Performing Cloud Forensics With AWS CloudTrail

mukul975/Anthropic-Cybersecurity-Skills

Installation

openclaw install mukul975/performing-cloud-forensics-with-aws-cloudtrail

Summary

  • When investigating suspected AWS account compromise
  • After detecting unauthorized API calls or credential exposure
  • During incident response involving cloud infrastructure
  • When analyzing S3 data exfiltration or IAM privilege escalation
  • For post-incident forensic timeline reconstruction

SKILL.md

Performing Cloud Forensics with AWS CloudTrail

When to Use

  • When investigating suspected AWS account compromise
  • After detecting unauthorized API calls or credential exposure
  • During incident response involving cloud infrastructure
  • When analyzing S3 data exfiltration or IAM privilege escalation
  • For post-incident forensic timeline reconstruction

Prerequisites

  • AWS account with CloudTrail enabled for management events and, where S3 or Lambda activity matters, for data events (object-level calls such as GetObject are only logged when S3 data events are enabled on the trail)
  • IAM permissions for cloudtrail:LookupEvents, s3:GetObject on the log bucket, and for Athena at least athena:StartQueryExecution, athena:GetQueryExecution and athena:GetQueryResults, plus read access to the Glue Data Catalog table and write access to the query result location
  • boto3 Python SDK installed
  • CloudTrail logs delivered to S3, optionally with an Athena table configured (LookupEvents only covers the last 90 days; anything older must come from the S3 copy)
  • AWS CLI configured with credentials for the investigation account (ideally a dedicated read-only forensics role, not the possibly compromised credentials)

Workflow

  1. Scope Investigation: Identify the timeframe (CloudTrail eventTime is UTC), affected accounts and regions, and the credentials believed compromised.
  2. Query CloudTrail: Use boto3 lookup_events for the last 90 days, or Athena / CloudTrail Lake over the S3 logs for older data.
  3. Filter by Indicators: Search for suspicious user agents, source IPs, event names, and bursts of errorCode=AccessDenied, which usually mark permission enumeration.
  4. Reconstruct Timeline: Build a chronological sequence of attacker actions from the API calls, pivoting from the known key to the source IPs it used and to any keys or sessions it created.
  5. Analyze Access Patterns: Identify data access (S3 objects, Secrets Manager, SSM parameters), IAM changes, and resource modifications.
  6. Identify Persistence: Check for new IAM users, access keys, login profiles, roles with altered trust policies, and Lambda functions.
  7. Generate Report: Produce a forensic timeline with findings and remediation steps (key deactivation, user removal, policy rollback).
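The steps above, carried through end to end in Python as an added example (this is not code from the skill itself). It attributes records to the attacker by pivoting from a seed set of bad access keys to the source IPs they used and to any key minted through CreateAccessKey, then builds the timeline, persistence and data-access summaries the report needs. The sample records are constructed here in the CloudTrail log-file record shape; the key ID AKIAIOSFODNN7EXAMPLE is the placeholder from AWS documentation, and every other name, IP and bucket is invented for illustration. fetch_records is the only part that talks to AWS and is never called by the offline run.

```python
"""Triage CloudTrail records for a suspected access-key compromise (added example)."""
import json
from collections import Counter

# API names that commonly establish persistence or escalate privilege.
# Lambda's CreateFunction is logged by CloudTrail as "CreateFunction20150331".
PERSISTENCE_EVENTS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile",
    "CreateRole", "UpdateAssumeRolePolicy", "AttachUserPolicy", "AttachRolePolicy",
    "PutUserPolicy", "PutRolePolicy", "AddUserToGroup", "CreateFunction20150331",
}
# Read calls worth listing under "Data Accessed" in the report.
DATA_ACCESS_EVENTS = {"GetObject", "GetSecretValue", "GetParameter", "GetParameters"}


def parse_lookup_event(item):
    """lookup_events() wraps each full record as a JSON string in 'CloudTrailEvent';
    S3 log files and Athena rows carry the same record shape directly."""
    return json.loads(item["CloudTrailEvent"])


def fetch_records(start, end, access_key_id, region_name="us-east-1"):
    """Pull management events (last 90 days only) for one key via LookupEvents.
    Needs boto3 and credentials; LookupEvents is throttled, so let the paginator run."""
    import boto3  # lazy import keeps the offline triage below dependency-free
    paginator = boto3.client("cloudtrail", region_name=region_name).get_paginator("lookup_events")
    pages = paginator.paginate(
        LookupAttributes=[{"AttributeKey": "AccessKeyId", "AttributeValue": access_key_id}],
        StartTime=start, EndTime=end)
    return [parse_lookup_event(e) for page in pages for e in page["Events"]]


def _resource_of(rec):
    """Best-effort 'what was touched' string from requestParameters."""
    p = rec.get("requestParameters") or {}
    if "bucketName" in p:
        return f"s3://{p['bucketName']}/{p.get('key', '')}"
    return ", ".join(f"{k}={p[k]}" for k in ("userName", "roleName", "secretId", "policyArn") if k in p)


def triage(records, compromised_keys):
    """Attribute records to the attacker and summarize them for the forensic report.
    Pivots on known-bad keys, keys minted via CreateAccessKey, and the source IPs seen
    with them. The IP pivot can sweep in benign traffic behind a shared NAT, so review
    timeline entries whose key is outside the compromised set before calling them malicious."""
    keys, ips, timeline = set(compromised_keys), set(), []
    for r in sorted(records, key=lambda r: r["eventTime"]):  # chronological: a minted key precedes its use
        key = r.get("userIdentity", {}).get("accessKeyId")
        if key not in keys and r.get("sourceIPAddress") not in ips:
            continue
        ips.add(r["sourceIPAddress"])
        ok = not r.get("errorCode")
        if ok and r["eventName"] == "CreateAccessKey":
            keys.add(r["responseElements"]["accessKey"]["accessKeyId"])
        timeline.append({"time": r["eventTime"], "event": r["eventName"], "key": key,
                         "ip": r["sourceIPAddress"], "agent": r.get("userAgent", ""),
                         "resource": _resource_of(r), "result": "ok" if ok else r["errorCode"]})
    return {
        "timeframe": (timeline[0]["time"], timeline[-1]["time"]) if timeline else None,
        "compromised_keys": sorted(keys),
        "suspicious_events": len(timeline),
        "source_ips": sorted(ips),
        "user_agents": Counter(e["agent"] for e in timeline),
        "timeline": timeline,
        "data_accessed": [e["resource"] for e in timeline
                          if e["event"] in DATA_ACCESS_EVENTS and e["result"] == "ok"],
        "persistence": [e for e in timeline if e["event"] in PERSISTENCE_EVENTS and e["result"] == "ok"],
    }


# Constructed sample records in the CloudTrail log-file shape; not real data.
# AKIAIOSFODNN7EXAMPLE is the placeholder key ID used in AWS documentation.
def _rec(t, name, ip, agent, key, params=None, resp=None, err=None, user="ci-deploy"):
    return {"eventTime": t, "eventName": name, "sourceIPAddress": ip, "userAgent": agent,
            "userIdentity": {"type": "IAMUser", "userName": user, "accessKeyId": key},
            "requestParameters": params, "responseElements": resp, "errorCode": err}

CLI, BAD, MINTED = "aws-cli/2.15.0 Python/3.11.6 Linux/6.1 exe/x86_64", "AKIAIOSFODNN7EXAMPLE", "AKIAEXAMPLEMINTED001"
SAMPLE_RECORDS = [
    _rec("2024-03-01T09:30:00Z", "PutObject", "10.0.4.17", "aws-sdk-go/1.44.0", "ASIAEXAMPLEROLEKEY01",
         {"bucketName": "corp-backups", "key": "db/prod.sql.gz"}),  # benign in-VPC role session
    _rec("2024-03-01T10:02:11Z", "GetCallerIdentity", "198.51.100.23", CLI, BAD),
    _rec("2024-03-01T10:05:02Z", "GetObject", "198.51.100.23", CLI, BAD,
         {"bucketName": "corp-backups", "key": "db/prod.sql.gz"}),
    _rec("2024-03-01T10:06:30Z", "CreateLoginProfile", "198.51.100.23", CLI, BAD,
         {"userName": "ci-deploy"}, err="AccessDenied"),  # denied attempt still belongs on the timeline
    _rec("2024-03-01T10:07:15Z", "CreateUser", "198.51.100.23", CLI, BAD, {"userName": "svc-backup-2"}),
    _rec("2024-03-01T10:07:20Z", "CreateAccessKey", "198.51.100.23", CLI, BAD, {"userName": "svc-backup-2"},
         {"accessKey": {"accessKeyId": MINTED, "userName": "svc-backup-2"}}),
    _rec("2024-03-01T10:08:00Z", "AttachUserPolicy", "198.51.100.23", CLI, BAD,
         {"userName": "svc-backup-2", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _rec("2024-03-01T11:15:00Z", "GetSecretValue", "203.0.113.9", "Boto3/1.34.0 md/Botocore#1.34.0", MINTED,
         {"secretId": "prod/db/password"}, user="svc-backup-2"),  # minted key used from a second IP
]

if __name__ == "__main__":
    report = triage(SAMPLE_RECORDS, [BAD])
    for e in report["timeline"]:
        print(e["time"], e["event"], e["ip"], e["result"], e["resource"])
    print("persistence:", [(e["event"], e["resource"]) for e in report["persistence"]])
    print("data accessed:", report["data_accessed"])
```

Run it as-is to see the offline triage; for a live case replace SAMPLE_RECORDS with fetch_records(start, end, key) for each seed key, or with rows pulled from Athena, since both yield the same record shape. The benign PutObject from the role session is left out because neither its key nor its IP is attributed, while the GetSecretValue from a second IP is pulled in through the minted key. Denied calls stay on the timeline but are excluded from the persistence and data-access lists, because a failed CreateLoginProfile tells you what the attacker wanted, not what they got.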

Key Concepts

| Concept | Description |
|---------|-------------|
| LookupEvents | CloudTrail API to query management events from the last 90 days; rate-limited (two requests per second per account and region), so paginate rather than hammer it |
| Athena Queries | SQL queries against CloudTrail logs in S3 for historical analysis beyond the 90-day window |
| User Agent Analysis | Identify tool signatures (AWS CLI, SDK, console, custom); the value is client-supplied and can be spoofed, so treat it as a lead, not proof |
| AccessKeyId | Track activity by a specific IAM access key (AKIA... long-term keys, ASIA... temporary STS credentials) |
| EventName | AWS API action name (e.g., GetObject, CreateUser, AssumeRole); pair it with errorCode to separate attempts from successes |
| sourceIPAddress | Origin IP of the API call for geolocation analysis; for calls made by AWS services on the principal's behalf this field holds a service hostname rather than an IP |

Tools & Systems

| Tool | Purpose |
|------|---------|
| boto3 CloudTrail client | Programmatic CloudTrail event lookup |
| AWS Athena | SQL-based analysis of CloudTrail S3 logs |
| AWS CLI | Command-line CloudTrail queries |
| jq | JSON processing for CloudTrail event parsing |
| CloudTrail Lake | Managed event data store with SQL query support |

Output Format

Forensic Report: AWS-IR-[DATE]-[SEQ]
Account: [AWS Account ID]
Timeframe (UTC): [Start] to [End]
Compromised Credentials: [Access Key IDs]
Suspicious Events: [Count]
Source IPs: [List of attacker IPs]
Actions Taken: [API calls by attacker]
Data Accessed: [S3 objects, secrets, etc.]
Persistence Mechanisms: [New users, keys, roles]
