DataDog
diff --git a/‎docs/attack-techniques/AWS/aws.credential-access.ec2-get-password-data.md
+1,600 b/‎docs/attack-techniques/AWS/aws.credential-access.ec2-get-password-data.md
+1,600
diff --git a/‎docs/attack-techniques/AWS/aws.credential-access.ec2-steal-instance-credentials.md
+1,858 b/‎docs/attack-techniques/AWS/aws.credential-access.ec2-steal-instance-credentials.md
+1,858
diff --git a/‎docs/attack-techniques/AWS/aws.credential-access.secretsmanager-batch-retrieve-secrets.md
+218 b/‎docs/attack-techniques/AWS/aws.credential-access.secretsmanager-batch-retrieve-secrets.md
+218
@@ -96,3 +96,221 @@ The following may be use to tune the detection, or validate findings:
 - Attempts to call GetBatchSecretValue resulting in access denied errors
 - Principals calling GetBatchSecretValue in several regions in a short period of time
 
+
+## Detonation logs <span class="smallcaps w3-badge w3-light-green w3-round w3-text-sand">new!</span>
+
+The following CloudTrail events are generated when this technique is detonated[^1]:
+
+
+- `secretsmanager:BatchGetSecretValue`
+
+
+??? "View raw detonation logs"
+
+    ```json hl_lines="6 46 86 126 166"
+
+    [
+	   {
+	      "awsRegion": "eu-westwest-1r",
+	      "eventCategory": "Management",
+	      "eventID": "61619dbf-c10b-471e-9d78-8199a2f8233a",
+	      "eventName": "BatchGetSecretValue",
+	      "eventSource": "secretsmanager.amazonaws.com",
+	      "eventTime": "2024-07-31T12:29:17Z",
+	      "eventType": "AwsApiCall",
+	      "eventVersion": "1.09",
+	      "managementEvent": true,
+	      "readOnly": true,
+	      "recipientAccountId": "165109126369",
+	      "requestID": "d493c657-4004-4105-81f0-8f468ba0c9b3",
+	      "requestParameters": {
+	         "filters": [
+	            {
+	               "key": "tag-key",
+	               "values": [
+	                  "StratusRedTeam"
+	               ]
+	            }
+	         ]
+	      },
+	      "responseElements": null,
+	      "sourceIPAddress": "88.223.251.255",
+	      "tlsDetails": {
+	         "cipherSuite": "TLS_AES_128_GCM_SHA256",
+	         "clientProvidedHostHeader": "secretsmanager.eu-westwest-1r.amazonaws.com",
+	         "tlsVersion": "TLSv1.3"
+	      },
+	      "userAgent": "stratus-red-team_0a05817a-84d2-40d7-afde-8311715b1ee6",
+	      "userIdentity": {
+	         "accessKeyId": "AKIALK3Q0HKBKZJ2XBYP",
+	         "accountId": "165109126369",
+	         "arn": "arn:aws:iam::165109126369:user/christophe",
+	         "principalId": "AIDAIOBKTJ7YOYY9TKC4",
+	         "type": "IAMUser",
+	         "userName": "christophe"
+	      }
+	   },
+	   {
+	      "awsRegion": "eu-westwest-1r",
+	      "eventCategory": "Management",
+	      "eventID": "7c7a69f9-867d-4b5b-beee-7fe62ba34d5c",
+	      "eventName": "BatchGetSecretValue",
+	      "eventSource": "secretsmanager.amazonaws.com",
+	      "eventTime": "2024-07-31T12:29:17Z",
+	      "eventType": "AwsApiCall",
+	      "eventVersion": "1.09",
+	      "managementEvent": true,
+	      "readOnly": true,
+	      "recipientAccountId": "165109126369",
+	      "requestID": "6b6e2935-39ad-44d9-9a62-eeb63e95bd69",
+	      "requestParameters": {
+	         "filters": [
+	            {
+	               "key": "tag-key",
+	               "values": [
+	                  "StratusRedTeam"
+	               ]
+	            }
+	         ]
+	      },
+	      "responseElements": null,
+	      "sourceIPAddress": "88.223.251.255",
+	      "tlsDetails": {
+	         "cipherSuite": "TLS_AES_128_GCM_SHA256",
+	         "clientProvidedHostHeader": "secretsmanager.eu-westwest-1r.amazonaws.com",
+	         "tlsVersion": "TLSv1.3"
+	      },
+	      "userAgent": "stratus-red-team_0a05817a-84d2-40d7-afde-8311715b1ee6",
+	      "userIdentity": {
+	         "accessKeyId": "AKIALK3Q0HKBKZJ2XBYP",
+	         "accountId": "165109126369",
+	         "arn": "arn:aws:iam::165109126369:user/christophe",
+	         "principalId": "AIDAIOBKTJ7YOYY9TKC4",
+	         "type": "IAMUser",
+	         "userName": "christophe"
+	      }
+	   },
+	   {
+	      "awsRegion": "eu-westwest-1r",
+	      "eventCategory": "Management",
+	      "eventID": "cf4e352a-b575-4003-bd81-0c531f42e626",
+	      "eventName": "BatchGetSecretValue",
+	      "eventSource": "secretsmanager.amazonaws.com",
+	      "eventTime": "2024-07-31T12:29:17Z",
+	      "eventType": "AwsApiCall",
+	      "eventVersion": "1.09",
+	      "managementEvent": true,
+	      "readOnly": true,
+	      "recipientAccountId": "165109126369",
+	      "requestID": "cd93c41b-cb19-4a2c-9f35-6a1becee24ce",
+	      "requestParameters": {
+	         "filters": [
+	            {
+	               "key": "tag-key",
+	               "values": [
+	                  "StratusRedTeam"
+	               ]
+	            }
+	         ]
+	      },
+	      "responseElements": null,
+	      "sourceIPAddress": "88.223.251.255",
+	      "tlsDetails": {
+	         "cipherSuite": "TLS_AES_128_GCM_SHA256",
+	         "clientProvidedHostHeader": "secretsmanager.eu-westwest-1r.amazonaws.com",
+	         "tlsVersion": "TLSv1.3"
+	      },
+	      "userAgent": "stratus-red-team_0a05817a-84d2-40d7-afde-8311715b1ee6",
+	      "userIdentity": {
+	         "accessKeyId": "AKIALK3Q0HKBKZJ2XBYP",
+	         "accountId": "165109126369",
+	         "arn": "arn:aws:iam::165109126369:user/christophe",
+	         "principalId": "AIDAIOBKTJ7YOYY9TKC4",
+	         "type": "IAMUser",
+	         "userName": "christophe"
+	      }
+	   },
+	   {
+	      "awsRegion": "eu-westwest-1r",
+	      "eventCategory": "Management",
+	      "eventID": "bddee0fb-2541-430d-aad5-b1fdd5d419f1",
+	      "eventName": "BatchGetSecretValue",
+	      "eventSource": "secretsmanager.amazonaws.com",
+	      "eventTime": "2024-07-31T12:29:16Z",
+	      "eventType": "AwsApiCall",
+	      "eventVersion": "1.09",
+	      "managementEvent": true,
+	      "readOnly": true,
+	      "recipientAccountId": "165109126369",
+	      "requestID": "6bd1a472-24d2-46b5-abb6-83a9caf3e3ea",
+	      "requestParameters": {
+	         "filters": [
+	            {
+	               "key": "tag-key",
+	               "values": [
+	                  "StratusRedTeam"
+	               ]
+	            }
+	         ]
+	      },
+	      "responseElements": null,
+	      "sourceIPAddress": "88.223.251.255",
+	      "tlsDetails": {
+	         "cipherSuite": "TLS_AES_128_GCM_SHA256",
+	         "clientProvidedHostHeader": "secretsmanager.eu-westwest-1r.amazonaws.com",
+	         "tlsVersion": "TLSv1.3"
+	      },
+	      "userAgent": "stratus-red-team_0a05817a-84d2-40d7-afde-8311715b1ee6",
+	      "userIdentity": {
+	         "accessKeyId": "AKIALK3Q0HKBKZJ2XBYP",
+	         "accountId": "165109126369",
+	         "arn": "arn:aws:iam::165109126369:user/christophe",
+	         "principalId": "AIDAIOBKTJ7YOYY9TKC4",
+	         "type": "IAMUser",
+	         "userName": "christophe"
+	      }
+	   },
+	   {
+	      "awsRegion": "eu-westwest-1r",
+	      "eventCategory": "Management",
+	      "eventID": "cdc49957-9518-4ab3-a49e-b5a7c17903e6",
+	      "eventName": "BatchGetSecretValue",
+	      "eventSource": "secretsmanager.amazonaws.com",
+	      "eventTime": "2024-07-31T12:29:16Z",
+	      "eventType": "AwsApiCall",
+	      "eventVersion": "1.09",
+	      "managementEvent": true,
+	      "readOnly": true,
+	      "recipientAccountId": "165109126369",
+	      "requestID": "be2e79d0-ef1a-47f1-90b4-bafbbaa7404c",
+	      "requestParameters": {
+	         "filters": [
+	            {
+	               "key": "tag-key",
+	               "values": [
+	                  "StratusRedTeam"
+	               ]
+	            }
+	         ]
+	      },
+	      "responseElements": null,
+	      "sourceIPAddress": "88.223.251.255",
+	      "tlsDetails": {
+	         "cipherSuite": "TLS_AES_128_GCM_SHA256",
+	         "clientProvidedHostHeader": "secretsmanager.eu-westwest-1r.amazonaws.com",
+	         "tlsVersion": "TLSv1.3"
+	      },
+	      "userAgent": "stratus-red-team_0a05817a-84d2-40d7-afde-8311715b1ee6",
+	      "userIdentity": {
+	         "accessKeyId": "AKIALK3Q0HKBKZJ2XBYP",
+	         "accountId": "165109126369",
+	         "arn": "arn:aws:iam::165109126369:user/christophe",
+	         "principalId": "AIDAIOBKTJ7YOYY9TKC4",
+	         "type": "IAMUser",
+	         "userName": "christophe"
+	      }
+	   }
+	]
+    ```
+
+[^1]: These logs have been gathered from a real detonation of this technique in a test environment using [Grimoire](https://github.com/DataDog/grimoire), and anonymized using [LogLicker](https://github.com/Permiso-io-tools/LogLicker).