Add reference to an attack creating IAM access keys (#384)

DataDog · Jul 12, 2023 · 9e71abd · 9e71abd
1 parent e9da1c0
commit 9e71abd
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/docs/attack-techniques/AWS/aws.persistence.iam-backdoor-user.md b/docs/attack-techniques/AWS/aws.persistence.iam-backdoor-user.md
@@ -28,6 +28,9 @@ Establishes persistence by creating an access key on an existing IAM user.
 
 - Create an IAM access key on the user.
 
+References:
+- https://sysdig.com/blog/scarleteel-2-0/
+
 
 ## Instructions
 

diff --git a/v2/internal/attacktechniques/aws/persistence/iam-backdoor-user/main.go b/v2/internal/attacktechniques/aws/persistence/iam-backdoor-user/main.go
@@ -26,12 +26,16 @@ Warm-up:
 Detonation: 
 
 - Create an IAM access key on the user.
+
+References:
+- https://sysdig.com/blog/scarleteel-2-0/
 `,
 		Detection: `
 Through CloudTrail's <code>CreateAccessKey</code> event. This event can hardly be considered suspicious by itself, unless
 correlated with other indicators.
 '`,
 		Platform:                   stratus.AWS,
+
 		IsIdempotent:               false, // iam:CreateAccessKey can only be called twice (limit of 2 access keys per user)
 		MitreAttackTactics:         []mitreattack.Tactic{mitreattack.Persistence, mitreattack.PrivilegeEscalation},
 		PrerequisitesTerraformCode: tf,