From Static Threat Feeds to Live Fire Drills: How the Mitigant Threat Catalog Turns MITRE ATT&CK into Executable Cloud Attacks + Video

Introduction:

For years, cloud defenders have been trapped in a frustrating paradox: the industry’s most authoritative threat intelligence frameworks, like MITRE ATT&CK, describe adversary behavior in abstract terms, but they stop short of telling you exactly which API call to look for or what command an attacker actually types. The Mitigant Threat Catalog removes that abstraction by transforming 92 MITRE-mapped cloud attack techniques across 32 AWS services into real, executable AWS CLI commands that you can study, copy, and run in a safe environment. This operational layer bridges the gap between reading about T1562.008 (Disable Cloud Logs) and understanding what `aws cloudtrail stop-logging --name production-trail` looks like when it lands in your CloudTrail logs as a `StopLogging` event, giving defenders, red teams, and detection engineers a shared, practical reference for validating defenses in the age of AI-accelerated attacks.

Learning Objectives:

  • Translate abstract MITRE ATT&CK techniques into concrete AWS CLI commands and Cloud Attack Language (CAL) YAML definitions.
  • Operationalize attacker knowledge by studying exact CloudTrail event names, detection opportunities, and command syntax for 92 cloud attack techniques.
  • Chain isolated techniques into multi-step attack scenarios using the Attack Builder and the Cloud Attack Language schema.
  • Apply the catalog to detection engineering by grounding SIEM rules in real adversary behavior rather than hypothetical threat models.

You Should Know:

  1. Understanding the Gap: Why Static Descriptions Fail Defenders

The MITRE ATT&CK framework is brilliant for categorizing adversary behavior, but its deliberate abstraction creates a significant operational gap. When a defender reads T1562.008 (Impair Defenses: Disable Cloud Logs), the description tells them adversaries may disable cloud logging to evade detection. But it doesn’t tell them which API call triggers it, what shows up in CloudTrail, or the exact command an attacker would run. Worse, under that single technique, there are multiple procedures: stopping a CloudTrail trail, deleting the trail entirely, narrowing event selectors to exclude certain API calls, removing VPC Flow Logs, or disabling S3 server access logging. Each procedure maps to a different API call, a different CloudTrail event, and a different detection opportunity. Defenders end up digging through multiple sources, piecing together blog posts, cross-referencing CloudTrail event names, and reverse-engineering attack chains from scratch—every single time. The Mitigant Threat Catalog closes this gap by providing the operational layer on top of MITRE ATT&CK, translating each technique into executable AWS CLI commands and CAL definitions.

Step-by-Step: How to Navigate and Use the Catalog

  1. Browse by Tactic or Service: Visit the catalog at https://threats.mitigant.io/ and filter techniques by tactic (e.g., TA0004 Privilege Escalation) or AWS service (e.g., IAM, S3, Lambda).
  2. Select a Technique: Click on any technique, such as T1562.008 (Impair Defenses: Disable Cloud Logs) or T1078.A001 (Valid Accounts: IAM Users).
  3. Review the CAL Definition: Each technique includes a Cloud Attack Language (CAL) YAML definition—an open, human-readable attack-as-code schema that expresses complex, multi-step cloud attacks.
  4. Copy the AWS CLI Command: The catalog provides the exact AWS CLI command for each procedure. For example, to stop a CloudTrail trail: aws cloudtrail stop-logging --name production-trail.
  5. Study the CloudTrail Event Names: Each technique highlights the specific CloudTrail event names triggered during the attack, enabling detection engineers to write and tune SIEM rules.
  6. Chain Techniques with the Attack Builder: Use the Attack Builder to combine multiple techniques into multi-step attack scenarios, with CAL definitions serving as a shared blueprint.

  2. Detection Engineering with the Catalog: From Theory to Sigma Rules

The catalog is not just a red team tool; it is also a detection engineer’s reference. By providing exact CloudTrail event names and AWS CLI commands for each technique, it enables defenders to ground their SIEM rules in real adversary behavior rather than hypothetical threat models. For example, if you are building a detection for the stop-trail procedure under T1562.008 (Disable Cloud Logs), you know the CloudTrail event name is `StopLogging` and the command is aws cloudtrail stop-logging --name <trail-name>. You can then write a Splunk or Microsoft Sentinel query that alerts on `eventName = "StopLogging"` with specific user or IP context.

Step-by-Step: Building a Detection for Cloud Log Disabling

  1. Identify the Technique: Navigate to T1562.008 (Impair Defenses: Disable Cloud Logs) in the catalog.
  2. Extract the CloudTrail Event Name: Note that the technique triggers the `StopLogging` CloudTrail event.
  3. Write a Detection Query: In Splunk, you might use: index=aws_cloudtrail eventName=StopLogging | stats count by userIdentity.arn, sourceIPAddress, errorCode, eventTime. Keeping errorCode in the output means a denied attempt (AccessDenied) still surfaces; it shows intent even though logging was not actually stopped.
  4. Tune the Rule: Add context by correlating with other calls from the same principal, such as `DeleteTrail`, `UpdateTrail` (for example, redirecting the trail to a different S3 bucket), or `PutEventSelectors` (the call that actually narrows which events a trail records).
  5. Validate with the Catalog: Run the technique in the Mitigant demo environment to generate real logs and validate that your detection fires correctly.
  6. Iterate: The catalog includes 92 techniques across 32 AWS services, so you can systematically build and validate detections for the AWS portion of the MITRE ATT&CK Cloud Matrix that it covers.
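The detection logic from the steps above, as an added example that is not code from the catalog or from Mitigant. It classifies CloudTrail records that implement the T1562.008 procedures the text lists (stopping, deleting or reconfiguring a trail, narrowing event selectors, deleting VPC Flow Logs, turning off S3 server access logging), keeps denied attempts as findings, and raises a chain when one principal makes two or more successful tampering calls inside a time window. The records in SAMPLE_RECORDS are constructed: field names follow the CloudTrail record format, but every account ID, ARN, IP address and trail name is invented, and the requestParameters shapes are simplified.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Management-event names behind the T1562.008 procedures discussed in the text.
TAMPER_EVENTS = {
    "StopLogging": "CloudTrail trail stopped",
    "DeleteTrail": "CloudTrail trail deleted",
    "UpdateTrail": "CloudTrail trail reconfigured",
    "PutEventSelectors": "CloudTrail event selectors changed",
    "DeleteFlowLogs": "VPC Flow Logs deleted",
    "PutBucketLogging": "S3 server access logging changed",
}


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def classify(record):
    """Return a verdict string if the call reduces log coverage, else None."""
    name = record.get("eventName")
    if name not in TAMPER_EVENTS:
        return None
    params = record.get("requestParameters") or {}
    if name == "PutEventSelectors":
        # Only a narrowing change is evasion: dropping management events, or
        # keeping read-only calls while discarding the writes attackers make.
        for selector in params.get("eventSelectors") or []:
            if not selector.get("includeManagementEvents", True):
                return "management events excluded from trail"
            if selector.get("readWriteType") == "ReadOnly":
                return "write events excluded from trail"
        return None
    if name == "PutBucketLogging":
        # A BucketLoggingStatus without LoggingEnabled turns access logging off.
        if "LoggingEnabled" not in (params.get("BucketLoggingStatus") or {}):
            return "S3 server access logging disabled"
        return None
    return TAMPER_EVENTS[name]


def detect(records, window=timedelta(minutes=30)):
    """Return (findings, chains): every tampering call (denied ones included,
    they show intent) and, per principal, a chain of successful calls within window."""
    findings, per_actor = [], defaultdict(list)
    for rec in records:
        verdict = classify(rec)
        if verdict is None:
            continue
        finding = {
            "eventTime": rec["eventTime"],
            "eventName": rec["eventName"],
            "what": verdict,
            "actor": rec.get("userIdentity", {}).get("arn", "<unknown>"),
            "sourceIPAddress": rec.get("sourceIPAddress"),
            "succeeded": "errorCode" not in rec,  # CloudTrail sets errorCode on failure
        }
        findings.append(finding)
        if finding["succeeded"]:
            per_actor[finding["actor"]].append(finding)

    chains = []
    for actor, events in per_actor.items():
        events.sort(key=lambda f: _ts(f["eventTime"]))
        for i, first in enumerate(events):
            later = [e for e in events[i + 1:]
                     if _ts(e["eventTime"]) - _ts(first["eventTime"]) <= window]
            if later:
                chains.append({"actor": actor,
                               "events": [first["eventName"]] + [e["eventName"] for e in later]})
                break  # one chain per principal is enough to raise the alert
    return findings, chains


# Constructed identities and records; nothing below comes from a real account.
ALICE = {"arn": "arn:aws:iam::111122223333:user/alice"}
BOB = {"arn": "arn:aws:iam::111122223333:user/bob"}
CAROL = {"arn": "arn:aws:iam::111122223333:user/carol"}

SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "DescribeTrails",
     "userIdentity": ALICE, "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2024-05-01T10:01:00Z", "eventName": "StopLogging",
     "userIdentity": BOB, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"name": "production-trail"}},
    {"eventTime": "2024-05-01T10:04:00Z", "eventName": "PutEventSelectors",
     "userIdentity": BOB, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"trailName": "audit-trail", "eventSelectors": [
         {"readWriteType": "ReadOnly", "includeManagementEvents": True}]}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventName": "DeleteTrail",
     "userIdentity": BOB, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"name": "production-trail"}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventName": "PutBucketLogging",  # benign: enables logging
     "userIdentity": ALICE, "sourceIPAddress": "203.0.113.5",
     "requestParameters": {"bucketName": "app-data", "BucketLoggingStatus": {
         "LoggingEnabled": {"TargetBucket": "central-access-logs"}}}},
    {"eventTime": "2024-05-01T11:05:00Z", "eventName": "StopLogging",  # denied attempt
     "userIdentity": CAROL, "sourceIPAddress": "192.0.2.9",
     "errorCode": "AccessDenied", "requestParameters": {"name": "production-trail"}},
]

if __name__ == "__main__":
    found, chained = detect(SAMPLE_RECORDS)
    print(json.dumps({"findings": found, "chains": chained}, indent=2))
```

Against the sample, bob’s three successful calls within five minutes produce one chain (StopLogging, PutEventSelectors, DeleteTrail), carol’s denied StopLogging is reported but not chained, and alice’s PutBucketLogging is ignored because it enables rather than disables logging. The same structure carries over to a SIEM: alert on the single event names, and escalate when the per-principal correlation fires.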

  3. Red and Purple Teaming: Planning Exercises with Executable Blueprints

Red and purple teams can use the catalog as a ready library of cloud attack techniques to plan exercises and reason through multi-step attack paths. The CAL definitions serve as a shared blueprint that both red and blue teams can agree on, eliminating the ambiguity that often plagues purple team exercises.

Step-by-Step: Planning a Multi-Step Attack Scenario

  1. Select a Campaign Objective: For example, simulate a Scattered Spider-style attack that involves initial access via compromised IAM credentials, followed by privilege escalation and data exfiltration.
  2. Chain Techniques Using CAL: Use the Cloud Attack Language to define a multi-step attack. For instance:

– T1078.A001 (Valid Accounts: IAM Users) for initial access
– T1548.005 (Temporary Elevated Cloud Access) for privilege escalation
– T1537 (Transfer Data to Cloud Account) for exfiltration
  3. Export the CAL Definition: The catalog provides CAL YAML for each technique, which you can combine into a single attack scenario file.
  4. Run in the Mitigant Demo: Sign up for the Mitigant demo to get a ready-to-use environment where you can execute the attack and review the full attack reports.
  5. Review Detection Gaps: After the exercise, analyze which detections fired and which missed, then use the catalog to refine your detection rules.
  6. Scale to Production: For enterprises, the Mitigant platform (the commercial Adversarial Exposure Validation engine) can safely run these attacks against live cloud environments with guardrails and automatic cleanup.

  4. The Cloud Attack Language (CAL): Attack-as-Code for the Modern Defender

One of the most innovative aspects of the Mitigant Threat Catalog is the Cloud Attack Language (CAL), an open, human-readable attack-as-code schema that expresses complex, multi-step cloud attacks as YAML. CAL is not just a documentation format; it is an executable blueprint that can be shared, versioned, and automated.

Example CAL Definition for T1562.008 (Disable Cloud Logs):

attack:
  id: T1562.008
  name: Impair Defenses - Disable Cloud Logs
  procedure: Stop CloudTrail Trail
  aws_cli: aws cloudtrail stop-logging --name production-trail
  cloudtrail_events:
    - StopLogging
  detection_opportunities:
    - Monitor for StopLogging events from unusual IPs
    - Correlate with subsequent DeleteTrail, UpdateTrail or PutEventSelectors events
  mitigation:
    - Enable CloudTrail log file validation
    - Set up S3 bucket policies to prevent log deletion

Step-by-Step: Creating a Custom CAL Definition

  1. Identify the Attack Chain: Define the sequence of techniques you want to simulate.
  2. Retrieve CAL Definitions: Copy the CAL YAML for each technique from the catalog.
  3. Combine into a Single YAML File: Merge the definitions into a single attack scenario file.
  4. Add Custom Logic: Extend the CAL schema with custom parameters, such as specific IAM role names or S3 bucket targets.
  5. Validate the Syntax: Use a YAML linter to ensure the file is correctly formatted.
  6. Execute in the Mitigant Platform: Upload the CAL file to the Mitigant platform to run the attack scenario in your environment.

  5. Operationalizing the Catalog: From Browser to Live Environment

The catalog is a free, open community resource that requires no account, email, or payment to browse techniques and copy commands. However, to actually run an attack and see it work end-to-end, you need to use the Mitigant demo, which gives you a ready-to-use environment. For enterprise-scale operations, the Mitigant platform extends coverage to Microsoft Azure and Google Cloud, with guardrails and automatic cleanup.

Step-by-Step: Running a Technique in the Demo Environment

  1. Sign Up for the Demo: Visit https://mitigant.io/sign-up-demo to get instant access to a ready-to-use environment.
  2. Select a Technique: Browse the catalog and choose a technique you want to execute.
  3. Copy the AWS CLI Command: Copy the exact command from the catalog page.
  4. Paste into the Demo Console: Use the demo environment’s browser-based console to run the command.
  5. Review the Attack Report: The demo generates a full attack report showing what happened, including CloudTrail events and detection opportunities.
  6. Iterate: Run multiple techniques, chain them into attacks, and refine your detections based on the results.

  6. Linux and Windows Commands for Threat Hunting and Forensics

While the catalog focuses on AWS CLI commands, defenders often need to correlate cloud activity with on-premises or endpoint data. Here are some essential commands for threat hunting and forensics related to cloud attacks:

Linux Commands:

  • Check for AWS CLI activity: `grep -i "aws" ~/.bash_history` (review command history for AWS CLI usage; bash writes the file only at shell exit and an attacker can unset HISTFILE, so an empty result proves nothing)
  • Examine CloudTrail logs locally: `jq '.Records[] | select(.eventName=="StopLogging")' cloudtrail-log.json` (parse an exported CloudTrail log file for specific events)
  • Identify which principal the credentials on a host resolve to: `aws sts get-caller-identity` (returns the account, user ID and ARN; the role assumptions themselves appear in CloudTrail as `AssumeRole` events, not on the host)
  • Search for Session Manager activity: `grep -i "ssm-user" /var/log/secure` (Session Manager sessions run as ssm-user and show up in the auth log when they use sudo; the agent’s own log is /var/log/amazon/ssm/amazon-ssm-agent.log)

Windows Commands:

  • Check PowerShell history: `Get-Content (Get-PSReadlineOption).HistorySavePath | Select-String "aws"` (review PowerShell command history for AWS CLI usage; the history file is per user, so repeat for each profile on the host)
  • Find AWS CLI process launches in the Security log: `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object {$_.Message -like "*aws.exe*"}` (requires process-creation auditing, ideally with command-line logging; the Windows Security log never contains CloudTrail events themselves, those exist only in AWS)
  • Check for AWS tooling installed on the host: `Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Where-Object {$_.DisplayName -like "*AWS*"} | Select-Object DisplayName, InstallDate` (reads the uninstall registry keys; avoid `Get-WmiObject -Class Win32_Product`, which is slow and triggers an MSI consistency check on every installed package)

What Undercode Say:

  • Key Takeaway 1: The Mitigant Threat Catalog is a game-changer because it transforms the MITRE ATT&CK framework from a theoretical reference into an operational tool. By providing executable AWS CLI commands and CAL definitions, it eliminates the guesswork that has historically plagued cloud security teams. This is not just another threat intelligence feed—it’s a practical, hands-on resource that empowers defenders to validate their detections and red teams to plan realistic exercises.

  • Key Takeaway 2: The catalog’s focus on AWS is just the beginning. With 92 techniques across 32 services, it already covers the most critical cloud attack vectors, including privilege escalation, defense evasion, persistence, and credential access. The addition of Azure and Google Cloud coverage in the Mitigant platform signals a broader vision: a unified, cross-cloud attack emulation framework that finally gives defenders the operational knowledge they need to stay ahead of adversaries.

Analysis: The timing of this catalog is critical. As the post notes, attackers are increasingly faster and more effective with AI, raising the bar for defender effectiveness. AI is not a shortcut around understanding attacks—it actually raises the bar: better grasp of how attackers operate fuels better AI-powered defensive outcomes. The catalog addresses this by providing high-quality harnesses (executable techniques) that can be used to train AI models, tune detections, and validate defenses. It’s a foundational layer that enables everything from SIEM rule tuning to automated purple teaming. The fact that it’s free and open ensures that even resource-constrained teams can access this operational knowledge, democratizing cloud security in a way that benefits the entire industry.

Prediction:

  • +1 The Mitigant Threat Catalog will become the de facto standard for cloud attack emulation, much like MITRE ATT&CK became the standard for threat intelligence. Its open, community-driven model will encourage contributions from security researchers, cloud providers, and enterprises, rapidly expanding its coverage and accuracy.

  • +1 The Cloud Attack Language (CAL) will evolve into an industry-standard format for describing cloud attacks, enabling seamless sharing of attack scenarios between organizations, tools, and platforms. This will accelerate the development of automated purple teaming and continuous security validation.

  • -1 As the catalog gains popularity, adversaries will also use it to refine their tradecraft, studying the exact commands and detection opportunities to better evade defenses. This is the eternal cat-and-mouse game of cybersecurity—but at least now defenders have the same operational knowledge as the attackers.

  • +1 The integration of AI with the catalog’s executable techniques will enable autonomous red teaming, where AI agents can plan, execute, and adapt attacks in real-time, dramatically improving the speed and scale of security validation.

  • -1 Organizations that fail to operationalize this knowledge will fall further behind. The gap between teams that actively use the catalog to validate their defenses and those that merely read about threats will widen, creating a new class of “security haves and have-nots.”

▶️ Related Video (68% Match):

https://www.youtube.com/watch?v=1hsrM3eqt3g

Reported By: Aondona Cloudsecurity – Hackers Feeds
