| Concept | AWS | Azure | Action | Attack | Signal | Notes |
|---|---|---|---|---|---|---|
| Identity creation | iam:CreateUser | Create User / Service Principal | Create new identity | Persistence | CreateUser / AuditLogs (Add user) | Often followed by keys/roles |
| Credential creation | iam:CreateAccessKey | Add client secret / certificate | Generate credentials | Long-term persistence | CreateAccessKey / Add credential | Equivalent to password dump |
| Credential usage | accessKeyId usage | OAuth token usage | Authenticate API calls | Initial access | userIdentity.accessKeyId / Sign-in logs | Track unusual usage |
| Credential cleanup | iam:DeleteAccessKey | Remove credential | Remove access | Anti-forensics | DeleteAccessKey | Cleanup indicator |
| Console access enable | iam:CreateLoginProfile | Set password | Enable interactive login | Persistence | CreateLoginProfile | Enables portal login |
| Identity enumeration | ListUsers / ListRoles | List users / directory roles | Discover identities | Recon | ListUsers / AuditLogs | Early attacker phase |
| Permission inspection | iam:GetPolicyVersion | Get role definition / permissions | View permissions | Recon before escalation | GetPolicyVersion | Often chained |
| Privilege escalation (policy attach) | iam:AttachUserPolicy | Assign RBAC role | Grant permissions | Escalation | AttachUserPolicy / RoleAssignment | Look for admin roles |
| Privilege escalation (inline) | iam:PutUserPolicy | Custom role / inline permissions | Add hidden permissions | Stealth escalation | PutUserPolicy | Harder to detect |
| Privilege escalation (role) | iam:AttachRolePolicy | Assign role to service principal | Elevate role permissions | Escalation | AttachRolePolicy | Critical |
| Privilege escalation (policy version) | iam:SetDefaultPolicyVersion | Modify role definition | Activate more permissive version | Classic privesc | SetDefaultPolicyVersion | AWS-specific but concept exists |
| Group-based escalation | iam:AddUserToGroup | Add user to group | Inherit permissions | Escalation | AddUserToGroup | Check group privileges |
| Role creation | iam:CreateRole | Create Managed Identity / App Registration | Create privileged identity | Persistence | CreateRole | Check trust |
| Trust modification | iam:UpdateAssumeRolePolicy | Update trust / app permissions | Allow new principals | Lateral movement | UpdateAssumeRolePolicy | Very dangerous |
| Identity pivot | sts:AssumeRole | Token acquisition (OAuth) / Managed Identity usage | Act as another identity | Lateral movement | AssumeRole / Sign-in logs | Track issuer |
| Role assignment to resource | iam:PassRole | Assign Managed Identity to resource | Resource runs as role | Execution privesc | Seen via resource creation | NOT directly logged in AWS |
| Compute deployment | RunInstances | Create VM | Deploy compute | Execution | RunInstances / VM creation logs | Less stealthy |
| Serverless deployment | CreateFunction | Create Function App | Deploy code execution | Execution | CreateFunction / Function creation | Common attacker path |
| Code execution | Invoke | Invoke Function | Execute payload | Execution | Invoke / Function execution logs | Equivalent to malware |
| Code modification | UpdateFunctionCode | Update Function | Modify payload | Persistence | UpdateFunctionCode | Backdoor |
| Storage enumeration | ListBuckets | List Storage Accounts / Containers | Discover data | Recon | ListBuckets | Pre-exfil |
| Storage enumeration (objects) | ListObjects | List Blobs | Discover files | Recon | ListObjects | Targeting |
| Data exfiltration | GetObject | Get Blob | Download data | Exfiltration | GetObject / Storage access logs | High signal |
| Data staging | PutObject | Put Blob | Upload data | Staging / exfil | PutObject | Check IP |
| Data deletion | DeleteObject | Delete Blob | Remove data | Anti-forensics | DeleteObject | Cleanup |
| Replication abuse | PutBucketReplication | Replication config | Persist exfil channel | Persistence | PutBucketReplication | Advanced attack |
| Logging discovery | DescribeLogGroups | List diagnostic settings | Discover logs | Recon | DescribeLogGroups | Pre-evasion |
| Logging disable | StopLogging | Disable diagnostic logs | Blind detection | Evasion | StopLogging | Critical |
| Log deletion | DeleteLogGroup | Delete logs | Cover tracks | Evasion | DeleteLogGroup | Critical |
| Security detection discovery | ListDetectors | List Defender alerts | Discover detection | Recon | ListDetectors | Pre-evasion |
| Security disable | DeleteDetector | Disable Defender / security | Evade detection | Evasion | DeleteDetector | High severity |
| API execution method | aws-cli / boto3 | Azure CLI / REST API | Execution interface | Human attacker | userAgent | Key behavioral signal |
BLUE TEAM / THREAT HUNT / CLOUD