DataDog · udgover · Jun 4, 2025 · Jun 5, 2025 · Jun 23, 2025 · Jun 23, 2025
diff --git a/...ttack-techniques/AWS/aws.discovery.bedrock-enumerate-models-multiple-regions.md b/...ttack-techniques/AWS/aws.discovery.bedrock-enumerate-models-multiple-regions.md
@@ -0,0 +1,52 @@
+---
+title: Enumerate Bedrock models in multiple regions
+---
+
+# Enumerate Bedrock models in multiple regions
+
+
+ <span class="smallcaps w3-badge w3-blue w3-round w3-text-white" title="This attack technique can be detonated multiple times">idempotent</span> 
+
+Platform: AWS
+
+## Mappings
+
+- MITRE ATT&CK
+    - Discovery
+
+
+- Threat Technique Catalog for AWS:
+
+    - [Resource Hijacking: Cloud Service Hijacking - Bedrock LLM Abuse](https://aws-samples.github.io/threat-technique-catalog-for-aws/Techniques/T1496.A007.html) (T1496.A007)
+
+
+
+## Description
+
+
+Simulates an attacker enumerating Bedrock models in multiple regions. Attackers frequently use this enumeration technique after having compromised an access key, to use it to answer their prompts.
+
+<span style="font-variant: small-caps;">Warm-up</span>: None.
+
+<span style="font-variant: small-caps;">Detonation</span>: 
+
+- Perform <code>bedrock:InvokeModel</code> with <code>MaxTokensToSample = -1</code> in several regions to check if the Bedrock model <code>anthropic.claude-3-5-sonnet-20241022-v2:0</code> is available for use.
+
+References:
+
+- https://permiso.io/blog/exploiting-hosted-models
+- https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate aws.discovery.bedrock-enumerate-models-multiple-regions
+```
+## Detection
+
+
+Through CloudTrail's <code>InvokeModel</code> events. 
+These can be considered suspicious especially when performed by a long-lived access key, or when the calls span across multiple regions.
+
+
diff --git a/docs/attack-techniques/AWS/aws.impact.bedrock-invoke-model.md b/docs/attack-techniques/AWS/aws.impact.bedrock-invoke-model.md
@@ -14,6 +14,10 @@ Platform: AWS
 - MITRE ATT&CK
     - Impact
 
+- Threat Technique Catalog for AWS:
+
+    - [Resource Hijacking: Cloud Service Hijacking - Bedrock LLM Abuse](https://aws-samples.github.io/threat-technique-catalog-for-aws/Techniques/T1496.A007.html) (T1496.A007)
+
 
 
 ## Description

diff --git a/docs/attack-techniques/AWS/index.md b/docs/attack-techniques/AWS/index.md
@@ -92,6 +92,8 @@ Note that some Stratus attack techniques may correspond to more than a single AT
 
 ## Discovery
 
+  - [Enumerate Bedrock models in multiple regions](./aws.discovery.bedrock-enumerate-models-multiple-regions.md)
+
   - [Execute Discovery Commands on an EC2 Instance](./aws.discovery.ec2-enumerate-from-instance.md)
 
   - [Download EC2 Instance User Data](./aws.discovery.ec2-download-user-data.md)

diff --git a/docs/attack-techniques/list.md b/docs/attack-techniques/list.md
@@ -21,6 +21,7 @@ This page contains the list of all Stratus Attack Techniques.
 | [Delete DNS query logs](./AWS/aws.defense-evasion.dns-delete-logs.md) | [AWS](./AWS/index.md) | Defense Evasion |
 | [Attempt to Leave the AWS Organization](./AWS/aws.defense-evasion.organizations-leave.md) | [AWS](./AWS/index.md) | Defense Evasion |
 | [Remove VPC Flow Logs](./AWS/aws.defense-evasion.vpc-remove-flow-logs.md) | [AWS](./AWS/index.md) | Defense Evasion |
+| [Enumerate Bedrock models in multiple regions](./AWS/aws.discovery.bedrock-enumerate-models-multiple-regions.md) | [AWS](./AWS/index.md) | Discovery |
 | [Execute Discovery Commands on an EC2 Instance](./AWS/aws.discovery.ec2-enumerate-from-instance.md) | [AWS](./AWS/index.md) | Discovery |
 | [Download EC2 Instance User Data](./AWS/aws.discovery.ec2-download-user-data.md) | [AWS](./AWS/index.md) | Discovery |
 | [Enumerate SES](./AWS/aws.discovery.ses-enumerate.md) | [AWS](./AWS/index.md) | Discovery |

diff --git a/docs/attack-techniques/mitre-attack-coverage-matrices.md b/docs/attack-techniques/mitre-attack-coverage-matrices.md
@@ -28,10 +28,10 @@ This provides coverage matrices of MITRE ATT&CK tactics and techniques currently
 <div class="table-container"><table>
 <thead><tr><th>Initial Access</th><th>Execution</th><th>Persistence</th><th>Privilege Escalation</th><th>Defense Evasion</th><th>Credential Access</th><th>Discovery</th><th>Lateral Movement</th><th>Exfiltration</th><th>Impact</th></tr></thead>
 <tbody>
-<tr><td><a href="../AWS/aws.initial-access.console-login-without-mfa">Console Login without MFA</a></td><td><a href="../AWS/aws.execution.ec2-launch-unusual-instances">Launch Unusual EC2 instances</a></td><td><a href="../AWS/aws.persistence.iam-backdoor-role">Backdoor an IAM Role</a></td><td><a href="../AWS/aws.execution.ec2-user-data">Execute Commands on EC2 Instance via User Data</a></td><td><a href="../AWS/aws.defense-evasion.cloudtrail-delete">Delete CloudTrail Trail</a></td><td><a href="../AWS/aws.credential-access.ec2-get-password-data">Retrieve EC2 Password Data</a></td><td><a href="../AWS/aws.discovery.ec2-enumerate-from-instance">Execute Discovery Commands on an EC2 Instance</a></td><td><a href="../AWS/aws.lateral-movement.ec2-serial-console-send-ssh-public-key">Usage of EC2 Serial Console to push SSH public key</a></td><td><a href="../AWS/aws.exfiltration.ec2-security-group-open-port-22-ingress">Open Ingress Port 22 on a Security Group</a></td><td><a href="../AWS/aws.impact.bedrock-invoke-model">Invoke Bedrock Model</a></td></tr>
-<tr><td></td><td><a href="../AWS/aws.execution.ec2-user-data">Execute Commands on EC2 Instance via User Data</a></td><td><a href="../AWS/aws.persistence.iam-backdoor-user">Create an Access Key on an IAM User</a></td><td><a href="../AWS/aws.persistence.iam-backdoor-user">Create an Access Key on an IAM User</a></td><td><a href="../AWS/aws.defense-evasion.cloudtrail-event-selectors">Disable CloudTrail Logging Through Event Selectors</a></td><td><a href="../AWS/aws.credential-access.ec2-steal-instance-credentials">Steal EC2 Instance Credentials</a></td><td><a href="../AWS/aws.discovery.ec2-download-user-data">Download EC2 Instance User Data</a></td><td><a href="../AWS/aws.lateral-movement.ec2-instance-connect">Usage of EC2 Instance Connect on multiple instances</a></td><td><a href="../AWS/aws.exfiltration.ec2-share-ami">Exfiltrate an AMI by Sharing It</a></td><td><a href="../AWS/aws.impact.s3-ransomware-batch-deletion">S3 Ransomware through batch file deletion</a></td></tr>
-<tr><td></td><td><a href="../AWS/aws.execution.ssm-send-command">Usage of ssm:SendCommand on multiple instances</a></td><td><a href="../AWS/aws.persistence.iam-create-admin-user">Create an administrative IAM User</a></td><td><a href="../AWS/aws.persistence.iam-create-admin-user">Create an administrative IAM User</a></td><td><a href="../AWS/aws.defense-evasion.cloudtrail-lifecycle-rule">CloudTrail Logs Impairment Through S3 Lifecycle Rule</a></td><td><a href="../AWS/aws.credential-access.secretsmanager-batch-retrieve-secrets">Retrieve a High Number of Secrets Manager secrets (Batch)</a></td><td><a href="../AWS/aws.discovery.ses-enumerate">Enumerate SES</a></td><td></td><td><a href="../AWS/aws.exfiltration.ec2-share-ebs-snapshot">Exfiltrate EBS Snapshot by Sharing It</a></td><td><a href="../AWS/aws.impact.s3-ransomware-client-side-encryption">S3 Ransomware through client-side encryption</a></td></tr>
-<tr><td></td><td><a href="../AWS/aws.execution.ssm-start-session">Usage of ssm:StartSession on multiple instances</a></td><td><a href="../AWS/aws.persistence.iam-create-backdoor-role">Create a backdoored IAM Role</a></td><td><a href="../AWS/aws.persistence.iam-create-user-login-profile">Create a Login Profile on an IAM User</a></td><td><a href="../AWS/aws.defense-evasion.cloudtrail-stop">Stop CloudTrail Trail</a></td><td><a href="../AWS/aws.credential-access.secretsmanager-retrieve-secrets">Retrieve a High Number of Secrets Manager secrets</a></td><td></td><td></td><td><a href="../AWS/aws.exfiltration.rds-share-snapshot">Exfiltrate RDS Snapshot by Sharing</a></td><td><a href="../AWS/aws.impact.s3-ransomware-individual-deletion">S3 Ransomware through individual file deletion</a></td></tr>
+<tr><td><a href="../AWS/aws.initial-access.console-login-without-mfa">Console Login without MFA</a></td><td><a href="../AWS/aws.execution.ec2-launch-unusual-instances">Launch Unusual EC2 instances</a></td><td><a href="../AWS/aws.persistence.iam-backdoor-role">Backdoor an IAM Role</a></td><td><a href="../AWS/aws.execution.ec2-user-data">Execute Commands on EC2 Instance via User Data</a></td><td><a href="../AWS/aws.defense-evasion.cloudtrail-delete">Delete CloudTrail Trail</a></td><td><a href="../AWS/aws.credential-access.ec2-get-password-data">Retrieve EC2 Password Data</a></td><td><a href="../AWS/aws.discovery.bedrock-enumerate-models-multiple-regions">Enumerate Bedrock models in multiple regions</a></td><td><a href="../AWS/aws.lateral-movement.ec2-serial-console-send-ssh-public-key">Usage of EC2 Serial Console to push SSH public key</a></td><td><a href="../AWS/aws.exfiltration.ec2-security-group-open-port-22-ingress">Open Ingress Port 22 on a Security Group</a></td><td><a href="../AWS/aws.impact.bedrock-invoke-model">Invoke Bedrock Model</a></td></tr>
+<tr><td></td><td><a href="../AWS/aws.execution.ec2-user-data">Execute Commands on EC2 Instance via User Data</a></td><td><a href="../AWS/aws.persistence.iam-backdoor-user">Create an Access Key on an IAM User</a></td><td><a href="../AWS/aws.persistence.iam-backdoor-user">Create an Access Key on an IAM User</a></td><td><a href="../AWS/aws.defense-evasion.cloudtrail-event-selectors">Disable CloudTrail Logging Through Event Selectors</a></td><td><a href="../AWS/aws.credential-access.ec2-steal-instance-credentials">Steal EC2 Instance Credentials</a></td><td><a href="../AWS/aws.discovery.ec2-enumerate-from-instance">Execute Discovery Commands on an EC2 Instance</a></td><td><a href="../AWS/aws.lateral-movement.ec2-instance-connect">Usage of EC2 Instance Connect on multiple instances</a></td><td><a href="../AWS/aws.exfiltration.ec2-share-ami">Exfiltrate an AMI by Sharing It</a></td><td><a href="../AWS/aws.impact.s3-ransomware-batch-deletion">S3 Ransomware through batch file deletion</a></td></tr>
+<tr><td></td><td><a href="../AWS/aws.execution.ssm-send-command">Usage of ssm:SendCommand on multiple instances</a></td><td><a href="../AWS/aws.persistence.iam-create-admin-user">Create an administrative IAM User</a></td><td><a href="../AWS/aws.persistence.iam-create-admin-user">Create an administrative IAM User</a></td><td><a href="../AWS/aws.defense-evasion.cloudtrail-lifecycle-rule">CloudTrail Logs Impairment Through S3 Lifecycle Rule</a></td><td><a href="../AWS/aws.credential-access.secretsmanager-batch-retrieve-secrets">Retrieve a High Number of Secrets Manager secrets (Batch)</a></td><td><a href="../AWS/aws.discovery.ec2-download-user-data">Download EC2 Instance User Data</a></td><td></td><td><a href="../AWS/aws.exfiltration.ec2-share-ebs-snapshot">Exfiltrate EBS Snapshot by Sharing It</a></td><td><a href="../AWS/aws.impact.s3-ransomware-client-side-encryption">S3 Ransomware through client-side encryption</a></td></tr>
+<tr><td></td><td><a href="../AWS/aws.execution.ssm-start-session">Usage of ssm:StartSession on multiple instances</a></td><td><a href="../AWS/aws.persistence.iam-create-backdoor-role">Create a backdoored IAM Role</a></td><td><a href="../AWS/aws.persistence.iam-create-user-login-profile">Create a Login Profile on an IAM User</a></td><td><a href="../AWS/aws.defense-evasion.cloudtrail-stop">Stop CloudTrail Trail</a></td><td><a href="../AWS/aws.credential-access.secretsmanager-retrieve-secrets">Retrieve a High Number of Secrets Manager secrets</a></td><td><a href="../AWS/aws.discovery.ses-enumerate">Enumerate SES</a></td><td></td><td><a href="../AWS/aws.exfiltration.rds-share-snapshot">Exfiltrate RDS Snapshot by Sharing</a></td><td><a href="../AWS/aws.impact.s3-ransomware-individual-deletion">S3 Ransomware through individual file deletion</a></td></tr>
 <tr><td></td><td></td><td><a href="../AWS/aws.persistence.iam-create-user-login-profile">Create a Login Profile on an IAM User</a></td><td><a href="../AWS/aws.persistence.lambda-layer-extension">Add a Malicious Lambda Extension</a></td><td><a href="../AWS/aws.defense-evasion.dns-delete-logs">Delete DNS query logs</a></td><td><a href="../AWS/aws.credential-access.ssm-retrieve-securestring-parameters">Retrieve And Decrypt SSM Parameters</a></td><td></td><td></td><td><a href="../AWS/aws.exfiltration.s3-backdoor-bucket-policy">Backdoor an S3 Bucket via its Bucket Policy</a></td><td></td></tr>
 <tr><td></td><td></td><td><a href="../AWS/aws.persistence.lambda-backdoor-function">Backdoor Lambda Function Through Resource-Based Policy</a></td><td><a href="../AWS/aws.persistence.rolesanywhere-create-trust-anchor">Create an IAM Roles Anywhere trust anchor</a></td><td><a href="../AWS/aws.defense-evasion.organizations-leave">Attempt to Leave the AWS Organization</a></td><td></td><td></td><td></td><td></td><td></td></tr>
 <tr><td></td><td></td><td><a href="../AWS/aws.persistence.lambda-layer-extension">Add a Malicious Lambda Extension</a></td><td><a href="../AWS/aws.privilege-escalation.iam-update-user-login-profile">Change IAM user password</a></td><td><a href="../AWS/aws.defense-evasion.vpc-remove-flow-logs">Remove VPC Flow Logs</a></td><td></td><td></td><td></td><td></td><td></td></tr>

diff --git a/docs/index.yaml b/docs/index.yaml
@@ -122,6 +122,19 @@ AWS:
           platform: AWS
           isIdempotent: false
     Discovery:
+        - id: aws.discovery.bedrock-enumerate-models-multiple-regions
+          name: Enumerate Bedrock models in multiple regions
+          isSlow: false
+          mitreAttackTactics:
+            - Discovery
+          frameworkmappings:
+            - framework: Threat Technique Catalog for AWS
+              techniques:
+                - name: 'Resource Hijacking: Cloud Service Hijacking - Bedrock LLM Abuse'
+                  id: T1496.A007
+                  url: https://aws-samples.github.io/threat-technique-catalog-for-aws/Techniques/T1496.A007.html
+          platform: AWS
+          isIdempotent: true
         - id: aws.discovery.ec2-enumerate-from-instance
           name: Execute Discovery Commands on an EC2 Instance
           isSlow: true
@@ -242,6 +255,12 @@ AWS:
           isSlow: false
           mitreAttackTactics:
             - Impact
+          frameworkmappings:
+            - framework: Threat Technique Catalog for AWS
+              techniques:
+                - name: 'Resource Hijacking: Cloud Service Hijacking - Bedrock LLM Abuse'
+                  id: T1496.A007
+                  url: https://aws-samples.github.io/threat-technique-catalog-for-aws/Techniques/T1496.A007.html
           platform: AWS
           isIdempotent: true
         - id: aws.impact.s3-ransomware-batch-deletion

diff --git a/v2/internal/attacktechniques/aws/discovery/bedrock-enumerate-models-multiple-regions/main.go b/v2/internal/attacktechniques/aws/discovery/bedrock-enumerate-models-multiple-regions/main.go
@@ -0,0 +1,105 @@
+package aws
+
+import (
+	"context"
+	_ "embed"
+	"encoding/json"
+	"fmt"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/bedrockruntime"
+	"github.com/datadog/stratus-red-team/v2/pkg/stratus"
+	"github.com/datadog/stratus-red-team/v2/pkg/stratus/mitreattack"
+	"log"
+	"strings"
+)
+
+const MODEL = "anthropic.claude-3-5-sonnet-20241022-v2:0"
+
+func init() {
+	stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{
+		ID:           "aws.discovery.bedrock-enumerate-models-multiple-regions",
+		FriendlyName: "Enumerate Bedrock models in multiple regions",
+		Description: `
+Simulates an attacker enumerating Bedrock models in multiple regions. Attackers frequently use this enumeration technique after having compromised an access key, to use it to answer their prompts.
+
+Warm-up: None.
+
+Detonation: 
+
+- Perform <code>bedrock:InvokeModel</code> with <code>MaxTokensToSample = -1</code> in several regions to check if the Bedrock model <code>` + MODEL + `</code> is available for use.
+
+References:
+
+- https://permiso.io/blog/exploiting-hosted-models
+- https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/
+`,
+		Detection: `
+Through CloudTrail's <code>InvokeModel</code> events. 
+These can be considered suspicious especially when performed by a long-lived access key, or when the calls span across multiple regions.
+`,
+		Platform:           stratus.AWS,
+		IsIdempotent:       true,
+		MitreAttackTactics: []mitreattack.Tactic{mitreattack.Discovery},
+		FrameworkMappings: []stratus.FrameworkMappings{
+			{
+				Framework: stratus.ThreatTechniqueCatalogAWS,
+				Techniques: []stratus.TechniqueMapping{
+					{
+						Name: "Resource Hijacking: Cloud Service Hijacking - Bedrock LLM Abuse",
+						ID:   "T1496.A007",
+						URL:  "https://aws-samples.github.io/threat-technique-catalog-for-aws/Techniques/T1496.A007.html",
+					},
+				},
+			},
+		},
+
+		Detonate: detonate,
+	})
+}
+
+type minimalPromptBody struct {
+	Prompt            string `json:"prompt"`
+	MaxTokensToSample int    `json:"max_tokens_to_sample"`
+}
+
+func detonate(_ map[string]string, providers stratus.CloudProviders) error {
+	awsConnection := providers.AWS().GetConnection()
+	regions := []string{"us-east-1", "us-west-2", "eu-west-2", "eu-west-3", "ap-northeast-2", "ap-southeast-2"}
+
+	log.Printf("Attempting to invoke Bedrock model %s in regions: %v", MODEL, regions)
+
+	requestBody := minimalPromptBody{
+		Prompt:            "",
+		MaxTokensToSample: -1,
+	}
+	bodyBytes, err := json.Marshal(requestBody)
+	if err != nil {
+		return fmt.Errorf("failed to marshal request body: %w", err)
+	}
+
+	for _, region := range regions {
+		regionalConfig := awsConnection.Copy()
+		regionalConfig.Region = region
+		bedrockClient := bedrockruntime.NewFromConfig(regionalConfig)
+
+		params := &bedrockruntime.InvokeModelInput{
+			ModelId:     aws.String(MODEL),
+			Body:        bodyBytes,
+			ContentType: aws.String("application/json"),
+			Accept:      aws.String("*/*"),
+		}
+
+		_, invokeErr := bedrockClient.InvokeModel(context.Background(), params)
+		if invokeErr == nil {
+			return fmt.Errorf("expected an error when invoking model %s in %s, but got none", MODEL, region)
+		}
+		if strings.Contains(invokeErr.Error(), "AccessDeniedException") {
+			log.Printf("%s: Got an AccessDeniedException indicating that the model isn't available or the current user doesn't have permissions to invoke models", region)
+		} else if strings.Contains(invokeErr.Error(), "ValidationException") && strings.Contains(invokeErr.Error(), "StatusCode: 400") {
+			log.Printf("%s: Got a ValidationException indicating that the model isn't available in this region", region)
+		} else {
+			return fmt.Errorf("failed to invoke model %s in %s with an unexpected error: %w", MODEL, region, invokeErr)
+		}
+	}
+	return nil
+}
diff --git a/v2/internal/attacktechniques/aws/impact/bedrock-invoke-model/main.go b/v2/internal/attacktechniques/aws/impact/bedrock-invoke-model/main.go
@@ -88,7 +88,19 @@ References:
 		Platform:           stratus.AWS,
 		IsIdempotent:       true,
 		MitreAttackTactics: []mitreattack.Tactic{mitreattack.Impact},
-		Detonate:           detonate,
+		FrameworkMappings: []stratus.FrameworkMappings{
+			{
+				Framework: stratus.ThreatTechniqueCatalogAWS,
+				Techniques: []stratus.TechniqueMapping{
+					{
+						Name: "Resource Hijacking: Cloud Service Hijacking - Bedrock LLM Abuse",
+						ID:   "T1496.A007",
+						URL:  "https://aws-samples.github.io/threat-technique-catalog-for-aws/Techniques/T1496.A007.html",
+					},
+				},
+			},
+		},
+		Detonate: detonate,
 	})
 }
 

diff --git a/v2/internal/attacktechniques/main.go b/v2/internal/attacktechniques/main.go
@@ -16,6 +16,7 @@ import (
 	_ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/aws/discovery/ec2-enumerate-from-instance"
 	_ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/aws/discovery/ec2-get-user-data"
 	_ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/aws/discovery/ses-enumerate"
+	_ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/aws/discovery/bedrock-enumerate-models-multiple-regions"
 	_ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/aws/execution/ec2-launch-unusual-instances"
 	_ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/aws/execution/ec2-user-data"
 	_ "github.com/datadog/stratus-red-team/v2/internal/attacktechniques/aws/execution/ssm-send-command"