@invictus-ir
Last active October 23, 2024 18:21
An overview of CloudTrail events that are interesting from an Incident Response perspective
Events are grouped by the MITRE ATT&CK tactic they most commonly serve. CloudTrail `eventName` matching is case-sensitive (the EC2 API is `CreateSnapshot`), and the same `eventName` can be emitted by more than one service, so pivot on `eventSource` as well when hunting.

| Tactic | CloudTrail eventName |
|---|---|
| Initial Access | ConsoleLogin, PasswordRecoveryRequested |
| Execution | StartInstance, StartInstances, Invoke, SendCommand |
| Persistence | CreateAccessKey, CreateUser, CreateNetworkAclEntry, CreateRoute, CreateLoginProfile, AuthorizeSecurityGroupEgress, AuthorizeSecurityGroupIngress, CreateVirtualMFADevice, CreateConnection, ApplySecurityGroupsToLoadBalancer, SetSecurityGroups, AuthorizeDBSecurityGroupIngress, CreateDBSecurityGroup, ChangePassword |
| Privilege Escalation | CreateGroup, CreateRole, UpdateAccessKey, PutGroupPolicy, PutRolePolicy, PutUserPolicy, AddRoleToInstanceProfile, AddUserToGroup |
| Defense Evasion | StopLogging, DeleteTrail, UpdateTrail, PutEventSelectors, DeleteFlowLogs, DeleteDetector, DeleteMembers, DeleteSnapshot, DeactivateMFADevice, DeleteCertificate, DeleteConfigRule, DeleteAccessKey, LeaveOrganization, DisassociateFromMasterAccount, DisassociateMembers, StopMonitoringMembers |
| Credential Access | GetSecretValue, GetPasswordData, RequestCertificate, UpdateAssumeRolePolicy |
| Discovery | ListUsers, ListRoles, ListIdentities, ListAccessKeys, ListServiceQuotas, ListInstanceProfiles, ListBuckets, ListGroups, GetSendQuota, GetCallerIdentity, DescribeInstances, GetBucketAcl, GetBucketVersioning, GetAccountAuthorizationDetails |
| Lateral Movement | AssumeRole, SwitchRole |
| Exfiltration | CreateSnapshot, ModifySnapshotAttributes, ModifyImageAttribute, SharedSnapshotCopyInitiated, SharedSnapshotVolumeCreated, ModifyDBSnapshotAttribute, PutBucketPolicy, PutBucketAcl |
| Impact | PutBucketVersioning, RunInstances, DeleteAccountPublicAccessBlock |
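As an added example (not part of the gist, and not Invictus IR's tooling), the script below turns the table into a triage filter: it loads a CloudTrail log file (a JSON object with a `Records` array), keeps only records whose `eventName` appears in the table, tags each with its tactic and flattens the fields an analyst pivots on. Failed calls are deliberately kept, since a denied `StopLogging` is still an attempt at defense evasion. The sample records are constructed for the demo, not real telemetry; the account ID, user name and IP address are placeholders.

```python
"""Tag CloudTrail records with the ATT&CK tactic the gist table assigns to their eventName."""
import json
from collections import Counter, defaultdict

# The gist's table, one set of CloudTrail eventName values per tactic. The EC2 API is
# spelled CreateSnapshot; eventName matching in CloudTrail is case-sensitive.
TACTIC_EVENTS = {
    "Initial Access": {"ConsoleLogin", "PasswordRecoveryRequested"},
    "Execution": {"StartInstance", "StartInstances", "Invoke", "SendCommand"},
    "Persistence": {
        "CreateAccessKey", "CreateUser", "CreateNetworkAclEntry", "CreateRoute",
        "CreateLoginProfile", "AuthorizeSecurityGroupEgress", "AuthorizeSecurityGroupIngress",
        "CreateVirtualMFADevice", "CreateConnection", "ApplySecurityGroupsToLoadBalancer",
        "SetSecurityGroups", "AuthorizeDBSecurityGroupIngress", "CreateDBSecurityGroup",
        "ChangePassword",
    },
    "Privilege Escalation": {
        "CreateGroup", "CreateRole", "UpdateAccessKey", "PutGroupPolicy", "PutRolePolicy",
        "PutUserPolicy", "AddRoleToInstanceProfile", "AddUserToGroup",
    },
    "Defense Evasion": {
        "StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors", "DeleteFlowLogs",
        "DeleteDetector", "DeleteMembers", "DeleteSnapshot", "DeactivateMFADevice",
        "DeleteCertificate", "DeleteConfigRule", "DeleteAccessKey", "LeaveOrganization",
        "DisassociateFromMasterAccount", "DisassociateMembers", "StopMonitoringMembers",
    },
    "Credential Access": {
        "GetSecretValue", "GetPasswordData", "RequestCertificate", "UpdateAssumeRolePolicy",
    },
    "Discovery": {
        "ListUsers", "ListRoles", "ListIdentities", "ListAccessKeys", "ListServiceQuotas",
        "ListInstanceProfiles", "ListBuckets", "ListGroups", "GetSendQuota", "GetCallerIdentity",
        "DescribeInstances", "GetBucketAcl", "GetBucketVersioning", "GetAccountAuthorizationDetails",
    },
    "Lateral Movement": {"AssumeRole", "SwitchRole"},
    "Exfiltration": {
        "CreateSnapshot", "ModifySnapshotAttributes", "ModifyImageAttribute",
        "SharedSnapshotCopyInitiated", "SharedSnapshotVolumeCreated", "ModifyDBSnapshotAttribute",
        "PutBucketPolicy", "PutBucketAcl",
    },
    "Impact": {"PutBucketVersioning", "RunInstances", "DeleteAccountPublicAccessBlock"},
}

# Inverted index: eventName -> tactics. Kept as a list so an event could carry several.
EVENT_TO_TACTICS = defaultdict(list)
for _tactic, _names in TACTIC_EVENTS.items():
    for _name in _names:
        EVENT_TO_TACTICS[_name].append(_tactic)


def tactics_for(event_name):
    """Tactics the table assigns to an eventName; [] when it is not in the table."""
    return sorted(EVENT_TO_TACTICS.get(event_name, []))


def load_trail_file(text):
    """A CloudTrail log file is a JSON object whose 'Records' array holds the events."""
    return json.loads(text)["Records"]


def triage(records):
    """Keep records whose eventName is in the table and flatten the pivot fields.
    Records with an errorCode are kept on purpose: the attempt itself is the signal."""
    hits = []
    for rec in records:
        tactics = tactics_for(rec.get("eventName", ""))
        if not tactics:
            continue
        identity = rec.get("userIdentity", {})
        hits.append({
            "eventTime": rec.get("eventTime"),
            "eventSource": rec.get("eventSource"),  # disambiguates shared eventName values
            "eventName": rec["eventName"],
            "tactics": tactics,
            "principal": identity.get("arn") or identity.get("type"),
            "sourceIPAddress": rec.get("sourceIPAddress"),
            "errorCode": rec.get("errorCode"),  # None when the call succeeded
        })
    return hits


def tactic_counts(hits):
    """Number of table-listed events per tactic, a quick shape-of-the-incident view."""
    return Counter(t for h in hits for t in h["tactics"])


def _rec(time, source, name, **extra):
    # Constructed sample record (placeholder account, user and IP), in CloudTrail's shape.
    base = {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": "198.51.100.7",
            "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}}
    base.update(extra)
    return base


SAMPLE_LOG = json.dumps({"Records": [
    _rec("2024-10-23T18:01:00Z", "signin.amazonaws.com", "ConsoleLogin"),
    _rec("2024-10-23T18:04:00Z", "iam.amazonaws.com", "CreateAccessKey"),
    _rec("2024-10-23T18:05:00Z", "cloudtrail.amazonaws.com", "StopLogging", errorCode="AccessDenied"),
    _rec("2024-10-23T18:06:00Z", "secretsmanager.amazonaws.com", "GetSecretValue"),
    _rec("2024-10-23T18:07:00Z", "s3.amazonaws.com", "GetObject", sourceIPAddress="10.0.0.5"),
]})

if __name__ == "__main__":
    hits = triage(load_trail_file(SAMPLE_LOG))
    for h in hits:
        print(h["eventTime"], h["eventName"], h["tactics"], h["principal"], h["errorCode"])
    print(dict(tactic_counts(hits)))
```

On real data, point `load_trail_file` at each gzip-decompressed object from the trail's S3 bucket, or feed `triage` the `Events` you pull back from `LookupEvents` after parsing each `CloudTrailEvent` string. Treat the tactic label as a starting hypothesis, not a verdict: `DescribeInstances` and `AssumeRole` are routine in most accounts, so the value is in who issued them, from where, and in what sequence.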
@invictus-ir
Author

Thanks @JordanJHoffman, always nice to hear that people find it useful.

@LuisDeSantana

Great work guys!

@christopherwatkins901

Thank you all for what you do!
