feat(targeting): add cloud and container collection/interaction rules

Maijin · Maijin · commit 2cb34aae9aa9 · 2026-01-19T17:58:13.000+08:00
This adds rules for:

- enumerating AWS resources (CloudFormation, CloudTrail, DirectConnect, EC2, IAM, S3, Support)

- stealing credentials for AWS, GCP, Cloudflare

- stealing credentials for Docker and Kubernetes

Rules are categorized into host-interaction and collection namespaces.
diff --git a/collection/cloud/aws/access-aws-credentials.yml b/collection/cloud/aws/access-aws-credentials.yml
@@ -0,0 +1,27 @@
+rule:
+  meta:
+    name: access AWS credentials
+    namespace: collection/cloud/aws
+    authors:
+      - maximemorin@google.com
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Credential Access::Unsecured Credentials::Credentials In Files [T1552.001]
+    references:
+      - https://unit42.paloaltonetworks.com/teamtnt-operations-cloud-environments/
+    examples:
+      - ed40bce040778e2227c869dac59f54c320944e19f77543954f40019e2f2b0c35
+  features:
+    - or:
+      - string: ".aws/config"
+      - string: ".aws/credentials"
+      - string: ".aws/credentials.gpg"
+      - string: ".boto"
+      - string: ".s3backer_passwd"
+      - string: ".passwd-s3fs"
+      - string: "/etc/passwd-s3fs"
+      - string: ".s3cfg"
+      - string: "s3proxy.conf"
+      - string: ".s3ql/authinfo2"
diff --git a/collection/cloud/gcp/access-gcp-credentials.yml b/collection/cloud/gcp/access-gcp-credentials.yml
@@ -0,0 +1,19 @@
+rule:
+  meta:
+    name: access GCP credentials
+    namespace: collection/cloud/gcp
+    authors:
+      - maximemorin@google.com
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Credential Access::Unsecured Credentials::Credentials In Files [T1552.001]
+    references:
+      - https://unit42.paloaltonetworks.com/teamtnt-operations-cloud-environments/
+    examples:
+      - ed40bce040778e2227c869dac59f54c320944e19f77543954f40019e2f2b0c35
+  features:
+    - or:
+      - string: ".config/gcloud/access_tokens.db"
+      - string: ".config/gcloud/credentials.db"
diff --git a/collection/cloud/other/access-cloudflare-credentials.yml b/collection/cloud/other/access-cloudflare-credentials.yml
@@ -0,0 +1,18 @@
+rule:
+  meta:
+    name: access Cloudflare credentials
+    namespace: collection/cloud/other
+    authors:
+      - maximemorin@google.com
+    scopes:
+      static: function
+      dynamic: span of calls
+    att&ck:
+      - Credential Access::Unsecured Credentials::Credentials In Files [T1552.001]
+    references:
+      - https://unit42.paloaltonetworks.com/teamtnt-operations-cloud-environments/
+    examples:
+      - ed40bce040778e2227c869dac59f54c320944e19f77543954f40019e2f2b0c35
+  features:
+    - or:
+      - string: "/etc/cloudflared/config.yml"
diff --git a/collection/container/docker/access-docker-credentials.yml b/collection/container/docker/access-docker-credentials.yml
@@ -0,0 +1,19 @@
+rule:
+  meta:
+    name: access Docker credentials
+    namespace: collection/container/docker
+    authors:
+      - maximemorin@google.com
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Credential Access::Unsecured Credentials::Credentials In Files [T1552.001]
+    references:
+      - https://unit42.paloaltonetworks.com/teamtnt-operations-cloud-environments/
+    examples:
+      - ed40bce040778e2227c869dac59f54c320944e19f77543954f40019e2f2b0c35
+  features:
+    - or:
+      - string: ".docker/config.json"
+      - string: ".docker/ca.pem"
diff --git a/collection/container/kubernetes/access-kubernetes-credentials.yml b/collection/container/kubernetes/access-kubernetes-credentials.yml
@@ -0,0 +1,18 @@
+rule:
+  meta:
+    name: access Kubernetes credentials
+    namespace: collection/container/kubernetes
+    authors:
+      - maximemorin@google.com
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Credential Access::Unsecured Credentials::Credentials In Files [T1552.001]
+    references:
+      - https://unit42.paloaltonetworks.com/teamtnt-operations-cloud-environments/
+    examples:
+      - ed40bce040778e2227c869dac59f54c320944e19f77543954f40019e2f2b0c35
+  features:
+    - or:
+      - string: "/etc/eksctl/metadata.env"
diff --git a/host-interaction/cloud/aws/enumerate-aws-cloudformation.yml b/host-interaction/cloud/aws/enumerate-aws-cloudformation.yml
@@ -0,0 +1,22 @@
+rule:
+  meta:
+    name: enumerate AWS CloudFormation
+    namespace: host-interaction/cloud/aws
+    authors:
+      - maximemorin@google.com
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Discovery::Cloud Service Discovery [T1526]
+    references:
+      - https://unit42.paloaltonetworks.com/teamtnt-operations-cloud-environments/
+      - https://docs.aws.amazon.com/cli/latest/reference/cloudformation/index.html
+    examples:
+      - a1e9cd08073e4af3256b31e4b42f3aa69be40862b3988f964e96228f91236593
+  features:
+    - or:
+      - string: "aws cloudformation describe-account-limits"
+      - string: "aws cloudformation describe-stacks"
+      - string: "aws cloudformation list-exports"
+      - string: "aws cloudformation list-stacks"
diff --git a/host-interaction/cloud/aws/enumerate-aws-cloudtrail.yml b/host-interaction/cloud/aws/enumerate-aws-cloudtrail.yml
@@ -0,0 +1,20 @@
+rule:
+  meta:
+    name: enumerate AWS CloudTrail
+    namespace: host-interaction/cloud/aws
+    authors:
+      - maximemorin@google.com
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Discovery::Cloud Service Discovery [T1526]
+    references:
+      - https://unit42.paloaltonetworks.com/teamtnt-operations-cloud-environments/
+      - https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/index.html
+    examples:
+      - a1e9cd08073e4af3256b31e4b42f3aa69be40862b3988f964e96228f91236593
+  features:
+    - or:
+      - string: "aws cloudtrail describe-trails"
+      - string: "aws cloudtrail list-public-keys"
diff --git a/host-interaction/cloud/aws/enumerate-aws-direct-connect.yml b/host-interaction/cloud/aws/enumerate-aws-direct-connect.yml
@@ -0,0 +1,22 @@
+rule:
+  meta:
+    name: enumerate AWS Direct Connect
+    namespace: host-interaction/cloud/aws
+    authors:
+      - maximemorin@google.com
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Discovery::Cloud Service Discovery [T1526]
+    references:
+      - https://unit42.paloaltonetworks.com/teamtnt-operations-cloud-environments/
+      - https://docs.aws.amazon.com/cli/latest/reference/directconnect/index.html
+    examples:
+      - a1e9cd08073e4af3256b31e4b42f3aa69be40862b3988f964e96228f91236593
+  features:
+    - or:
+      - string: "aws directconnect describe-connections"
+      - string: "aws directconnect describe-interconnects"
+      - string: "aws directconnect describe-virtual-gateways"
+      - string: "aws directconnect describe-virtual-interfaces"
diff --git a/host-interaction/cloud/aws/enumerate-aws-ec2.yml b/host-interaction/cloud/aws/enumerate-aws-ec2.yml
@@ -0,0 +1,64 @@
+rule:
+  meta:
+    name: enumerate AWS EC2
+    namespace: host-interaction/cloud/aws
+    authors:
+      - maximemorin@google.com
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Discovery::Cloud Service Discovery [T1526]
+      - Discovery::System Information Discovery [T1082]
+      - Discovery::System Network Configuration Discovery [T1016]
+    references:
+      - https://unit42.paloaltonetworks.com/teamtnt-operations-cloud-environments/
+      - https://docs.aws.amazon.com/cli/latest/reference/ec2/index.html
+    examples:
+      - a1e9cd08073e4af3256b31e4b42f3aa69be40862b3988f964e96228f91236593
+  features:
+    - or:
+      - string: "aws ec2 describe-account-attributes"
+      - string: "aws ec2 describe-addresses"
+      - string: "aws ec2 describe-bundle-tasks"
+      - string: "aws ec2 describe-classic-link-instances"
+      - string: "aws ec2 describe-conversion-tasks"
+      - string: "aws ec2 describe-customer-gateways"
+      - string: "aws ec2 describe-dhcp-options"
+      - string: "aws ec2 describe-export-tasks"
+      - string: "aws ec2 describe-flow-logs"
+      - string: "aws ec2 describe-host-reservations"
+      - string: "aws ec2 describe-hosts"
+      - string: "aws ec2 describe-images"
+      - string: "aws ec2 describe-import-image-tasks"
+      - string: "aws ec2 describe-import-snapshot-tasks"
+      - string: "aws ec2 describe-instance-status"
+      - string: "aws ec2 describe-instances"
+      - string: "aws ec2 describe-internet-gateways"
+      - string: "aws ec2 describe-key-pairs"
+      - string: "aws ec2 describe-moving-addresses"
+      - string: "aws ec2 describe-nat-gateways"
+      - string: "aws ec2 describe-network-acls"
+      - string: "aws ec2 describe-network-interfaces"
+      - string: "aws ec2 describe-placement-groups"
+      - string: "aws ec2 describe-reserved-instances"
+      - string: "aws ec2 describe-reserved-instances-listings"
+      - string: "aws ec2 describe-reserved-instances-modifications"
+      - string: "aws ec2 describe-route-tables"
+      - string: "aws ec2 describe-scheduled-instances"
+      - string: "aws ec2 describe-security-groups"
+      - string: "aws ec2 describe-snapshots"
+      - string: "aws ec2 describe-spot-datafeed-subscription"
+      - string: "aws ec2 describe-spot-fleet-requests"
+      - string: "aws ec2 describe-spot-instance-requests"
+      - string: "aws ec2 describe-subnets"
+      - string: "aws ec2 describe-tags"
+      - string: "aws ec2 describe-volume-status"
+      - string: "aws ec2 describe-volumes"
+      - string: "aws ec2 describe-vpc-classic-link"
+      - string: "aws ec2 describe-vpc-classic-link-dns-support"
+      - string: "aws ec2 describe-vpc-endpoints"
+      - string: "aws ec2 describe-vpc-peering-connections"
+      - string: "aws ec2 describe-vpcs"
+      - string: "aws ec2 describe-vpn-connections"
+      - string: "aws ec2 describe-vpn-gateways"
diff --git a/host-interaction/cloud/aws/enumerate-aws-iam.yml b/host-interaction/cloud/aws/enumerate-aws-iam.yml
@@ -0,0 +1,34 @@
+rule:
+  meta:
+    name: enumerate AWS IAM
+    namespace: host-interaction/cloud/aws
+    authors:
+      - maximemorin@google.com
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Discovery::Account Discovery::Cloud Account [T1087.004]
+      - Discovery::Permission Groups Discovery::Cloud Groups [T1069.003]
+      - Discovery::Cloud Service Discovery [T1526]
+    references:
+      - https://unit42.paloaltonetworks.com/teamtnt-operations-cloud-environments/
+      - https://docs.aws.amazon.com/cli/latest/reference/iam/index.html
+    examples:
+      - a1e9cd08073e4af3256b31e4b42f3aa69be40862b3988f964e96228f91236593
+  features:
+    - or:
+      - string: "aws iam get-account-authorization-details"
+      - string: "aws iam get-account-password-policy"
+      - string: "aws iam get-account-summary"
+      - string: "aws iam list-account-aliases"
+      - string: "aws iam list-groups"
+      - string: "aws iam list-instance-profiles"
+      - string: "aws iam list-open-id-connect-providers"
+      - string: "aws iam list-policies"
+      - string: "aws iam list-roles"
+      - string: "aws iam list-saml-providers"
+      - string: "aws iam list-server-certificates"
+      - string: "aws iam list-users"
+      - string: "aws iam list-virtual-mfa-devices"
+      - string: "aws iam get-credential-report"
diff --git a/host-interaction/cloud/aws/enumerate-aws-s3.yml b/host-interaction/cloud/aws/enumerate-aws-s3.yml
@@ -0,0 +1,19 @@
+rule:
+  meta:
+    name: enumerate AWS S3
+    namespace: host-interaction/cloud/aws
+    authors:
+      - maximemorin@google.com
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Discovery::Cloud Service Discovery [T1526]
+    references:
+      - https://unit42.paloaltonetworks.com/teamtnt-operations-cloud-environments/
+      - https://docs.aws.amazon.com/cli/latest/reference/s3/index.html
+    examples:
+      - a1e9cd08073e4af3256b31e4b42f3aa69be40862b3988f964e96228f91236593
+  features:
+    - or:
+      - string: "aws s3 ls"
diff --git a/host-interaction/cloud/aws/enumerate-aws-support-cases.yml b/host-interaction/cloud/aws/enumerate-aws-support-cases.yml
@@ -0,0 +1,19 @@
+rule:
+  meta:
+    name: enumerate AWS support cases
+    namespace: host-interaction/cloud/aws
+    authors:
+      - maximemorin@google.com
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Discovery::Cloud Service Discovery [T1526]
+    references:
+      - https://unit42.paloaltonetworks.com/teamtnt-operations-cloud-environments/
+      - https://docs.aws.amazon.com/cli/latest/reference/support/index.html
+    examples:
+      - a1e9cd08073e4af3256b31e4b42f3aa69be40862b3988f964e96228f91236593
+  features:
+    - or:
+      - string: "aws support describe-cases"
