DataDog · christophetd · Aug 26, 2024 · Aug 26, 2024
diff --git a/docs/attack-techniques/AWS/aws.credential-access.ec2-steal-instance-credentials.md b/docs/attack-techniques/AWS/aws.credential-access.ec2-steal-instance-credentials.md
@@ -54,6 +54,8 @@ See also: [Known detection bypasses](https://hackingthe.cloud/aws/avoiding-detec
 The following CloudTrail events are generated when this technique is detonated[^1]:
 
 
+- `ssm:SendCommand`
+
 - `ssm:DescribeInstanceInformation`
 
 - `sts:GetCallerIdentity`
@@ -62,8 +64,6 @@ The following CloudTrail events are generated when this technique is detonated[^
 
 - `ssm:GetCommandInvocation`
 
-- `ssm:SendCommand`
-
 
 ??? "View raw detonation logs"
 

diff --git a/docs/attack-techniques/AWS/aws.execution.ec2-user-data.md b/docs/attack-techniques/AWS/aws.execution.ec2-user-data.md
@@ -61,14 +61,14 @@ provisioned before instantiation.
 The following CloudTrail events are generated when this technique is detonated[^1]:
 
 
-- `ec2:DescribeInstances`
-
-- `ec2:StartInstances`
-
 - `ec2:ModifyInstanceAttribute`
 
 - `ec2:StopInstances`
 
+- `ec2:DescribeInstances`
+
+- `ec2:StartInstances`
+
 
 ??? "View raw detonation logs"
 

diff --git a/docs/attack-techniques/AWS/aws.execution.ssm-send-command.md b/docs/attack-techniques/AWS/aws.execution.ssm-send-command.md
@@ -71,12 +71,12 @@ While this technique uses a single call to <code>ssm:SendCommand</code> on sever
 The following CloudTrail events are generated when this technique is detonated[^1]:
 
 
+- `ssm:DescribeInstanceInformation`
+
 - `ssm:GetCommandInvocation`
 
 - `ssm:SendCommand`
 
-- `ssm:DescribeInstanceInformation`
-
 
 ??? "View raw detonation logs"
 

diff --git a/docs/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion.md b/docs/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion.md
@@ -39,6 +39,8 @@ References:
 - [Ransomware in the cloud](https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82)
 - https://www.firemon.com/what-you-need-to-know-about-ransomware-in-aws/
 - https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/
+- https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
+- https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/
 
 
 ## Instructions

diff --git a/docs/attack-techniques/AWS/aws.impact.s3-ransomware-client-side-encryption.md b/docs/attack-techniques/AWS/aws.impact.s3-ransomware-client-side-encryption.md
@@ -33,6 +33,8 @@ References:
 
 - https://www.firemon.com/what-you-need-to-know-about-ransomware-in-aws/
 - https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/
+- https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
+- https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/
 
 
 ## Instructions

diff --git a/docs/attack-techniques/AWS/aws.impact.s3-ransomware-individual-deletion.md b/docs/attack-techniques/AWS/aws.impact.s3-ransomware-individual-deletion.md
@@ -41,6 +41,8 @@ References:
 - https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/
 - https://www.invictus-ir.com/news/ransomware-in-the-cloud
 - https://dfir.ch/posts/aws_ransomware/
+- https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
+- https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/
 
 
 ## Instructions

diff --git a/docs/attack-techniques/AWS/aws.persistence.iam-create-backdoor-role.md b/docs/attack-techniques/AWS/aws.persistence.iam-create-backdoor-role.md
@@ -48,6 +48,7 @@ an external, fictitious attack AWS account.
 References:
 
 - https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
+- https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
 
 
 ## Instructions

diff --git a/docs/attack-techniques/AWS/aws.persistence.lambda-backdoor-function.md b/docs/attack-techniques/AWS/aws.persistence.lambda-backdoor-function.md
@@ -27,6 +27,10 @@ Establishes persistence by backdooring a lambda function to allow its invocation
 
 - Modify the Lambda function resource-base policy to allow lambda:InvokeFunction from an external, fictitious AWS account.
 
+References:
+
+- https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
+
 
 ## Instructions
 

diff --git a/v2/internal/attacktechniques/aws/impact/s3-ransomware-batch-deletion/main.go b/v2/internal/attacktechniques/aws/impact/s3-ransomware-batch-deletion/main.go
@@ -50,6 +50,8 @@ References:
 - [Ransomware in the cloud](https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82)
 - https://www.firemon.com/what-you-need-to-know-about-ransomware-in-aws/
 - https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/
+- https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
+- https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/
 `,
 		Detection: `
 You can detect ransomware activity by identifying abnormal patterns of objects being downloaded or deleted in the bucket. 

diff --git a/v2/internal/attacktechniques/aws/impact/s3-ransomware-client-side-encryption/main.go b/v2/internal/attacktechniques/aws/impact/s3-ransomware-client-side-encryption/main.go
@@ -49,6 +49,8 @@ References:
 
 - https://www.firemon.com/what-you-need-to-know-about-ransomware-in-aws/
 - https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/
+- https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
+- https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/
 `,
 		Detection: `
 You can detect ransomware activity by identifying abnormal patterns of objects being downloaded or deleted in the bucket. 

diff --git a/v2/internal/attacktechniques/aws/impact/s3-ransomware-individual-deletion/main.go b/v2/internal/attacktechniques/aws/impact/s3-ransomware-individual-deletion/main.go
@@ -51,6 +51,8 @@ References:
 - https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/
 - https://www.invictus-ir.com/news/ransomware-in-the-cloud
 - https://dfir.ch/posts/aws_ransomware/
+- https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
+- https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/
 `,
 		Detection: `
 You can detect ransomware activity by identifying abnormal patterns of objects being downloaded or deleted in the bucket. 

diff --git a/v2/internal/attacktechniques/aws/persistence/iam-create-backdoor-role/main.go b/v2/internal/attacktechniques/aws/persistence/iam-create-backdoor-role/main.go
@@ -43,6 +43,7 @@ Detonation:
 References:
 
 - https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
+- https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
 `,
 		Detection: `
 - Through [IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-resources.html#access-analyzer-iam-role), 

diff --git a/v2/internal/attacktechniques/aws/persistence/lambda-backdoor-function/main.go b/v2/internal/attacktechniques/aws/persistence/lambda-backdoor-function/main.go
@@ -28,6 +28,10 @@ Warm-up:
 Detonation: 
 
 - Modify the Lambda function resource-base policy to allow lambda:InvokeFunction from an external, fictitious AWS account.
+
+References:
+
+- https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
 `,
 		Detection: `
 - Using CloudTrail's <code>AddPermission20150331</code> and <code>AddPermission20150331v2</code> events.