
Kennedy for AWS Community Builders

Originally published at mitigant.io

Mitigant Threat Catalog: Turning Static Cloud Techniques to Dynamic Executions

The MITRE ATT&CK Framework is indispensable for understanding adversary behavior, especially in cloud environments. It provides a structured taxonomy of tactics and techniques that defenders rely on to build and validate their security architectures. As a framework, it is deliberately consistent and abstract; the techniques are intended to be interpreted and operationalized by practitioners in their specific environments.

Consider a sub-technique like T1078.004 (Valid Accounts: Cloud Accounts); the framework indicates that adversaries may obtain and abuse credentials for cloud accounts to gain initial access, establish persistence, or escalate privileges. The interpretation work, however, is where things get interesting.

There are several distinct procedures under T1078.004 that an attacker could leverage: creating a new IAM user, attaching a login profile for console access, generating long-lived access keys, or assuming cross-account roles. Each procedure maps to a different API call, a different CloudTrail event, and a different detection opportunity. Translating T1078.004 into the corresponding AWS CLI command:

aws iam create-login-profile --user-name john-doe --password @3wewSwew

requires piecing together information from multiple sources, cross-referencing CloudTrail event names, and reverse-engineering what a real attack chain looks like at the CLI level.

The AWS Threat Techniques Catalog has done excellent work in this space, not only providing AWS-specific context for existing MITRE techniques but also introducing techniques not available in MITRE ATT&CK and increasing overall understanding of cloud attack behavior. However, practitioners still have gaps to fill before they can be productive with it. Because we have had to close this gap ourselves at Mitigant, and know exactly how we navigated these challenges, we thought it was worth providing a resource that helps defenders be more effective. We aim to complement the existing work by adding the executable layer: actual CLI commands, detection mappings, and structured definitions that can be plugged directly into automated security workflows.

Introducing the Mitigant Threat Catalog

The Mitigant Threat Catalog was designed to close the gaps described above. We recently published it as a free, publicly available resource. It is an interactive, open catalog of cloud attack techniques that operationalizes MITRE ATT&CK cloud techniques into actionable, executable formats. Each technique in the catalog is expressed in two forms:

AWS CLI Commands: Actual AWS CLI commands with realistic parameters and simulated output that mirrors what you would see in live AWS environments, along with the corresponding CloudTrail event names your detection rules should trigger on. If you are writing Sigma rules or tuning your SIEM, this information is essential.

Cloud Attack Language (CAL) Definitions: Each technique also ships with a complete YAML definition that can be loaded directly into the Attack Builder and executed in your browser, or taken and integrated into your own workflows. The Cloud Attack Language is a YAML-based schema for defining multi-step cloud attacks, built on the popular Atomic Red Team format. It adds AWS service-type tagging and explicit step chaining designed for cloud attack scenarios. A comprehensive description of CAL is available here.

Here is what CAL looks like:

name: IAM Credential Persistence
attack_technique: T1078.004
description: Creates a login profile for persistence
supported_platforms:
    - iaas:aws
service-type: IAM
input_arguments:
    user_name:
        description: Option --user-name for type string
        default: john-doe
    password:
        description: Option --password for type string
        default: "@3wewSwew"
attack_step_definitions:
    - step: 1
      command: aws iam create-user --user-name ${user_name}
    - step: 2
      command: >
        aws iam create-login-profile
        --user-name ${user_name} --password ${password}
      cleanup_command: >
        aws iam delete-login-profile --user-name ${user_name}
    - step: 3
      command: aws iam create-access-key --user-name ${user_name}

In addition to the AWS CLI commands and CAL definitions, each technique includes detection and mitigation guidance with practical, technique-specific recommendations.
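To show how a CAL definition like the one above can feed a detection workflow, here is an added example (not Mitigant's code, and not part of the catalog) that resolves the input_arguments, renders the chained steps and their cleanup commands, and derives the CloudTrail eventName each step would produce. The definition is embedded as the dict yaml.safe_load would return so the block runs without PyYAML; the kebab-case-to-PascalCase event-name mapping is an assumption that holds for the IAM operations here but is a heuristic for the CLI in general.

```python
import re
from string import Template

# The CAL definition from the post, as the dict yaml.safe_load would produce.
CAL_DEFINITION = {
    "name": "IAM Credential Persistence",
    "attack_technique": "T1078.004",
    "service-type": "IAM",
    "input_arguments": {
        "user_name": {"description": "Option --user-name for type string", "default": "john-doe"},
        "password": {"description": "Option --password for type string", "default": "@3wewSwew"},
    },
    "attack_step_definitions": [
        {"step": 1, "command": "aws iam create-user --user-name ${user_name}"},
        {"step": 2,
         "command": "aws iam create-login-profile --user-name ${user_name} --password ${password}",
         "cleanup_command": "aws iam delete-login-profile --user-name ${user_name}"},
        {"step": 3, "command": "aws iam create-access-key --user-name ${user_name}"},
    ],
}

def resolve_arguments(definition, overrides=None):
    """Merge input_arguments defaults with caller overrides; reject unknown names."""
    args = {k: v["default"] for k, v in definition.get("input_arguments", {}).items()}
    unknown = set(overrides or {}) - set(args)
    if unknown:
        raise ValueError(f"unknown input_arguments: {sorted(unknown)}")
    args.update(overrides or {})
    return args

def render_steps(definition, overrides=None):
    """Steps in chain order with ${var} placeholders substituted."""
    args = resolve_arguments(definition, overrides)
    rendered = []
    for step in sorted(definition["attack_step_definitions"], key=lambda s: s["step"]):
        entry = {"step": step["step"], "command": Template(step["command"]).substitute(args)}
        if "cleanup_command" in step:
            entry["cleanup_command"] = Template(step["cleanup_command"]).substitute(args)
        rendered.append(entry)
    return rendered

def cleanup_plan(definition, overrides=None):
    """Cleanup commands in reverse step order, so later artifacts are removed first."""
    steps = reversed(render_steps(definition, overrides))
    return [s["cleanup_command"] for s in steps if "cleanup_command" in s]

_CLI = re.compile(r"^aws\s+(\S+)\s+([a-z0-9-]+)")

def cloudtrail_event_name(command):
    """Assumption: 'aws <svc> <kebab-op>' logs as the PascalCase op (create-user -> CreateUser)."""
    m = _CLI.match(command.strip())
    if not m:
        raise ValueError(f"not an aws CLI command: {command!r}")
    return "".join(part.capitalize() for part in m.group(2).split("-"))

def detection_events(definition):
    """Ordered, de-duplicated CloudTrail eventNames a rule for this technique should watch."""
    names = [cloudtrail_event_name(s["command"]) for s in render_steps(definition)]
    return list(dict.fromkeys(names))
```

The event list from detection_events is the set of eventName values to key a Sigma rule or SIEM correlation on, in the order the chain produces them.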

Mitigant Threat Catalog launches with 30 techniques spanning 12 of 14 ATT&CK tactics and covering 20 AWS services: from IAM credential abuse (T1078) to S3 ransomware via SSE-C encryption (T1486.A001) and AWS Organizations manipulation (T1666).

Mitigant Threat Catalog

Why Free and Public?

Because Threat-Informed Defense should not be gated. I have consistently shared this kind of knowledge publicly, including MITRE ATT&CK breakdowns, collaborations with Sekoia on Scattered Spider detection, and joint work with Cado Security on cloud forensics. The goal has always been to equip cloud security practitioners with practical, actionable resources. Mitigant Threat Catalog is a natural extension of that effort.

What's Next

This is a living catalog. I will keep adding techniques, expanding AWS service coverage, and keeping pace with new ATT&CK releases as AWS services evolve and new APIs introduce new attack surfaces. The Cloud Attack Language will continue to evolve alongside it. If you have suggestions for techniques to add or spot something that could be improved, I would love to hear from you at contact@mitigant.io.

Explore the catalog: threats.mitigant.io

For the full deep dive, including prior MITRE ATT&CK analysis work, partner collaborations, and a comprehensive description of the Cloud Attack Language, see the complete post on the Mitigant blog.
