-ea2a882281bc", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "55b6e5a7-e4e8-4b81-b822-75905525c193", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:41Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "2654285f-1d76-4224-9224-4a3968f16a3f", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": 
"253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "c0679959-5bf1-4aaf-9f78-f436c35da4b2", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:39Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "1545c090-8ecf-4cae-9db0-a2da1e103f23", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "bf330a73-3600-4a88-a3c9-837c82fd6431", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:38Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": 
true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "409166a6-71c7-4a1c-b1dd-7972ec637a0c", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "d303c923-1ad3-4333-a78c-5ba0d713df14", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:37Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "29eb2c6a-3d0a-4b1c-b643-ad80f5faee5f", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": 
"christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "7cf67dfd-fedc-4494-acbe-3fab7e1808a1", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:36Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "9525e5ee-669c-40a2-a8d2-33cebb0ee895", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "e666a3d4-db2f-4ac2-b0ba-63531a949154", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:35Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "34ea6034-0028-46cd-94f5-54ffb4c5ba02", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": 
"ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "ff0452d7-bef3-47ba-b641-e4b10f50f3c4", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:34Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "135ea4ff-0e59-4771-b541-326b904dfd70", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "2253ede9-2382-41fa-8302-b25ecf0f11ac", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:33Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": 
"0c664d14-0f8b-44da-896d-80b7dae05a2c", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "9b6c78ee-98ba-4ddd-9dae-aa4d3a57e89c", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:31Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "f55872e1-6dad-42be-a18d-c7bd64ef9f6d", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": 
"Management", + "eventID": "1ac28c35-ee6f-41a4-97bd-ae8e44363660", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:30Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "c274e01e-2045-4415-bd71-c8744107618e", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "d3471df2-fc63-479b-9920-4ac3c9c32357", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:29Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "00d4a58a-00a8-4116-b391-beaa8aa1c0db", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": 
"stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "0745f3f1-b181-4395-a2dc-243becae570e", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:28Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "4b2f5fd6-3620-4aa7-bf3e-7da9d27bec85", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "804c4178-75cd-4d83-b04f-960f47961a75", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:24Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "bec61003-0f60-45c0-9256-116efb6d15aa", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ 
+ "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "73518501-d83c-4d7e-8dbd-2154928d76f7", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:22Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "4c950f64-59ff-4fce-9a69-32ef10f96872", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-westsouth-1r", + "eventCategory": "Management", + "eventID": "6e3e5c56-66d8-4e23-9a89-8498651357d5", + "eventName": "DescribeInstanceInformation", + "eventSource": 
"ssm.amazonaws.com", + "eventTime": "2024-08-02T09:08:20Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "056392974792", + "requestID": "8c004773-45de-49ee-aab8-44a83effbfd6", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-00456A8D163f546Ff", + "i-cfE23b1a7ceba6f86", + "i-9D40CCFc0aE91CFa5" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "253.252.51.07", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.sagov-westsouth-1r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ea782787-a65d-4fc4-9fca-1c97869a9a25", + "userIdentity": { + "accessKeyId": "AKIAW9X2Q2U25SK79UCX", + "accountId": "056392974792", + "arn": "arn:aws:iam::056392974792:user/christophe", + "principalId": "AIDA10CZIPPG73T21TDI", + "type": "IAMUser", + "userName": "christophe" + } + } +] \ No newline at end of file diff --git a/docs/detonation-logs/aws.execution.ssm-start-session.json b/docs/detonation-logs/aws.execution.ssm-start-session.json new file mode 100644 index 000000000..5aae7c720 --- /dev/null +++ b/docs/detonation-logs/aws.execution.ssm-start-session.json 
@@ -0,0 +1,1184 @@ +[ + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "ab04bb55-b6d5-492b-8697-9d11867c6c43", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:16Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "c98780a2-d6a4-4114-91b0-a28a2a0842b3", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "5ccb707e-ea1c-4ae5-acb1-2039ca8908ec", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:15Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "089ef7a1-3dd7-4b8c-a59d-d169df9b4316", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": 
"ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "75d83a2a-99a3-4808-ade4-fe692446096b", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:14Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "9d1129f2-f619-4690-bab2-b097875b913f", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "9a3b3ce3-c139-46e2-be9b-920f6c670c42", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:12Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "45eb28df-eda5-4b72-8e11-3b37679681a0", + 
"requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "b8a73842-fae3-40a9-85b3-515a1a07d582", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:11Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "cb435a50-9023-4ded-a904-6f448738ee31", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": 
"554070cc-5bc1-4894-9880-c75a15ac78a2", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:10Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "8eb080f2-3c5d-447c-bad2-d4ceebe8bfd2", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "6844ea57-f22c-42e1-ae5b-709d8fc2c36b", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:09Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "84c1b5d3-c365-469c-917b-cc317aed7d43", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": 
"stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "913f3327-0ef4-4acb-a3a2-325ddcbda947", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:08Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "1b58a0d1-b841-4234-ad41-25faee08b985", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "b045bced-b93a-4e6c-a1b8-2011fe92b93a", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:06Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "ab3f6858-2db0-413f-9b21-09997a048505", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + 
"i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "0f520fea-16a0-459f-bf72-21efd8457cb1", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:05Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "6ca20f16-71aa-4794-8884-36989a3b7bc6", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "9546b899-0954-4c25-bbfb-a588f2a072c6", + "eventName": "DescribeInstanceInformation", + "eventSource": 
"ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:04Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "ec65f81b-3145-4abd-a992-1de519835cad", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "4ddacdbc-fba5-4298-9f8d-90b7ab937844", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:03Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "270fe471-7761-411c-a5c8-8aef5d50b090", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": 
"arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "26e75a55-97b5-4ec0-a061-74460a26659d", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:02Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "9f172d90-39e1-46ba-9271-e18d349f22ff", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "f25d2e8c-bf82-4cb5-9a80-a72bd83d85cf", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:01Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "0d98546c-6b0b-4d0c-a73c-68059eb76792", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + 
"tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "fd5300fb-d315-4ed3-b9e7-ca1b92a5d394", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:18:59Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "44bae06a-b763-4952-8832-41fc6ad7302c", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "22af1364-f2e4-41eb-bb18-f1738e807acf", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:18:58Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + 
"recipientAccountId": "294599468799", + "requestID": "af97f2a9-e028-4735-a6c6-9124b6679d5d", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "12794adb-6096-4389-9756-e98a5dca6d67", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:18:57Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "b3335448-07b5-4095-982d-b1b34a832ec5", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": 
"me-northwest-3r", + "eventCategory": "Management", + "eventID": "19e72b5f-adba-48cc-ab37-53756ed926d5", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:18:56Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "a057578e-d65b-43a5-bb03-9914d7e1d069", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "a5578e6e-e935-4b5f-9d9e-7af60f7999e4", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:18:54Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "8ea8e04e-b423-4651-878a-c81a60213c16", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + 
"userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "a7175b36-d81e-4865-be81-212ca57308df", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:18:53Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "09a037ea-6fe5-4df3-bfeb-62c2de373b83", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "5bdf2db7-edd7-42cd-82f1-ee0196606656", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:18:52Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "6fb104db-448f-4055-b30c-c72cdc9cabcc", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + 
"values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "03ba7d84-509a-4bb9-bc48-959aa989b5ff", + "eventName": "DescribeInstanceInformation", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:18:50Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "796082ea-1ed9-422e-8316-c8696499cd1e", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "a29037ea-ed15-4025-9a54-ff70f11ca95c", + "eventName": "DescribeInstanceInformation", + 
"eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:18:49Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "294599468799", + "requestID": "5f7f7d07-7c66-41aa-8fb8-dacd955626df", + "requestParameters": { + "filters": [ + { + "key": "InstanceIds", + "values": [ + "i-d3720C7af6fCfF2B2", + "i-d0b6DCBA8984dE148", + "i-eA1d1296c1dE3Aa1f" + ] + } + ] + }, + "responseElements": null, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "f8f0460c-476b-42b7-9cfb-cd6345e2aad1", + "eventName": "TerminateSession", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:18Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "294599468799", + "requestID": "9147312c-7312-46d4-aa91-798728055424", + "requestParameters": { + "sessionId": "christophe-wzleysigzmbd6fmkefjqvt5w4u" + }, + "responseElements": { + "sessionId": "christophe-wzleysigzmbd6fmkefjqvt5w4u" + }, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": 
"arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "8086b250-d29c-4659-9aec-86c8446a3895", + "eventName": "StartSession", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:17Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "294599468799", + "requestID": "d81b3311-b5aa-4782-ab43-c7af5e237aee", + "requestParameters": { + "target": "i-eA1d1296c1dE3Aa1f" + }, + "responseElements": { + "sessionId": "christophe-wzleysigzmbd6fmkefjqvt5w4u", + "streamUrl": "wss://ssmmessages.me-northwest-3r.amazonaws.com/v1/data-channel/christophe-wzleysigzmbd6fmkefjqvt5w4u?role=publish_subscribe\u0026cell-number=AAEAAbIWRNYnEkrB64bhGiedJQR3zYzBwUJyTNxc854+f3IBAAAAAGarfUW5QwfI91t6LkgX/EqdDx6EluDPvaUGK2bMPeDUpZ8JCNDVkDD7", + "tokenValue": "Value hidden due to security reasons." 
+ }, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "131c198f-7042-4c88-be71-545471d55f4c", + "eventName": "TerminateSession", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:16Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "294599468799", + "requestID": "577db5d7-12b4-49a6-87eb-6ea2890065bd", + "requestParameters": { + "sessionId": "christophe-bkqs75qpcrtlxk5paaytrydm2e" + }, + "responseElements": { + "sessionId": "christophe-bkqs75qpcrtlxk5paaytrydm2e" + }, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "10057a87-1da5-4c7d-a411-e41543dc91f5", + "eventName": "StartSession", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:17Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + 
"recipientAccountId": "294599468799", + "requestID": "5cc369d7-d3e9-41e0-a677-14e8c9c18c8e", + "requestParameters": { + "target": "i-d0b6DCBA8984dE148" + }, + "responseElements": { + "sessionId": "christophe-s7uathgenk3m4qa2s33wio5gpu", + "streamUrl": "wss://ssmmessages.me-northwest-3r.amazonaws.com/v1/data-channel/christophe-s7uathgenk3m4qa2s33wio5gpu?role=publish_subscribe\u0026cell-number=AAEAASNZon/688w6/ZL2nfwe5JxliimfvbKltR2/CMq9mU3DAAAAAGarfUU7baqkmRTOTruWRhsNBxa9VYTF4cuEPM/a0XdVPGUYQNU1KAa3", + "tokenValue": "Value hidden due to security reasons." + }, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "60fd77a0-1ce9-40a1-b24b-0a598a169de9", + "eventName": "TerminateSession", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:17Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "294599468799", + "requestID": "ca9f1a4d-f89b-468d-9858-8e628165c8e7", + "requestParameters": { + "sessionId": "christophe-s7uathgenk3m4qa2s33wio5gpu" + }, + "responseElements": { + "sessionId": "christophe-s7uathgenk3m4qa2s33wio5gpu" + }, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + 
"accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "me-northwest-3r", + "eventCategory": "Management", + "eventID": "32e8a07f-4751-4081-882e-958a25231c56", + "eventName": "StartSession", + "eventSource": "ssm.amazonaws.com", + "eventTime": "2024-08-01T12:19:16Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "294599468799", + "requestID": "bfa7688d-0e78-4252-b5f6-1a445c82f109", + "requestParameters": { + "target": "i-d3720C7af6fCfF2B2" + }, + "responseElements": { + "sessionId": "christophe-bkqs75qpcrtlxk5paaytrydm2e", + "streamUrl": "wss://ssmmessages.me-northwest-3r.amazonaws.com/v1/data-channel/christophe-bkqs75qpcrtlxk5paaytrydm2e?role=publish_subscribe\u0026cell-number=AAEAAeHX0bqbU5dmbfb/NJVjO7TQopSahDHtyQVUjSI6yFXSAAAAAGarfUSzqvoBC+mhEuJQf0+1Y3iTcwzVAhL1LviE3BBll/7GdCowEhwg", + "tokenValue": "Value hidden due to security reasons." + }, + "sourceIPAddress": "254.222.242.236", + "tlsDetails": { + "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", + "clientProvidedHostHeader": "ssm.me-northwest-3r.amazonaws.com", + "tlsVersion": "TLSv1.2" + }, + "userAgent": "stratus-red-team_ae66c4b1-50c7-490d-b027-3a699952bd6a", + "userIdentity": { + "accessKeyId": "AKIA4HNRH6OJUWNZ893Z", + "accountId": "294599468799", + "arn": "arn:aws:iam::294599468799:user/christophe", + "principalId": "AIDAH36QPLPPPZVXSD3V", + "type": "IAMUser", + "userName": "christophe" + } + } +] \ No newline at end of file diff --git a/docs/detonation-logs/aws.exfiltration.ec2-security-group-open-port-22-ingress.json b/docs/detonation-logs/aws.exfiltration.ec2-security-group-open-port-22-ingress.json new file mode 100644 index 000000000..b31dfd8de --- /dev/null 
+++ b/docs/detonation-logs/aws.exfiltration.ec2-security-group-open-port-22-ingress.json @@ -0,0 +1,57 @@ +[ + { + "awsRegion": "us-northeast-1r", + "eventCategory": "Management", + "eventID": "9fd68588-ecbf-4528-a345-199fa6bb0821", + "eventName": "AuthorizeSecurityGroupIngress", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:23:55Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "032092706103", + "requestID": "dc1dabbf-d7cb-4966-a3de-ac69d5cfc633", + "requestParameters": { + "cidrIp": "208.236.235.254/0", + "fromPort": 22, + "groupId": "sg-003dc7f1f1c686164", + "ipPermissions": {}, + "ipProtocol": "tcp", + "toPort": 22 + }, + "responseElements": { + "_return": true, + "requestId": "dc1dabbf-d7cb-4966-a3de-ac69d5cfc633", + "securityGroupRuleSet": { + "items": [ + { + "cidrIpv4": "208.236.235.254/0", + "fromPort": 22, + "groupId": "sg-003dc7f1f1c686164", + "groupOwnerId": "032092706103", + "ipProtocol": "tcp", + "isEgress": false, + "securityGroupRuleId": "sgr-09b3e3d2ca1edf2a2", + "toPort": 22 + } + ] + } + }, + "sourceIPAddress": "253.243.215.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.us-northeast-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_1004a4ff-b486-4981-a84b-6322905f37cc", + "userIdentity": { + "accessKeyId": "AKIAXW7UJ577KFYIAHIM", + "accountId": "032092706103", + "arn": "arn:aws:iam::032092706103:user/christophe", + "principalId": "AIDAQ5Y2TGCDATQV6SRP", + "type": "IAMUser", + "userName": "christophe" + } + } +] \ No newline at end of file diff --git a/docs/detonation-logs/aws.exfiltration.ec2-share-ami.json b/docs/detonation-logs/aws.exfiltration.ec2-share-ami.json new file mode 100644 index 000000000..803565971 --- /dev/null +++ b/docs/detonation-logs/aws.exfiltration.ec2-share-ami.json 
@@ -0,0 +1,48 @@ +[ + { + "awsRegion": "me-south-1r", + "eventCategory": "Management", + "eventID": "1f00bcfa-e050-4c2e-b99b-768ebe3a3dd3", + "eventName": "ModifyImageAttribute", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:25:57Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "118238665043", + "requestID": "dd81ae39-a261-4e85-87a4-01fe22abc602", + "requestParameters": { + "attributeType": "launchPermission", + "imageId": "ami-de1fbCab6ccB03e6D", + "launchPermission": { + "add": { + "items": [ + { + "userId": "846424999548" + } + ] + } + } + }, + "responseElements": { + "_return": true, + "requestId": "dd81ae39-a261-4e85-87a4-01fe22abc602" + }, + "sourceIPAddress": "253.19.58.252", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.me-south-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_a532baf6-7731-4c0f-b089-48508276f787", + "userIdentity": { + "accessKeyId": "AKIA40XZ2OQU8R4QKTAC", + "accountId": "118238665043", + "arn": "arn:aws:iam::118238665043:user/christophe", + "principalId": "AIDAYO61EC4B4W5G6BXN", + "type": "IAMUser", + "userName": "christophe" + } + } +] \ No newline at end of file diff --git a/docs/detonation-logs/aws.exfiltration.ec2-share-ebs-snapshot.json b/docs/detonation-logs/aws.exfiltration.ec2-share-ebs-snapshot.json new file mode 100644 index 000000000..18b941d08 --- /dev/null +++ b/docs/detonation-logs/aws.exfiltration.ec2-share-ebs-snapshot.json 
@@ -0,0 +1,48 @@ +[ + { + "awsRegion": "me-central-3r", + "eventCategory": "Management", + "eventID": "6897ff63-d738-445c-9e86-43e5b1f8e12f", + "eventName": "ModifySnapshotAttribute", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2024-08-01T12:28:02Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "756680937392", + "requestID": "aeddc4a7-2043-405e-8b19-5a913367249e", + "requestParameters": { + "attributeType": "CREATE_VOLUME_PERMISSION", + "createVolumePermission": { + "add": { + "items": [ + { + "userId": "098797384747" + } + ] + } + }, + "snapshotId": "snap-041993b54a9b3af6f" + }, + "responseElements": { + "_return": true, + "requestId": "aeddc4a7-2043-405e-8b19-5a913367249e" + }, + "sourceIPAddress": "253.76.43.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2.me-central-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_7fcd50f2-f1da-4c82-bb7d-38b82021b080", + "userIdentity": { + "accessKeyId": "AKIAYLJU0B35TFSNKCS2", + "accountId": "756680937392", + "arn": "arn:aws:iam::756680937392:user/christophe", + "principalId": "AIDA7ETKRIUXU83QKECM", + "type": "IAMUser", + "userName": "christophe" + } + } +] \ No newline at end of file diff --git a/docs/detonation-logs/aws.exfiltration.rds-share-snapshot.json b/docs/detonation-logs/aws.exfiltration.rds-share-snapshot.json new file mode 100644 index 000000000..e950c550c --- /dev/null +++ b/docs/detonation-logs/aws.exfiltration.rds-share-snapshot.json 
@@ -0,0 +1,49 @@ +[ + { + "awsRegion": "meiso-eastwest-2r", + "eventCategory": "Management", + "eventID": "fef2bf02-bbea-4d0f-a91c-e6ccfe3fba46", + "eventName": "ModifyDBSnapshotAttribute", + "eventSource": "rds.amazonaws.com", + "eventTime": "2024-08-01T12:38:06Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "171471557522", + "requestID": "3fd13676-52a0-4680-8491-71a8e28ea7f5", + "requestParameters": { + "attributeName": "restore", + "dBSnapshotIdentifier": "exfiltration", + "valuesToAdd": [ + "503161813013" + ] + }, + "responseElements": { + "dBSnapshotAttributes": [ + { + "attributeName": "restore", + "attributeValues": [ + "503161813013" + ] + } + ], + "dBSnapshotIdentifier": "exfiltration" + }, + "sourceIPAddress": "204.10.215.184", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "rds.meiso-eastwest-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_5ca5319a-2127-4f13-a878-495bc59244b3", + "userIdentity": { + "accessKeyId": "AKIAIYTVC64GTXUFCS2X", + "accountId": "171471557522", + "arn": "arn:aws:iam::171471557522:user/christophe", + "principalId": "AIDA3MGXB5NR71XRJU40", + "type": "IAMUser", + "userName": "christophe" + } + } +] \ No newline at end of file diff --git a/docs/detonation-logs/aws.initial-access.console-login-without-mfa.json b/docs/detonation-logs/aws.initial-access.console-login-without-mfa.json new file mode 100644 index 000000000..f974a5724 --- /dev/null +++ b/docs/detonation-logs/aws.initial-access.console-login-without-mfa.json 
@@ -0,0 +1,38 @@ +[ + { + "additionalEventData": { + "LoginTo": "https://console.aws.amazon.com/console/home", + "MFAUsed": "No", + "MobileVersion": "No" + }, + "awsRegion": "eu-west-2r", + "eventCategory": "Management", + "eventID": "865d9377-9c6b-4fd7-8aad-725e95f6a140", + "eventName": "ConsoleLogin", + "eventSource": "signin.amazonaws.com", + "eventTime": "2024-08-02T08:53:24Z", + "eventType": "AwsConsoleSignIn", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "562283505220", + "requestParameters": null, + "responseElements": { + "ConsoleLogin": "Success" + }, + "sourceIPAddress": "225.01.00.16", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "signin.aws.amazon.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_fccf7123-0651-41f5-b06c-460da5ee1c94", + "userIdentity": { + "accountId": "562283505220", + "arn": "arn:aws:iam::562283505220:user/stratus-red-team-nmfalu-jfzdtsvchl", + "principalId": "AIDA1ERT0661IN5R239V", + "type": "IAMUser", + "userName": "stratus-red-team-nmfalu-jfzdtsvchl" + } + } +] \ No newline at end of file diff --git a/docs/detonation-logs/aws.lateral-movement.ec2-instance-connect.json b/docs/detonation-logs/aws.lateral-movement.ec2-instance-connect.json new file mode 100644 index 000000000..5f0dc8d70 --- /dev/null +++ b/docs/detonation-logs/aws.lateral-movement.ec2-instance-connect.json 
@@ -0,0 +1,116 @@ +[ + { + "awsRegion": "eu-south-1r", + "eventCategory": "Management", + "eventID": "0968cbec-f8df-43f3-94ba-b451aad083ed", + "eventName": "SendSSHPublicKey", + "eventSource": "ec2-instance-connect.amazonaws.com", + "eventTime": "2024-08-01T13:24:47Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "572910899909", + "requestID": "1f1786bd-e04c-4fd9-af8c-6a5d69376c41", + "requestParameters": { + "instanceId": "i-fDb357cB7e99ad973", + "instanceOSUser": "ec2-user", + "sSHPublicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtAlK45MAEWZ7MUY2QEmi3M6W+peGL3VCrc0qH54xRu" + }, + "responseElements": { + "requestId": "1f1786bd-e04c-4fd9-af8c-6a5d69376c41", + "success": true + }, + "sourceIPAddress": "246.227.146.251", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2-instance-connect.eu-south-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_84a22508-bcc6-424d-9973-3f841ebf8875", + "userIdentity": { + "accessKeyId": "AKIAGM9ZC9KUL0AYEVUM", + "accountId": "572910899909", + "arn": "arn:aws:iam::572910899909:user/christophe", + "principalId": "AIDAHG2QGAX7XGTRYBZ5", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "eu-south-1r", + "eventCategory": "Management", + "eventID": "1214f520-2eaf-4438-92ab-304bcf115296", + "eventName": "SendSSHPublicKey", + "eventSource": "ec2-instance-connect.amazonaws.com", + "eventTime": "2024-08-01T13:24:47Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "572910899909", + "requestID": "b8b0d6ce-b722-4757-9649-c8a9d492a31d", + "requestParameters": { + "instanceId": "i-6D7Fb8F606130A33d", + "instanceOSUser": "ec2-user", + "sSHPublicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtAlK45MAEWZ7MUY2QEmi3M6W+peGL3VCrc0qH54xRu" + }, + "responseElements": { + "requestId": 
"b8b0d6ce-b722-4757-9649-c8a9d492a31d", + "success": true + }, + "sourceIPAddress": "246.227.146.251", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2-instance-connect.eu-south-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_84a22508-bcc6-424d-9973-3f841ebf8875", + "userIdentity": { + "accessKeyId": "AKIAGM9ZC9KUL0AYEVUM", + "accountId": "572910899909", + "arn": "arn:aws:iam::572910899909:user/christophe", + "principalId": "AIDAHG2QGAX7XGTRYBZ5", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "eu-south-1r", + "eventCategory": "Management", + "eventID": "803d3bd8-44cb-4284-a4a9-cdfde3b00570", + "eventName": "SendSSHPublicKey", + "eventSource": "ec2-instance-connect.amazonaws.com", + "eventTime": "2024-08-01T13:24:47Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "572910899909", + "requestID": "98b43826-b4f9-4606-bb34-191e73734cfd", + "requestParameters": { + "instanceId": "i-9d2abfF1798C34950", + "instanceOSUser": "ec2-user", + "sSHPublicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtAlK45MAEWZ7MUY2QEmi3M6W+peGL3VCrc0qH54xRu" + }, + "responseElements": { + "requestId": "98b43826-b4f9-4606-bb34-191e73734cfd", + "success": true + }, + "sourceIPAddress": "246.227.146.251", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "ec2-instance-connect.eu-south-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_84a22508-bcc6-424d-9973-3f841ebf8875", + "userIdentity": { + "accessKeyId": "AKIAGM9ZC9KUL0AYEVUM", + "accountId": "572910899909", + "arn": "arn:aws:iam::572910899909:user/christophe", + "principalId": "AIDAHG2QGAX7XGTRYBZ5", + "type": "IAMUser", + "userName": "christophe" + } + } +] \ No newline at end of file 
diff --git a/docs/detonation-logs/aws.persistence.iam-backdoor-role.json b/docs/detonation-logs/aws.persistence.iam-backdoor-role.json new file mode 100644 index 000000000..20864bad8 --- /dev/null +++ b/docs/detonation-logs/aws.persistence.iam-backdoor-role.json @@ -0,0 +1,36 @@ +[ + { + "awsRegion": "ca-isob-northsouth-1r", + "eventCategory": "Management", + "eventID": "62e290e2-ee95-4a7c-a9f8-db4ef462b12d", + "eventName": "UpdateAssumeRolePolicy", + "eventSource": "iam.amazonaws.com", + "eventTime": "2024-08-01T13:29:57Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "751203476945", + "requestID": "295ee6e3-1da9-416f-885d-ad65d876ef82", + "requestParameters": { + "policyDocument": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"Service\": \"ec2.amazonaws.com\"\n },\n \"Action\": \"sts:AssumeRole\"\n },\n {\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::193672423079:root\"\n },\n \"Action\": \"sts:AssumeRole\"\n }\n ]\n}", + "roleName": "stratus-red-team-backdoor-r-role" + }, + "responseElements": null, + "sourceIPAddress": "225.178.039.250", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "iam.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_180e078f-4ad3-40c5-9ec3-efff37e17b25", + "userIdentity": { + "accessKeyId": "AKIAMUV7B57OZM0RV05D", + "accountId": "751203476945", + "arn": "arn:aws:iam::751203476945:user/christophe", + "principalId": "AIDA7SLGLLJ9LWK18E4Y", + "type": "IAMUser", + "userName": "christophe" + } + } +] \ No newline at end of file diff --git a/docs/detonation-logs/aws.persistence.iam-backdoor-user.json b/docs/detonation-logs/aws.persistence.iam-backdoor-user.json new file mode 100644 index 000000000..6b4e1f671 --- /dev/null +++ b/docs/detonation-logs/aws.persistence.iam-backdoor-user.json 
@@ -0,0 +1,42 @@ +[ + { + "awsRegion": "ap-central-2r", + "eventCategory": "Management", + "eventID": "c64c4ded-ef03-4e5c-81eb-153b118d72f2", + "eventName": "CreateAccessKey", + "eventSource": "iam.amazonaws.com", + "eventTime": "2024-07-30T21:53:13Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "946986569305", + "requestID": "1af58177-d743-4c94-ac1d-014721ed9b94", + "requestParameters": { + "userName": "stratus-red-team-backdoor-u-user" + }, + "responseElements": { + "accessKey": { + "accessKeyId": "AKIAL80DWDVKKM0UXEER", + "createDate": "Jul 30, 2024 9:53:13 PM", + "status": "Active", + "userName": "stratus-red-team-backdoor-u-user" + } + }, + "sourceIPAddress": "211.9.016.253", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "iam.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_f3f19dcd-8552-47ca-a01e-0e1f5578d15e", + "userIdentity": { + "accessKeyId": "AKIA30BEZSJBVKOFKZW0", + "accountId": "946986569305", + "arn": "arn:aws:iam::946986569305:user/christophe", + "principalId": "AIDAKYRO1QIPZ5M62HCS", + "type": "IAMUser", + "userName": "christophe" + } + } +] \ No newline at end of file diff --git a/docs/detonation-logs/aws.persistence.iam-create-admin-user.json b/docs/detonation-logs/aws.persistence.iam-create-admin-user.json new file mode 100644 index 000000000..737ce35c9 --- /dev/null +++ b/docs/detonation-logs/aws.persistence.iam-create-admin-user.json 
@@ -0,0 +1,129 @@ +[ + { + "awsRegion": "ap-isob-central-3r", + "eventCategory": "Management", + "eventID": "083dc4ad-e264-46bc-a407-d0dd31b58bdc", + "eventName": "AttachUserPolicy", + "eventSource": "iam.amazonaws.com", + "eventTime": "2024-08-01T13:33:28Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "229654561268", + "requestID": "710f2703-6e8a-46d5-9924-b12a3a681755", + "requestParameters": { + "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess", + "userName": "malicious-iam-user" + }, + "responseElements": null, + "sourceIPAddress": "075.050.255.67", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "iam.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_6bf00313-712c-4fd2-9bdd-88f48a4b1282", + "userIdentity": { + "accessKeyId": "AKIAOZUDECYXYM4ONAN4", + "accountId": "229654561268", + "arn": "arn:aws:iam::229654561268:user/christophe", + "principalId": "AIDAZ49AHUAJ9OEK73O5", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ap-isob-central-3r", + "eventCategory": "Management", + "eventID": "94faedcc-0fa4-46e6-9322-022e8e934f04", + "eventName": "CreateAccessKey", + "eventSource": "iam.amazonaws.com", + "eventTime": "2024-08-01T13:33:28Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "229654561268", + "requestID": "0ee5fc85-66bb-4602-a69e-9a5a2a3add30", + "requestParameters": { + "userName": "malicious-iam-user" + }, + "responseElements": { + "accessKey": { + "accessKeyId": "AKIAXAFZN8JEPF6L682H", + "createDate": "Aug 1, 2024 1:33:28 PM", + "status": "Active", + "userName": "malicious-iam-user" + } + }, + "sourceIPAddress": "075.050.255.67", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "iam.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": 
"stratus-red-team_6bf00313-712c-4fd2-9bdd-88f48a4b1282", + "userIdentity": { + "accessKeyId": "AKIAOZUDECYXYM4ONAN4", + "accountId": "229654561268", + "arn": "arn:aws:iam::229654561268:user/christophe", + "principalId": "AIDAZ49AHUAJ9OEK73O5", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ap-isob-central-3r", + "eventCategory": "Management", + "eventID": "3346344c-5a3e-429e-8405-420f98f75d6e", + "eventName": "CreateUser", + "eventSource": "iam.amazonaws.com", + "eventTime": "2024-08-01T13:33:28Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "229654561268", + "requestID": "64ef9c47-6b64-4c0e-8c32-eb9ffaf8a658", + "requestParameters": { + "tags": [ + { + "key": "StratusRedTeam", + "value": "true" + } + ], + "userName": "malicious-iam-user" + }, + "responseElements": { + "user": { + "arn": "arn:aws:iam::229654561268:user/malicious-iam-user", + "createDate": "Aug 1, 2024 1:33:28 PM", + "path": "/", + "tags": [ + { + "key": "StratusRedTeam", + "value": "true" + } + ], + "userId": "AIDAL1XMLVWIUOK8KAF0", + "userName": "malicious-iam-user" + } + }, + "sourceIPAddress": "075.050.255.67", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "iam.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_6bf00313-712c-4fd2-9bdd-88f48a4b1282", + "userIdentity": { + "accessKeyId": "AKIAOZUDECYXYM4ONAN4", + "accountId": "229654561268", + "arn": "arn:aws:iam::229654561268:user/christophe", + "principalId": "AIDAZ49AHUAJ9OEK73O5", + "type": "IAMUser", + "userName": "christophe" + } + } +] \ No newline at end of file diff --git a/docs/detonation-logs/aws.persistence.iam-create-backdoor-role.json b/docs/detonation-logs/aws.persistence.iam-create-backdoor-role.json new file mode 100644 index 000000000..c06f23aec --- /dev/null +++ b/docs/detonation-logs/aws.persistence.iam-create-backdoor-role.json 
@@ -0,0 +1,84 @@ +[ + { + "awsRegion": "sagov-west-2r", + "eventCategory": "Management", + "eventID": "39480357-0a1d-4531-a3f2-71be4c041c25", + "eventName": "AttachRolePolicy", + "eventSource": "iam.amazonaws.com", + "eventTime": "2024-08-01T13:37:41Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "609418236337", + "requestID": "09b3fc1c-c0c0-4e86-9bad-e0928a089e0d", + "requestParameters": { + "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess", + "roleName": "stratus-red-team-malicious-iam-role" + }, + "responseElements": null, + "sourceIPAddress": "209.209.254.254", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "iam.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_e2808a95-acc5-4508-b083-d31d6f4315d9", + "userIdentity": { + "accessKeyId": "AKIA0W5KI69TY8X86BGT", + "accountId": "609418236337", + "arn": "arn:aws:iam::609418236337:user/christophe", + "principalId": "AIDAK4TRC24VBN0JX8JX", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "sagov-west-2r", + "eventCategory": "Management", + "eventID": "d2905ac3-9898-433f-b10d-9302abe4e208", + "eventName": "CreateRole", + "eventSource": "iam.amazonaws.com", + "eventTime": "2024-08-01T13:37:41Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "609418236337", + "requestID": "105d4d57-6f6d-43ce-b6a4-5b67c68b4ab5", + "requestParameters": { + "assumeRolePolicyDocument": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::193672423079:root\"\n },\n \"Action\": \"sts:AssumeRole\"\n }\n ]\n}", + "permissionsBoundary": "arn:aws:iam::aws:policy/AWSDenyAll", + "roleName": "stratus-red-team-malicious-iam-role" + }, + "responseElements": { + "role": { + "arn": 
"arn:aws:iam::609418236337:role/stratus-red-team-malicious-iam-role", + "assumeRolePolicyDocument": "%7B%0A%20%20%22Version%22%3A%20%222012-10-17%22%2C%0A%20%20%22Statement%22%3A%20%5B%0A%20%20%20%20%7B%0A%20%20%20%20%20%20%22Effect%22%3A%20%22Allow%22%2C%0A%20%20%20%20%20%20%22Principal%22%3A%20%7B%0A%20%20%20%20%20%20%20%20%22AWS%22%3A%20%22arn%3Aaws%3Aiam%3A%3A193672423079%3Aroot%22%0A%20%20%20%20%20%20%7D%2C%0A%20%20%20%20%20%20%22Action%22%3A%20%22sts%3AAssumeRole%22%0A%20%20%20%20%7D%0A%20%20%5D%0A%7D", + "createDate": "Aug 1, 2024 1:37:41 PM", + "path": "/", + "permissionsBoundary": { + "permissionsBoundaryArn": "arn:aws:iam::aws:policy/AWSDenyAll", + "permissionsBoundaryType": "Policy" + }, + "roleId": "AROA53G8Z8NGXMJ597G3E", + "roleName": "stratus-red-team-malicious-iam-role" + } + }, + "sourceIPAddress": "209.209.254.254", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "iam.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_e2808a95-acc5-4508-b083-d31d6f4315d9", + "userIdentity": { + "accessKeyId": "AKIA0W5KI69TY8X86BGT", + "accountId": "609418236337", + "arn": "arn:aws:iam::609418236337:user/christophe", + "principalId": "AIDAK4TRC24VBN0JX8JX", + "type": "IAMUser", + "userName": "christophe" + } + } +] \ No newline at end of file diff --git a/docs/detonation-logs/aws.persistence.iam-create-user-login-profile.json b/docs/detonation-logs/aws.persistence.iam-create-user-login-profile.json new file mode 100644 index 000000000..afe4be5f5 --- /dev/null +++ b/docs/detonation-logs/aws.persistence.iam-create-user-login-profile.json 
@@ -0,0 +1,108 @@ +[ + { + "awsRegion": "ap-central-2r", + "eventCategory": "Management", + "eventID": "e544d47e-6d75-45cf-a8a9-7e90d5f7d38d", + "eventName": "GetCallerIdentity", + "eventSource": "sts.amazonaws.com", + "eventTime": "2024-08-01T13:42:21Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "070411556318", + "requestID": "8a4782c5-408f-4ff4-be0b-6e10202f385f", + "requestParameters": null, + "responseElements": null, + "sourceIPAddress": "253.234.5.234", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "sts.ap-central-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_99dfa7e5-00d3-40b7-8cfd-b2573ada0eac", + "userIdentity": { + "accessKeyId": "AKIAE18PGYHCY2CYMTFK", + "accountId": "070411556318", + "arn": "arn:aws:iam::070411556318:user/christophe", + "principalId": "AIDAWVCXQ27A1H7FID62", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ap-central-2r", + "errorCode": "EntityTemporarilyUnmodifiableException", + "errorMessage": "Login Profile for User stratus-red-team-login-profile-user cannot be modified while login profile is being created.", + "eventCategory": "Management", + "eventID": "64fb98c9-cb40-4f9a-b800-6c15e82e9be6", + "eventName": "DeleteLoginProfile", + "eventSource": "iam.amazonaws.com", + "eventTime": "2024-08-01T13:42:22Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "070411556318", + "requestID": "a0953f02-9f5f-408a-8188-427026ef914b", + "requestParameters": { + "userName": "stratus-red-team-login-profile-user" + }, + "responseElements": null, + "sourceIPAddress": "253.234.5.234", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "iam.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": 
"stratus-red-team_99dfa7e5-00d3-40b7-8cfd-b2573ada0eac", + "userIdentity": { + "accessKeyId": "AKIAE18PGYHCY2CYMTFK", + "accountId": "070411556318", + "arn": "arn:aws:iam::070411556318:user/christophe", + "principalId": "AIDAWVCXQ27A1H7FID62", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "ap-central-2r", + "eventCategory": "Management", + "eventID": "d3906a7d-604b-407f-acb6-fc425742821e", + "eventName": "CreateLoginProfile", + "eventSource": "iam.amazonaws.com", + "eventTime": "2024-08-01T13:42:21Z", + "eventType": "AwsApiCall", + "eventVersion": "1.09", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "070411556318", + "requestID": "cb603f7a-02cc-4123-9855-658655364408", + "requestParameters": { + "passwordResetRequired": false, + "userName": "stratus-red-team-login-profile-user" + }, + "responseElements": { + "loginProfile": { + "createDate": "Aug 1, 2024 1:42:21 PM", + "passwordResetRequired": false, + "userName": "stratus-red-team-login-profile-user" + } + }, + "sourceIPAddress": "253.234.5.234", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "iam.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_99dfa7e5-00d3-40b7-8cfd-b2573ada0eac", + "userIdentity": { + "accessKeyId": "AKIAE18PGYHCY2CYMTFK", + "accountId": "070411556318", + "arn": "arn:aws:iam::070411556318:user/christophe", + "principalId": "AIDAWVCXQ27A1H7FID62", + "type": "IAMUser", + "userName": "christophe" + } + } +] \ No newline at end of file diff --git a/docs/detonation-logs/aws.persistence.lambda-backdoor-function.json b/docs/detonation-logs/aws.persistence.lambda-backdoor-function.json new file mode 100644 index 000000000..1696aeafa --- /dev/null +++ b/docs/detonation-logs/aws.persistence.lambda-backdoor-function.json 
@@ -0,0 +1,40 @@ +[ + { + "awsRegion": "ca-centralnorth-1r", + "eventCategory": "Management", + "eventID": "b67a9bba-d9da-4980-bf74-baed881b117d", + "eventName": "AddPermission20150331v2", + "eventSource": "lambda.amazonaws.com", + "eventTime": "2024-08-01T13:47:16Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "880896431042", + "requestID": "c84f1436-60be-4ad8-a6f7-f3c44d47df3a", + "requestParameters": { + "action": "lambda:InvokeFunction", + "functionName": "stratus-red-team-backdoor-f-func", + "principal": "*", + "statementId": "backdoor" + }, + "responseElements": { + "statement": "{\"Sid\":\"backdoor\",\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"lambda:InvokeFunction\",\"Resource\":\"arn:aws:lambda:ca-centralnorth-1r:880896431042:function:stratus-red-team-backdoor-f-func\"}" + }, + "sourceIPAddress": "151.236.251.251", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "lambda.ca-centralnorth-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_a5b48423-fe4e-446d-a058-0f2b624cdfb1", + "userIdentity": { + "accessKeyId": "AKIAYALJGCQ7J893JO5I", + "accountId": "880896431042", + "arn": "arn:aws:iam::880896431042:user/christophe", + "principalId": "AIDAC4Q0BJF2SN7BSHFO", + "type": "IAMUser", + "userName": "christophe" + } + } +] \ No newline at end of file diff --git a/docs/detonation-logs/aws.persistence.lambda-layer-extension.json b/docs/detonation-logs/aws.persistence.lambda-layer-extension.json new file mode 100644 index 000000000..9719489bd --- /dev/null +++ b/docs/detonation-logs/aws.persistence.lambda-layer-extension.json 
@@ -0,0 +1,86 @@ +[ + { + "awsRegion": "eugov-eastcentral-1r", + "eventCategory": "Management", + "eventID": "da929d96-8e20-475c-a810-973addd64769", + "eventName": "UpdateFunctionConfiguration20150331v2", + "eventSource": "lambda.amazonaws.com", + "eventTime": "2024-07-30T21:57:20Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "712967571683", + "requestID": "e8dffadf-9660-4d37-805f-b6dd8ac15959", + "requestParameters": { + "environment": {}, + "functionName": "arn:aws:lambda:eugov-eastcentral-1r:712967571683:function:stratus-red-team-lambda-layer-simpleLambda", + "layers": [ + "arn:aws:lambda:eugov-eastcentral-1r:712967571683:layer:stratus-red-team-lambda-layer-my-lambda-extension:1" + ] + }, + "responseElements": { + "architectures": [ + "x86_64" + ], + "codeSha256": "yoqgXJ3G1ROsFXLUfkxIKHbCiKf2eKCiIkxoktNUoNE=", + "codeSize": 258, + "description": "", + "environment": {}, + "ephemeralStorage": { + "size": 512 + }, + "functionArn": "arn:aws:lambda:eugov-eastcentral-1r:712967571683:function:stratus-red-team-lambda-layer-simpleLambda", + "functionName": "stratus-red-team-lambda-layer-simpleLambda", + "handler": "stratus-red-team-lambda-layer-simpleLambda.handler", + "lastModified": "2024-07-30T21:57:15.000+0000", + "lastUpdateStatus": "InProgress", + "lastUpdateStatusReason": "The function is being created.", + "lastUpdateStatusReasonCode": "Creating", + "layers": [ + { + "arn": "arn:aws:lambda:eugov-eastcentral-1r:712967571683:layer:stratus-red-team-lambda-layer-my-lambda-extension:1", + "codeSize": 2120, + "uncompressedCodeSize": 2672 + } + ], + "loggingConfig": { + "logFormat": "Text", + "logGroup": "/aws/lambda/stratus-red-team-lambda-layer-simpleLambda" + }, + "memorySize": 128, + "packageType": "Zip", + "revisionId": "7e710d48-c7d2-419c-b0bb-2f014bb742d8", + "role": "arn:aws:iam::712967571683:role/stratus-red-team-lambda-layer-lambda-role", + "runtime": "python3.10", + 
"runtimeVersionConfig": { + "runtimeVersionArn": "arn:aws:lambda:eugov-eastcentral-1r::runtime:fa339b789ded6e524b73b2ce2d1529eb06258c05ffa71ea5c8283c8dc106fbe3" + }, + "snapStart": { + "applyOn": "None", + "optimizationStatus": "Off" + }, + "state": "Active", + "timeout": 20, + "tracingConfig": { + "mode": "PassThrough" + }, + "version": "$LATEST" + }, + "sourceIPAddress": "211.219.255.238", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "lambda.eugov-eastcentral-1r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_cc572e3c-6c82-4c71-82f7-bf38ee5dbb4d", + "userIdentity": { + "accessKeyId": "AKIAUBN5AMJF3I0EG996", + "accountId": "712967571683", + "arn": "arn:aws:iam::712967571683:user/christophe", + "principalId": "AIDACL6MX7XSJHAMTCHM", + "type": "IAMUser", + "userName": "christophe" + } + } +] \ No newline at end of file diff --git a/docs/detonation-logs/aws.persistence.lambda-overwrite-code.json b/docs/detonation-logs/aws.persistence.lambda-overwrite-code.json new file mode 100644 index 000000000..0c1e7e597 --- /dev/null +++ b/docs/detonation-logs/aws.persistence.lambda-overwrite-code.json 
@@ -0,0 +1,87 @@ +[ + { + "awsRegion": "ap-westeast-2r", + "eventCategory": "Management", + "eventID": "4672b74f-2466-4784-b3fb-5b4db904a995", + "eventName": "UpdateFunctionCode20150331v2", + "eventSource": "lambda.amazonaws.com", + "eventTime": "2024-08-01T13:52:02Z", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "266106314375", + "requestID": "4ae683f5-13be-4305-8267-0d2fc47dd663", + "requestParameters": { + "dryRun": false, + "fullyQualifiedArn": { + "arnPrefix": { + "account": "266106314375", + "partition": "aws", + "region": "ap-westeast-2r" + }, + "functionQualifier": {}, + "relativeId": { + "functionName": "stratus-red-team-olc-func-vayhjqkdav" + } + }, + "functionName": "arn:aws:lambda:ap-westeast-2r:266106314375:function:stratus-red-team-olc-func-vayhjqkdav", + "publish": true + }, + "responseElements": { + "architectures": [ + "x86_64" + ], + "codeSha256": "Pt1c8vVaBygmNtAeSyjlpdy7r8nHRqJAAL++HEGlQkc=", + "codeSize": 211, + "description": "", + "environment": {}, + "ephemeralStorage": { + "size": 512 + }, + "functionArn": "arn:aws:lambda:ap-westeast-2r:266106314375:function:stratus-red-team-olc-func-vayhjqkdav:1", + "functionName": "stratus-red-team-olc-func-vayhjqkdav", + "handler": "lambda.lambda_handler", + "lastModified": "2024-08-01T13:52:02.000+0000", + "loggingConfig": { + "logFormat": "Text", + "logGroup": "/aws/lambda/stratus-red-team-olc-func-vayhjqkdav" + }, + "memorySize": 128, + "packageType": "Zip", + "revisionId": "80497f44-ab61-49ef-b235-4166136e3d10", + "role": "arn:aws:iam::266106314375:role/stratus-red-team-olc-lambda-vayhjqkdav", + "runtime": "python3.9", + "runtimeVersionConfig": { + "runtimeVersionArn": "arn:aws:lambda:ap-westeast-2r::runtime:be9e7121d3264b1e86158b38dbbb656c23dff979eb481793ee37b9e2b79fda22" + }, + "snapStart": { + "applyOn": "None", + "optimizationStatus": "Off" + }, + "state": "Pending", + "stateReason": "The function is being 
created.", + "stateReasonCode": "Creating", + "timeout": 3, + "tracingConfig": { + "mode": "PassThrough" + }, + "version": "1" + }, + "sourceIPAddress": "253.8.50.132", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "lambda.ap-westeast-2r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_856369f3-2721-42df-974b-3243863d6f55", + "userIdentity": { + "accessKeyId": "AKIAKHYV6FI4F4CJQMDV", + "accountId": "266106314375", + "arn": "arn:aws:iam::266106314375:user/christophe", + "principalId": "AIDAHSKGTD3UIOD3DXXY", + "type": "IAMUser", + "userName": "christophe" + } + } +] \ No newline at end of file diff --git a/docs/detonation-logs/aws.persistence.rolesanywhere-create-trust-anchor.json b/docs/detonation-logs/aws.persistence.rolesanywhere-create-trust-anchor.json new file mode 100644 index 000000000..44b301fa4 --- /dev/null +++ b/docs/detonation-logs/aws.persistence.rolesanywhere-create-trust-anchor.json 
@@ -0,0 +1,170 @@ +[ + { + "awsRegion": "cn-northsouth-3r", + "eventCategory": "Management", + "eventID": "66e5f252-e092-4ad0-9a33-a03595e05aca", + "eventName": "CreateTrustAnchor", + "eventSource": "rolesanywhere.amazonaws.com", + "eventTime": "2024-08-01T13:56:39Z", + "eventType": "AwsApiCall", + "eventVersion": "1.10", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "791182566784", + "requestID": "4f8955b7-2a80-43c8-8f56-055883a07632", + "requestParameters": { + "enabled": true, + "name": "malicious-rolesanywhere-trust-anchor", + "source": { + "sourceData": { + "x509CertificateData": "-----BEGIN CERTIFICATE-----\nMIIE3zCCAsegAwIBAgIJAOZLUn/n7YvYMA0GCSqGSIb3DQEBCwUAMA0xCzAJBgNV\nBAYTAkVTMB4XDTIyMDcxMDIxMjgxOVoXDTMyMDcwNzIxMjgxOVowDTELMAkGA1UE\nBhMCRVMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDb0ga7LzegYNXV\noBTY7ByNCtgqAEoZVQAEQAxpWzK4wL4V+TKRRGiP9KQSbMsU35dBuxzg2Ih62dwr\nh6S7vYX4eU8YpGcutrWekzAl+G4GwfbHcwJYt9ALrneFUUWEedYA6BTVG0b+cwIL\nOkVJSlB/4bAVFocwafdnFi3CLsIhXF/Yn90mnug+qsXSWPMZmTXaykiO9+AWV/pO\n/JNS2WLPp4EKUT3CGm12TxBMHG0sWG0xopuj4KXTsyJFELDevSo92ldqyCIJFgG8\nwBmbETxx9TlTPEU6hVkG4MLE2ekkEQK8WVLpZvTGFRrauawMhAzfFV9ZcgIsURy7\nv2/FlYL7OedesimPfGD8M1dkm4yK2dVvUf/HyEL1IB1+3NtAOoifZ5jBBJKaybF0\n/W85asZWVg+yKokFhmQRzu4BFnPhsoTwau+WuySYokbWIEzdW8FljWpwiPlvnqy+\nVJVKdZuzWx12yLzK5srQ4Qcb/tQqkooVASM0PH5ts3PYlf5hRgxqKgCR5lXODxoA\n0aylk6+wC2oBLhvufmwObsOMcxMbPv+EQvzYChL1MRLvEPAmATiE64ZLn8IOu9MG\n9GRC6D/NkLy9LdsPWfzx+W1itrWR3ft/uD/HXILAVc54HejbZGsPsLe7qITDNc7n\nD5zM+orgu67zgRaBOm1kPZbr/vHUFQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAYYw\nHQYDVR0OBBYEFJNT8WprixUiturSY9GAHXmAcP/RMA8GA1UdEwEB/wQFMAMBAf8w\nDQYJKoZIhvcNAQELBQADggIBAJ1clg4GzHuMxTmpz+riL2klUZEMpJPvy682c0iH\nNlG0f30cNHdSlnhCnx78h3n1xotSM8zZf6+LepCZWCzho5p3Fep7sDumQ+chgdIp\nNApgcGX7tpx+TVjrrwkpxioMSfVFHJ7RMSewumnOXw4NsUQmGJdku8FUR7BWRRiY\nfk0MoQ9nuwjt+RcSz/IKdFTzjI70nPikjSSd0L/ovWk5aXgLcnZpgzv6r4HbafJU\n7dEnP+paZugEUts+SNXr3vkSuiLod7iiOcmQFvtRDFUAn4QonoN/6lDDOGLYsy0J\nrv9GI+Y5VYt6JRGNJq/yCBV1KhhjaWll
0kl/UNxIr+hBQ5Vul9SiR3jbbNlRh1PE\nMPEAzhcqG8i3oZwwl62pjqPja+EvSuoPHf0tJ1rmjWmBt3irShSnuFN69+E4h20d\n2cHVyF4GqF2VdNPYa0lh0cSIsNCJJ5+eyXRHKPcUCKI7pDYdbKZt+8ILlZC5PsSK\nC0XsWIzqSG69Uqkm8c0P07NPmcAnGC3O92uhOrb4ytC2KyHVrNa+Bs6VYlYr3ayq\n5AVfJZGuSxldlyM0N/peEKqz9vok4FoBxxSZGDi9ZDIMjLTpypHOMXi0d8YcClFO\nlmRijJoUF95T+svxE60fdndPlleDKC8OnxvcIbS4OSK0ZqK1SFgTNaIgOniUSY6Q\nV0KM\n-----END CERTIFICATE-----" + }, + "sourceType": "CERTIFICATE_BUNDLE" + }, + "tags": [ + { + "key": "HIDDEN_DUE_TO_SECURITY_REASONS", + "value": "HIDDEN_DUE_TO_SECURITY_REASONS" + } + ] + }, + "responseElements": { + "trustAnchor": { + "createdAt": "2024-08-01T13:56:39.482702201Z", + "enabled": true, + "name": "malicious-rolesanywhere-trust-anchor", + "notificationSettings": [ + { + "channel": "ALL", + "configuredBy": "rolesanywhere.amazonaws.com", + "enabled": true, + "event": "CA_CERTIFICATE_EXPIRY", + "threshold": 45 + }, + { + "channel": "ALL", + "configuredBy": "rolesanywhere.amazonaws.com", + "enabled": true, + "event": "END_ENTITY_CERTIFICATE_EXPIRY", + "threshold": 45 + } + ], + "source": { + "sourceData": { + "x509CertificateData": "-----BEGIN 
CERTIFICATE-----\nMIIE3zCCAsegAwIBAgIJAOZLUn/n7YvYMA0GCSqGSIb3DQEBCwUAMA0xCzAJBgNV\nBAYTAkVTMB4XDTIyMDcxMDIxMjgxOVoXDTMyMDcwNzIxMjgxOVowDTELMAkGA1UE\nBhMCRVMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDb0ga7LzegYNXV\noBTY7ByNCtgqAEoZVQAEQAxpWzK4wL4V+TKRRGiP9KQSbMsU35dBuxzg2Ih62dwr\nh6S7vYX4eU8YpGcutrWekzAl+G4GwfbHcwJYt9ALrneFUUWEedYA6BTVG0b+cwIL\nOkVJSlB/4bAVFocwafdnFi3CLsIhXF/Yn90mnug+qsXSWPMZmTXaykiO9+AWV/pO\n/JNS2WLPp4EKUT3CGm12TxBMHG0sWG0xopuj4KXTsyJFELDevSo92ldqyCIJFgG8\nwBmbETxx9TlTPEU6hVkG4MLE2ekkEQK8WVLpZvTGFRrauawMhAzfFV9ZcgIsURy7\nv2/FlYL7OedesimPfGD8M1dkm4yK2dVvUf/HyEL1IB1+3NtAOoifZ5jBBJKaybF0\n/W85asZWVg+yKokFhmQRzu4BFnPhsoTwau+WuySYokbWIEzdW8FljWpwiPlvnqy+\nVJVKdZuzWx12yLzK5srQ4Qcb/tQqkooVASM0PH5ts3PYlf5hRgxqKgCR5lXODxoA\n0aylk6+wC2oBLhvufmwObsOMcxMbPv+EQvzYChL1MRLvEPAmATiE64ZLn8IOu9MG\n9GRC6D/NkLy9LdsPWfzx+W1itrWR3ft/uD/HXILAVc54HejbZGsPsLe7qITDNc7n\nD5zM+orgu67zgRaBOm1kPZbr/vHUFQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAYYw\nHQYDVR0OBBYEFJNT8WprixUiturSY9GAHXmAcP/RMA8GA1UdEwEB/wQFMAMBAf8w\nDQYJKoZIhvcNAQELBQADggIBAJ1clg4GzHuMxTmpz+riL2klUZEMpJPvy682c0iH\nNlG0f30cNHdSlnhCnx78h3n1xotSM8zZf6+LepCZWCzho5p3Fep7sDumQ+chgdIp\nNApgcGX7tpx+TVjrrwkpxioMSfVFHJ7RMSewumnOXw4NsUQmGJdku8FUR7BWRRiY\nfk0MoQ9nuwjt+RcSz/IKdFTzjI70nPikjSSd0L/ovWk5aXgLcnZpgzv6r4HbafJU\n7dEnP+paZugEUts+SNXr3vkSuiLod7iiOcmQFvtRDFUAn4QonoN/6lDDOGLYsy0J\nrv9GI+Y5VYt6JRGNJq/yCBV1KhhjaWll0kl/UNxIr+hBQ5Vul9SiR3jbbNlRh1PE\nMPEAzhcqG8i3oZwwl62pjqPja+EvSuoPHf0tJ1rmjWmBt3irShSnuFN69+E4h20d\n2cHVyF4GqF2VdNPYa0lh0cSIsNCJJ5+eyXRHKPcUCKI7pDYdbKZt+8ILlZC5PsSK\nC0XsWIzqSG69Uqkm8c0P07NPmcAnGC3O92uhOrb4ytC2KyHVrNa+Bs6VYlYr3ayq\n5AVfJZGuSxldlyM0N/peEKqz9vok4FoBxxSZGDi9ZDIMjLTpypHOMXi0d8YcClFO\nlmRijJoUF95T+svxE60fdndPlleDKC8OnxvcIbS4OSK0ZqK1SFgTNaIgOniUSY6Q\nV0KM\n-----END CERTIFICATE-----\n" + }, + "sourceType": "CERTIFICATE_BUNDLE" + }, + "trustAnchorArn": "arn:aws:rolesanywhere:cn-northsouth-3r:791182566784:trust-anchor/4d07f6a0-1c50-44d3-951b-b68b783daa0a", + "trustAnchorId": "4d07f6a0-1c50-44d3-951b-b68b783daa0a", 
+ "updatedAt": "2024-08-01T13:56:39.482702201Z" + } + }, + "sourceIPAddress": "221.252.237.0", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "rolesanywhere.cn-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_e2e652c1-ed4b-4402-b3b0-136ef4c9ace7", + "userIdentity": { + "accessKeyId": "AKIA3SBEM4QSKES6Z5F9", + "accountId": "791182566784", + "arn": "arn:aws:iam::791182566784:user/christophe", + "principalId": "AIDADMWJD73A3SNMRPEY", + "type": "IAMUser", + "userName": "christophe" + } + }, + { + "awsRegion": "cn-northsouth-3r", + "eventCategory": "Management", + "eventID": "aebbe7b5-7cfb-4b00-a30c-48078fedffd8", + "eventName": "CreateProfile", + "eventSource": "rolesanywhere.amazonaws.com", + "eventTime": "2024-08-01T13:56:39Z", + "eventType": "AwsApiCall", + "eventVersion": "1.10", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "791182566784", + "requestID": "4f6be2aa-b5b3-4f95-bad6-5751f3904fbf", + "requestParameters": { + "durationSeconds": 3600, + "enabled": true, + "name": "malicious-rolesanywhere-profile", + "roleArns": [ + "arn:aws:iam::791182566784:role/stratus-red-team-trust-anchor-role" + ], + "tags": [ + { + "key": "HIDDEN_DUE_TO_SECURITY_REASONS", + "value": "HIDDEN_DUE_TO_SECURITY_REASONS" + } + ] + }, + "responseElements": { + "profile": { + "acceptRoleSessionName": false, + "attributeMappings": [ + { + "certificateField": "x509Issuer", + "mappingRules": [ + { + "specifier": "*" + } + ] + }, + { + "certificateField": "x509SAN", + "mappingRules": [ + { + "specifier": "DNS" + }, + { + "specifier": "URI" + }, + { + "specifier": "Name/*" + } + ] + }, + { + "certificateField": "x509Subject", + "mappingRules": [ + { + "specifier": "*" + } + ] + } + ], + "createdAt": "2024-08-01T13:56:39.832628281Z", + "createdBy": "arn:aws:iam::791182566784:user/christophe", + "durationSeconds": 3600, + "enabled": true, + "name": "malicious-rolesanywhere-profile", 
+ "profileArn": "arn:aws:rolesanywhere:cn-northsouth-3r:791182566784:profile/910042eb-8463-427d-8095-6fd60ac303d9", + "profileId": "910042eb-8463-427d-8095-6fd60ac303d9", + "roleArns": [ + "arn:aws:iam::791182566784:role/stratus-red-team-trust-anchor-role" + ], + "updatedAt": "2024-08-01T13:56:39.832628281Z" + } + }, + "sourceIPAddress": "221.252.237.0", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "rolesanywhere.cn-northsouth-3r.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "stratus-red-team_e2e652c1-ed4b-4402-b3b0-136ef4c9ace7", + "userIdentity": { + "accessKeyId": "AKIA3SBEM4QSKES6Z5F9", + "accountId": "791182566784", + "arn": "arn:aws:iam::791182566784:user/christophe", + "principalId": "AIDADMWJD73A3SNMRPEY", + "type": "IAMUser", + "userName": "christophe" + } + } +] \ No newline at end of file diff --git a/mkdocs.yml b/mkdocs.yml index a311dd070..52c25a478 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -26,6 +26,7 @@ theme: - navigation.top - navigation.tabs - navigation.tabs.sticky + - content.code.copy icon: admonition: note: octicons/tag-16 diff --git a/v2/internal/attacktechniques/aws/credential-access/ec2-steal-instance-credentials/main.go b/v2/internal/attacktechniques/aws/credential-access/ec2-steal-instance-credentials/main.go index 206283214..09d96826c 100644 --- a/v2/internal/attacktechniques/aws/credential-access/ec2-steal-instance-credentials/main.go +++ b/v2/internal/attacktechniques/aws/credential-access/ec2-steal-instance-credentials/main.go @@ -97,6 +97,7 @@ func detonate(params map[string]string, providers stratus.CloudProviders) error metadataResponse["AccessKeyId"], metadataResponse["SecretAccessKey"], metadataResponse["Token"], + &providers.AWS().UniqueCorrelationId, ) newStsClient := sts.NewFromConfig(newAwsConnection) response, _ := newStsClient.GetCallerIdentity(context.Background(), &sts.GetCallerIdentityInput{}) 
diff --git a/v2/internal/attacktechniques/aws/discovery/ec2-enumerate-from-instance/main.go b/v2/internal/attacktechniques/aws/discovery/ec2-enumerate-from-instance/main.go
index 997eb7a1d..e26bf2959 100644
--- a/v2/internal/attacktechniques/aws/discovery/ec2-enumerate-from-instance/main.go
+++ b/v2/internal/attacktechniques/aws/discovery/ec2-enumerate-from-instance/main.go
@@ -8,6 +8,7 @@ import (
 "github.com/aws/aws-sdk-go-v2/service/ssm"
 "github.com/datadog/stratus-red-team/v2/pkg/stratus"
 "github.com/datadog/stratus-red-team/v2/pkg/stratus/mitreattack"
+ "github.com/datadog/stratus-red-team/v2/pkg/stratus/useragent"
 "log"
 "strings"
 "time"
@@ -63,9 +64,11 @@ arn:aws:sts::012345678901:assumed-role/my-instance-role/i-0adc17a5acb70d9ae
 }
 
 func detonate(params map[string]string, providers stratus.CloudProviders) error {
- ssmClient := ssm.NewFromConfig(providers.AWS().GetConnection())
+ awsProvider := providers.AWS()
+ ssmClient := ssm.NewFromConfig(awsProvider.GetConnection())
 instanceId := params["instance_id"]
 commands := []string{
+ "export AWS_EXECUTION_ENV=" + useragent.GetStratusUserAgentForUUID(awsProvider.UniqueCorrelationId), // propagate detonation UID
 "aws sts get-caller-identity || true", // Note: we need the || true to ensure the command exits with status 0, even if the instance role doesn't have the permission
 "aws s3 ls || true",
 "aws iam get-account-summary || true",
diff --git a/v2/internal/attacktechniques/aws/initial-access/console-login-without-mfa/main.go b/v2/internal/attacktechniques/aws/initial-access/console-login-without-mfa/main.go
index 3538ada96..145d3fda2 100644
--- a/v2/internal/attacktechniques/aws/initial-access/console-login-without-mfa/main.go
+++ b/v2/internal/attacktechniques/aws/initial-access/console-login-without-mfa/main.go
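Review bot: The user-agent value is interpolated unquoted into the shell line `"export AWS_EXECUTION_ENV=" + useragent.GetStratusUserAgentForUUID(awsProvider.UniqueCorrelationId)`; this only works because the string is currently `stratus-red-team_<uuid>`, so any future change to the prefix that introduces a space or shell metacharacter would silently break the export and every command after it. Single-quoting the value, `"export AWS_EXECUTION_ENV='" + useragent.GetStratusUserAgentForUUID(awsProvider.UniqueCorrelationId) + "'",`, removes that dependency. The inline comment should also say what readers of CloudTrail will see: the AWS CLI appears to append this variable to its own user agent as an `exec-env/…` token rather than replacing it, so correlating these SSM-driven calls to the detonation means substring-matching the UUID, not matching the whole `userAgent` field as the SDK calls in the detonation logs allow. detonate's body continues outside the hunk.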
@@ -4,9 +4,9 @@ import ( _ "embed" "encoding/json" "errors" - providersInternal "github.com/datadog/stratus-red-team/v2/internal/providers" "github.com/datadog/stratus-red-team/v2/pkg/stratus" "github.com/datadog/stratus-red-team/v2/pkg/stratus/mitreattack" + "github.com/datadog/stratus-red-team/v2/pkg/stratus/useragent" "io" "log" "net/http" @@ -136,7 +136,7 @@ func buildHttpRequest(params map[string]string, providers stratus.CloudProviders // http.DefaultTransport = &http.Transport{Proxy: http.ProxyURL(proxyUrl), TLSClientConfig: &tls.Config{InsecureSkipVerify: true}} req.Header.Add("Referer", "https://signin.aws.amazon.com") req.Header.Set("Content-Type", "application/x-www-form-urlencoded") - req.Header.Set("User-Agent", providersInternal.GetStratusUserAgentForUUID(providers.AWS().UniqueCorrelationId)) + req.Header.Set("User-Agent", useragent.GetStratusUserAgentForUUID(providers.AWS().UniqueCorrelationId)) return req } diff --git a/v2/internal/attacktechniques/k8s/privilege-escalation/nodes-proxy/main.go b/v2/internal/attacktechniques/k8s/privilege-escalation/nodes-proxy/main.go index 521acb138..492508ab8 100644 --- a/v2/internal/attacktechniques/k8s/privilege-escalation/nodes-proxy/main.go +++ b/v2/internal/attacktechniques/k8s/privilege-escalation/nodes-proxy/main.go @@ -9,6 +9,7 @@ import ( "github.com/datadog/stratus-red-team/v2/internal/providers" "github.com/datadog/stratus-red-team/v2/pkg/stratus" "github.com/datadog/stratus-red-team/v2/pkg/stratus/mitreattack" + "github.com/datadog/stratus-red-team/v2/pkg/stratus/useragent" "io" authenticationv1 "k8s.io/api/authentication/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
@@ -157,7 +158,7 @@ func proxyKubeletRequest(k8s *providers.K8sProvider, kubeletApiPath string, toke endpointUrl := fmt.Sprintf("%sapi/v1/nodes/%s/proxy%s", apiServerUrl, node, kubeletApiPath) req, _ := http.NewRequest("GET", endpointUrl, nil) req.Header.Set("Authorization", "Bearer "+token) - req.Header.Set("User-Agent", providers.GetStratusUserAgentForUUID(k8s.UniqueCorrelationId)) + req.Header.Set("User-Agent", useragent.GetStratusUserAgentForUUID(k8s.UniqueCorrelationId)) log.Println("Performing request to " + endpointUrl) response, err := httpClient.Do(req) diff --git a/v2/internal/providers/aws.go b/v2/internal/providers/aws.go index 31e20162e..da3d0ecf6 100644 --- a/v2/internal/providers/aws.go +++ b/v2/internal/providers/aws.go @@ -2,12 +2,10 @@ package providers import ( "context" - "fmt" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/config" "github.com/aws/aws-sdk-go-v2/service/ec2" - "github.com/aws/smithy-go/middleware" - smithyhttp "github.com/aws/smithy-go/transport/http" + "github.com/datadog/stratus-red-team/v2/internal/utils" "github.com/google/uuid" "log" "os" @@ -19,7 +17,7 @@ type AWSProvider struct { } func NewAWSProvider(uuid uuid.UUID) *AWSProvider { - cfg, err := config.LoadDefaultConfig(context.Background(), customUserAgentApiOptions(uuid)) + cfg, err := config.LoadDefaultConfig(context.Background(), utils.CustomUserAgentApiOptions(uuid)) if err != nil { log.Fatalf("unable to load AWS configuration, %v", err) } 
@@ -47,29 +45,3 @@ func (m *AWSProvider) IsAuthenticatedAgainstAWS() bool { return true } - -// Functions below are related to customization of the user-agent header -// Code mostly taken from https://github.com/aws/aws-sdk-go-v2/issues/1432 - -func customUserAgentApiOptions(uniqueCorrelationId uuid.UUID) config.LoadOptionsFunc { - return config.WithAPIOptions(func() (v []func(stack *middleware.Stack) error) { - v = append(v, func(stack *middleware.Stack) error { - return stack.Build.Add(customUserAgentMiddleware(uniqueCorrelationId), middleware.After) - }) - return v - }()) -} - -func customUserAgentMiddleware(uniqueId uuid.UUID) middleware.BuildMiddleware { - return middleware.BuildMiddlewareFunc("CustomerUserAgent", func( - ctx context.Context, input middleware.BuildInput, next middleware.BuildHandler, - ) (out middleware.BuildOutput, metadata middleware.Metadata, err error) { - request, ok := input.Request.(*smithyhttp.Request) - if !ok { - return out, metadata, fmt.Errorf("unknown transport type %T", input.Request) - } - request.Header.Set("User-Agent", GetStratusUserAgentForUUID(uniqueId)) - - return next.HandleBuild(ctx, input) - }) -} diff --git a/v2/internal/providers/gcp.go b/v2/internal/providers/gcp.go index 76c12f0bc..78b8072b1 100644 --- a/v2/internal/providers/gcp.go +++ b/v2/internal/providers/gcp.go @@ -2,6 +2,7 @@ package providers import ( "context" + "github.com/datadog/stratus-red-team/v2/pkg/stratus/useragent" "os" "github.com/google/uuid" @@ -40,7 +41,7 @@ func NewGCPProvider(uuid uuid.UUID) *GCPProvider { } func (m *GCPProvider) Options() option.ClientOption { - return option.WithUserAgent(GetStratusUserAgentForUUID(m.UniqueCorrelationId)) + return option.WithUserAgent(useragent.GetStratusUserAgentForUUID(m.UniqueCorrelationId)) } func (m *GCPProvider) IsAuthenticated() bool { diff --git a/v2/internal/providers/kubernetes.go b/v2/internal/providers/kubernetes.go index a47da4b08..cf279ad41 100644 --- a/v2/internal/providers/kubernetes.go 
+++ b/v2/internal/providers/kubernetes.go @@ -3,6 +3,7 @@ package providers import ( "context" "github.com/datadog/stratus-red-team/v2/internal/utils" + "github.com/datadog/stratus-red-team/v2/pkg/stratus/useragent" "github.com/google/uuid" authv1 "k8s.io/api/authorization/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -39,7 +40,7 @@ func NewK8sProvider(uuid uuid.UUID) *K8sProvider { log.Fatalf("unable to build kube config: %v", err) } restConfig := config - restConfig.UserAgent = GetStratusUserAgentForUUID(uuid) + restConfig.UserAgent = useragent.GetStratusUserAgentForUUID(uuid) k8sClient, err := kubernetes.NewForConfig(restConfig) if err != nil { log.Fatalf("unable to create kube client: %v", err) diff --git a/v2/internal/utils/aws_utils.go b/v2/internal/utils/aws_utils.go index ece1d2779..290b3f8dc 100644 --- a/v2/internal/utils/aws_utils.go +++ b/v2/internal/utils/aws_utils.go @@ -12,9 +12,13 @@ import ( s3types "github.com/aws/aws-sdk-go-v2/service/s3/types" "github.com/aws/aws-sdk-go-v2/service/ssm" ssmtypes "github.com/aws/aws-sdk-go-v2/service/ssm/types" + "github.com/aws/smithy-go/middleware" + smithyhttp "github.com/aws/smithy-go/transport/http" + "github.com/cenkalti/backoff/v4" + "github.com/datadog/stratus-red-team/v2/pkg/stratus/useragent" + "github.com/google/uuid" "github.com/aws/aws-sdk-go-v2/service/sts" - backoff "github.com/cenkalti/backoff/v4" "io" "log" "strconv" 
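Review bot: The aws_utils.go import block is no longer in goimports order: `"github.com/aws/aws-sdk-go-v2/service/sts"` now sits after `github.com/google/uuid` instead of beside the other aws-sdk-go-v2 imports, which will cause churn the next time the file is formatted. Move the sts line up next to `ssmtypes` and let gofmt/goimports order the rest. The top of the import block is outside the hunk, so whether `"fmt"` (used by the new `CustomUserAgentApiOptions` further down) is already imported cannot be confirmed from here; the same import was removed from providers/aws.go in this commit.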
@@ -31,18 +35,47 @@ func GetCurrentAccountId(cfg aws.Config) (string, error) {
 return *result.Account, nil
 }
 
-func AwsConfigFromCredentials(accessKeyId string, secretAccessKey string, sessionToken string) aws.Config {
- credentialsProvider := config.WithCredentialsProvider(
- credentials.NewStaticCredentialsProvider(accessKeyId, secretAccessKey, sessionToken),
- )
- cfg, err := config.LoadDefaultConfig(context.Background(), credentialsProvider)
+func AwsConfigFromCredentials(accessKeyId string, secretAccessKey string, sessionToken string, detonationUid *uuid.UUID) aws.Config {
+ options := []func(*config.LoadOptions) error{
+ config.WithCredentialsProvider(
+ credentials.NewStaticCredentialsProvider(accessKeyId, secretAccessKey, sessionToken),
+ ),
+ }
+ if detonationUid != nil {
+ // propagate the detonation UID to the new provider
+ options = append(options, CustomUserAgentApiOptions(*detonationUid))
+ }
+ cfg, err := config.LoadDefaultConfig(context.Background(), options...)
+
 if err != nil {
 log.Fatalf("unable to load SDK config, %v", err)
 }
-
 return cfg
 }
 
+func CustomUserAgentApiOptions(uniqueCorrelationId uuid.UUID) config.LoadOptionsFunc {
+ // Code mostly taken from https://github.com/aws/aws-sdk-go-v2/issues/1432
+ customUserAgentMiddleware := func(uniqueId uuid.UUID) middleware.BuildMiddleware {
+ return middleware.BuildMiddlewareFunc("CustomerUserAgent", func(
+ ctx context.Context, input middleware.BuildInput, next middleware.BuildHandler,
+ ) (out middleware.BuildOutput, metadata middleware.Metadata, err error) {
+ request, ok := input.Request.(*smithyhttp.Request)
+ if !ok {
+ return out, metadata, fmt.Errorf("unknown transport type %T", input.Request)
+ }
+ request.Header.Set("User-Agent", useragent.GetStratusUserAgentForUUID(uniqueId))
+
+ return next.HandleBuild(ctx, input)
+ })
+ }
+ return config.WithAPIOptions(func() (v []func(stack *middleware.Stack) error) {
+ v = append(v, func(stack *middleware.Stack) error {
+ return stack.Build.Add(customUserAgentMiddleware(uniqueCorrelationId), middleware.After)
+ })
+ return v
+ }())
+}
+
 // WaitForAndAssumeAWSRole waits for an AWS role to be assumable (due to eventual consistency)
 // then sets a credentials provider that can be used to assume the role.
 func WaitForAndAssumeAWSRole(awsConnection *aws.Config, roleArn string) error {
diff --git a/v2/pkg/stratus/runner/runner.go b/v2/pkg/stratus/runner/runner.go
index 5349acc28..af2325618 100644
--- a/v2/pkg/stratus/runner/runner.go
+++ b/v2/pkg/stratus/runner/runner.go
@@ -3,9 +3,9 @@ package runner
 import (
 "context"
 "errors"
- "github.com/datadog/stratus-red-team/v2/internal/providers"
 "github.com/datadog/stratus-red-team/v2/internal/state"
 "github.com/datadog/stratus-red-team/v2/pkg/stratus"
+ "github.com/datadog/stratus-red-team/v2/pkg/stratus/useragent"
 "github.com/google/uuid"
 "log"
 "path/filepath"
@@ -51,7 +51,7 @@ func NewRunnerWithContext(ctx context.Context, technique *stratus.AttackTechniqu
 StateManager: stateManager,
 UniqueCorrelationID: uuid,
 TerraformManager: NewTerraformManagerWithContext(
- ctx, filepath.Join(stateManager.GetRootDirectory(), "terraform"), providers.GetStratusUserAgentForUUID(uuid),
+ ctx, filepath.Join(stateManager.GetRootDirectory(), "terraform"), useragent.GetStratusUserAgentForUUID(uuid),
 ),
 Context: ctx,
 }
diff --git a/v2/internal/providers/main.go b/v2/pkg/stratus/useragent/user_agent.go
similarity index 72%
rename from v2/internal/providers/main.go
rename to v2/pkg/stratus/useragent/user_agent.go
index c568c3c05..586fd5a46 100644
--- a/v2/internal/providers/main.go
+++ b/v2/pkg/stratus/useragent/user_agent.go
@@ -1,10 +1,12 @@
-package providers
+package useragent
 
 import (
 "fmt"
 "github.com/google/uuid"
 )
 
+// Has to be in a separate package to avoid circular dependencies
+
 const StratusUserAgentPrefix = "stratus-red-team"
 
 func GetStratusUserAgentForUUID(uuid uuid.UUID) string {
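Review bot: `CustomUserAgentApiOptions` is a new exported function and `AwsConfigFromCredentials` gained a `detonationUid` parameter whose nil case changes what CloudTrail records, yet neither has a doc comment. Suggest `// AwsConfigFromCredentials builds an aws.Config from static credentials. When detonationUid is non-nil, every request carries the stratus-red-team User-Agent for that UID so CloudTrail events made with these credentials can be correlated to the detonation; when nil, the SDK default User-Agent is used.` and `// CustomUserAgentApiOptions returns a LoadOptionsFunc that replaces the User-Agent header of every outgoing request with the stratus-red-team user agent for uniqueCorrelationId.` The comment on the middleware should also state that it requires the `*smithyhttp.Request` transport and fails the call with `unknown transport type` otherwise, and that `Header.Set` replaces rather than appends to the SDK's default user agent, since this code was moved from providers/aws.go without that being written down. As a style point, the inner `customUserAgentMiddleware` takes `uniqueId` as a parameter only to be invoked once with `uniqueCorrelationId`; it can capture the outer variable directly and drop the parameter.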
diff --git a/v2/tools/doc.tpl b/v2/tools/doc.tpl index fe48584c4..d1e1777c1 100644 --- a/v2/tools/doc.tpl +++ b/v2/tools/doc.tpl @@ -1,29 +1,46 @@ --- -title: {{.FriendlyName}} +title: {{.Technique.FriendlyName}} --- -# {{.FriendlyName}} +# {{.Technique.FriendlyName}} -{{ if .IsSlow }} slow {{ end }} -{{ if .IsIdempotent }} idempotent {{ end }} +{{ if .Technique.IsSlow }} slow {{ end }} +{{ if .Technique.IsIdempotent }} idempotent {{ end }} -Platform: {{FormatPlatformName .Platform}} +Platform: {{FormatPlatformName .Technique.Platform}} ## MITRE ATT&CK Tactics -{{JoinTactics .MitreAttackTactics "\n- " "\n- "}} +{{JoinTactics .Technique.MitreAttackTactics "\n- " "\n- "}} ## Description -{{.Description}} +{{.Technique.Description}} ## Instructions ```bash title="Detonate with Stratus Red Team" -stratus detonate {{.ID}} -```{{ if .Detection }} +stratus detonate {{.Technique.ID}} +```{{ if .Technique.Detection }} ## Detection -{{ .Detection }} +{{ .Technique.Detection }} +{{ end }} +{{ if .DetonationLogs }} +## Detonation logs new! +The following CloudTrail events are generated when this technique is detonated[^1]: + +{{range $event := .DetonationLogs.EventNames }} +- `{{ $event }}` +{{end}} + +??? "View raw detonation logs" + + ```json hl_lines="{{range $i, $line := .DetonationLogs.EventNameLines}}{{if $i}} {{end}}{{$line}}{{end}}" + + {{ .DetonationLogs.RawLogs }} + ``` + +[^1]: These logs have been gathered from a real detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using [LogLicker](https://github.com/Permiso-io-tools/LogLicker). {{ end }} \ No newline at end of file diff --git a/v2/tools/generate-docs.go b/v2/tools/generate-docs.go index eb9a9b03e..cfbd1fb7f 100644 --- a/v2/tools/generate-docs.go +++ b/v2/tools/generate-docs.go 
@@ -23,6 +23,7 @@ func main() {
 index := NewIndex(techniques).Values()
 if err := GenerateTechDocs(docsDirectory, techniques, index); err != nil {
+ fmt.Fprintln(os.Stderr, "Could not generate techniques documentation")
 fmt.Fprintf(os.Stderr, "%v\n", err)
 os.Exit(1)
 }
@@ -30,6 +31,7 @@ func main() {
 // Write a single index file with all techniques. File is enconded in YAML.
 yamlIndex := filepath.Join(docsDirectory, "index.yaml")
 if err := GenerateYAML(yamlIndex, index); err != nil {
+ fmt.Fprintln(os.Stderr, "Could not generate YAML index")
 fmt.Fprintf(os.Stderr, "%v\n", err)
 os.Exit(1)
 }
diff --git a/v2/tools/generate-techniques-documentation.go b/v2/tools/generate-techniques-documentation.go
index ff9e1146d..b41744d2e 100644
--- a/v2/tools/generate-techniques-documentation.go
+++ b/v2/tools/generate-techniques-documentation.go
@@ -2,6 +2,9 @@ package main
 import (
 "bytes"
+ "encoding/json"
+ "errors"
+ "fmt"
 "log"
 "os"
 "path/filepath"
@@ -13,6 +16,12 @@ import (
 "github.com/datadog/stratus-red-team/v2/pkg/stratus/mitreattack"
 )
+type DetonationLogs struct {
+ EventNames []string
+ RawLogs string
+ EventNameLines []int
+}
+
 func GenerateTechDocs(docsDirectory string, techniques []*stratus.AttackTechnique, index map[stratus.Platform]map[string][]*stratus.AttackTechnique) error {
 techniqueTemplate, err := os.ReadFile("tools/doc.tpl")
 if err != nil {
@@ -45,7 +54,14 @@ func GenerateTechDocs(docsDirectory string, techniques []*stratus.AttackTechniqu
 result := ""
 buf := bytes.NewBufferString(result)
 formatTechniqueDescription(technique)
- err := tpl.Execute(buf, technique)
+ templateInput := struct {
+ Technique *stratus.AttackTechnique
+ DetonationLogs *DetonationLogs
+ }{
+ Technique: technique,
+ DetonationLogs: findDetonationLogs(technique),
+ }
+ err := tpl.Execute(buf, templateInput)
 if err != nil {
 return err
 }
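Review bot: The exported type `DetonationLogs` in the second generate-techniques-documentation.go hunk has no doc comment, and its fields are not self-explanatory — in particular `EventNameLines`, whose meaning (1-based line numbers inside `RawLogs`, fed to the template's `hl_lines`) only becomes clear from the later hunk that fills it. I would add `// DetonationLogs holds the data rendered in the "Detonation logs" section of a technique's documentation page.` above the type. Per-field comments such as `EventNames []string // unique "<service>:<eventName>" pairs found in the recorded logs`, `RawLogs string // the raw JSON log file, re-indented for embedding in a markdown code block` and `EventNameLines []int // 1-based line numbers of the "eventName" keys within RawLogs, used for highlighting` would let a reader of the template understand the contract without opening the generator.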
@@ -99,6 +115,50 @@ func GenerateTechDocs(docsDirectory string, techniques []*stratus.AttackTechniqu
 return nil
 }
+func findDetonationLogs(technique *stratus.AttackTechnique) *DetonationLogs {
+ data, err := os.ReadFile("../docs/detonation-logs/" + technique.ID + ".json")
+ if err != nil {
+ if errors.Is(err, os.ErrNotExist) {
+ return nil // no detonation logs
+ }
+ log.Fatalf("unable to read detonation logs for technique %s: %v", technique.ID, err)
+ }
+
+ var logs []map[string]interface{}
+ if err := json.Unmarshal(data, &logs); err != nil {
+ println("unable to parse JSON detonation logs for technique " + technique.ID + ": " + err.Error())
+ return nil
+ }
+
+ // Unique event names
+ var eventNamesSet = make(map[string]bool)
+ for _, event := range logs {
+ eventName := fmt.Sprintf("%s:%s", strings.TrimSuffix(event["eventSource"].(string), ".amazonaws.com"), event["eventName"].(string))
+ if _, ok := eventNamesSet[eventName]; !ok {
+ eventNamesSet[eventName] = true
+ }
+ }
+
+ var eventNames []string
+ for k := range eventNamesSet {
+ eventNames = append(eventNames, k)
+ }
+
+ rawLogs := strings.ReplaceAll(string(data), "\n", "\n\t") // indent for markdown
+ var eventNameLines []int
+ for lineNo, line := range strings.Split(rawLogs, "\n") {
+ if strings.Contains(line, "\"eventName\":") {
+ eventNameLines = append(eventNameLines, lineNo+1)
+ }
+ }
+
+ return &DetonationLogs{
+ EventNames: eventNames,
+ RawLogs: rawLogs,
+ EventNameLines: eventNameLines,
+ }
+}
+
 func formatTechniqueDescription(technique *stratus.AttackTechnique) {
 technique.Description = strings.ReplaceAll(technique.Description, "Warm-up:", "Warm-up:")
 technique.Description = strings.ReplaceAll(technique.Description, "Detonation:", "Detonation:")
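Review bot: `eventNames` is built by ranging over the `eventNamesSet` map in findDetonationLogs, so the event list in the generated markdown comes out in a different order on each run of the generator and every regeneration produces spurious diffs under `docs/`; sort it before returning (`sort.Strings(eventNames)`, with `"sort"` added to the import block in the earlier hunk). The unchecked `.(string)` assertions on `event["eventSource"]` and `event["eventName"]` will panic the whole doc build on a log entry that lacks either key or holds a non-string value, whereas the comma-ok form with a logged skip gives a clear failure and keeps the rest of the file usable. The parse-error path uses the builtin `println` while the read-error path uses `log.Fatalf`; `log.Printf` keeps both on the same logger and makes the silently dropped section visible in CI output. The `if _, ok := ...; !ok` guard around the map write is redundant since setting the key is idempotent. The rewritten portion is below; the rawLogs re-indentation and eventNameLines computation are unchanged.
```go
	// Unique event names, sorted so the generated docs are stable across runs
	eventNamesSet := make(map[string]bool)
	for _, event := range logs {
		source, okSource := event["eventSource"].(string)
		name, okName := event["eventName"].(string)
		if !okSource || !okName {
			log.Printf("skipping malformed detonation log entry for technique %s: missing eventSource or eventName", technique.ID)
			continue
		}
		eventNamesSet[fmt.Sprintf("%s:%s", strings.TrimSuffix(source, ".amazonaws.com"), name)] = true
	}

	eventNames := make([]string, 0, len(eventNamesSet))
	for k := range eventNamesSet {
		eventNames = append(eventNames, k)
	}
	sort.Strings(eventNames)
	// … unchanged: rawLogs re-indentation and eventNameLines computation …
```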
