Add references to docs (#493)

DataDog · Mar 25, 2024 · d2d3091 · d2d3091
1 parent d519da9
commit d2d3091
Show file tree

Hide file tree

Showing 6 changed files with 8 additions and 0 deletions.
diff --git a/docs/attack-techniques/AWS/aws.execution.ssm-start-session.md b/docs/attack-techniques/AWS/aws.execution.ssm-start-session.md
@@ -31,6 +31,7 @@ References:
 
 - https://awstip.com/responding-to-an-attack-in-aws-9048a1a551ac (evidence of usage in the wild)
 - https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/#session-manager
+- https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/
 
 
 ## Instructions

diff --git a/docs/attack-techniques/AWS/aws.impact.s3-ransomware-individual-deletion.md b/docs/attack-techniques/AWS/aws.impact.s3-ransomware-individual-deletion.md
@@ -39,6 +39,8 @@ References:
 - [Ransomware in the cloud](https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82)
 - https://www.firemon.com/what-you-need-to-know-about-ransomware-in-aws/
 - https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/
+- https://www.invictus-ir.com/news/ransomware-in-the-cloud
+- https://dfir.ch/posts/aws_ransomware/
 
 
 ## Instructions

diff --git a/docs/attack-techniques/AWS/aws.lateral-movement.ec2-instance-connect.md b/docs/attack-techniques/AWS/aws.lateral-movement.ec2-instance-connect.md
@@ -32,6 +32,7 @@ References:
 
 - https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/#hands-on-keyboard-activity-begins
 - https://sysdig.com/blog/2023-global-cloud-threat-report/
+- https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/
 
 
 ## Instructions

diff --git a/v2/internal/attacktechniques/aws/execution/ssm-start-session/main.go b/v2/internal/attacktechniques/aws/execution/ssm-start-session/main.go
@@ -36,6 +36,7 @@ References:
 
 - https://awstip.com/responding-to-an-attack-in-aws-9048a1a551ac (evidence of usage in the wild)
 - https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/#session-manager
+- https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/
 `,
 		Detection: `
 Identify, through CloudTrail's <code>StartSession</code> event, when a user is starting an interactive session to multiple EC2 instances. Sample event:

diff --git a/v2/internal/attacktechniques/aws/impact/s3-ransomware-individual-deletion/main.go b/v2/internal/attacktechniques/aws/impact/s3-ransomware-individual-deletion/main.go
@@ -49,6 +49,8 @@ References:
 - [Ransomware in the cloud](https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82)
 - https://www.firemon.com/what-you-need-to-know-about-ransomware-in-aws/
 - https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/
+- https://www.invictus-ir.com/news/ransomware-in-the-cloud
+- https://dfir.ch/posts/aws_ransomware/
 `,
 		Detection: `
 You can detect ransomware activity by identifying abnormal patterns of objects being downloaded or deleted in the bucket. 

diff --git a/v2/internal/attacktechniques/aws/lateral-movement/ec2-send-ssh-public-key/main.go b/v2/internal/attacktechniques/aws/lateral-movement/ec2-send-ssh-public-key/main.go
@@ -39,6 +39,7 @@ References:
 
 - https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/#hands-on-keyboard-activity-begins
 - https://sysdig.com/blog/2023-global-cloud-threat-report/
+- https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/
 `,
 		Detection: `
 Identify, through CloudTrail's <code>SendSSHPublicKey</code> event, when a user is adding an SSH key to multiple EC2 instances. Sample event: