cartography 0.116.1__py3-none-any.whl → 0.117.0__py3-none-any.whl

cartography/models/aws/ecr/image.py

@@ -52,11 +52,40 @@ class ECRImageHasLayerRel(CartographyRelSchema):
     properties: ECRImageHasLayerRelProperties = ECRImageHasLayerRelProperties()
 
 
+@dataclass(frozen=True)
+class ECRImageToParentImageRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+    from_attestation: PropertyRef = PropertyRef("from_attestation")
+    parent_image_uri: PropertyRef = PropertyRef("parent_image_uri")
+    confidence: PropertyRef = PropertyRef("confidence")
+
+
+@dataclass(frozen=True)
+class ECRImageToParentImageRel(CartographyRelSchema):
+    """
+    Relationship from an ECRImage to its parent ECRImage (BUILT_FROM).
+    This relationship is created when provenance attestations explicitly specify the parent image.
+    """
+
+    target_node_label: str = "ECRImage"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"digest": PropertyRef("parent_image_digest")},
+    )
+    direction: LinkDirection = LinkDirection.OUTWARD
+    rel_label: str = "BUILT_FROM"
+    properties: ECRImageToParentImageRelProperties = (
+        ECRImageToParentImageRelProperties()
+    )
+
+
 @dataclass(frozen=True)
 class ECRImageSchema(CartographyNodeSchema):
     label: str = "ECRImage"
     properties: ECRImageNodeProperties = ECRImageNodeProperties()
     sub_resource_relationship: ECRImageToAWSAccountRel = ECRImageToAWSAccountRel()
     other_relationships: OtherRelationships = OtherRelationships(
-        [ECRImageHasLayerRel()],
+        [
+            ECRImageHasLayerRel(),
+            ECRImageToParentImageRel(),
+        ],
     )

cartography/models/azure/container_instance.py

@@ -0,0 +1,55 @@
+import logging
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.relationships import CartographyRelProperties
+from cartography.models.core.relationships import CartographyRelSchema
+from cartography.models.core.relationships import LinkDirection
+from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import TargetNodeMatcher
+
+logger = logging.getLogger(__name__)
+
+
+# --- Node Definitions ---
+@dataclass(frozen=True)
+class AzureContainerInstanceProperties(CartographyNodeProperties):
+    id: PropertyRef = PropertyRef("id")
+    name: PropertyRef = PropertyRef("name")
+    location: PropertyRef = PropertyRef("location")
+    type: PropertyRef = PropertyRef("type")
+    provisioning_state: PropertyRef = PropertyRef("provisioning_state")
+    ip_address: PropertyRef = PropertyRef("ip_address")
+    os_type: PropertyRef = PropertyRef("os_type")
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+# --- Relationship Definitions ---
+@dataclass(frozen=True)
+class AzureContainerInstanceToSubscriptionRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class AzureContainerInstanceToSubscriptionRel(CartographyRelSchema):
+    target_node_label: str = "AzureSubscription"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"id": PropertyRef("AZURE_SUBSCRIPTION_ID", set_in_kwargs=True)},
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "RESOURCE"
+    properties: AzureContainerInstanceToSubscriptionRelProperties = (
+        AzureContainerInstanceToSubscriptionRelProperties()
+    )
+
+
+# --- Main Schema ---
+@dataclass(frozen=True)
+class AzureContainerInstanceSchema(CartographyNodeSchema):
+    label: str = "AzureContainerInstance"
+    properties: AzureContainerInstanceProperties = AzureContainerInstanceProperties()
+    sub_resource_relationship: AzureContainerInstanceToSubscriptionRel = (
+        AzureContainerInstanceToSubscriptionRel()
+    )

cartography/models/azure/data_lake_filesystem.py

@@ -0,0 +1,51 @@
+import logging
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.relationships import CartographyRelProperties
+from cartography.models.core.relationships import CartographyRelSchema
+from cartography.models.core.relationships import LinkDirection
+from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import TargetNodeMatcher
+
+logger = logging.getLogger(__name__)
+
+
+@dataclass(frozen=True)
+class AzureDataLakeFileSystemProperties(CartographyNodeProperties):
+    id: PropertyRef = PropertyRef("id")
+    name: PropertyRef = PropertyRef("name")
+    public_access: PropertyRef = PropertyRef("public_access")
+    last_modified_time: PropertyRef = PropertyRef("last_modified_time")
+    has_immutability_policy: PropertyRef = PropertyRef("has_immutability_policy")
+    has_legal_hold: PropertyRef = PropertyRef("has_legal_hold")
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class AzureDataLakeFileSystemToStorageAccountRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class AzureDataLakeFileSystemToStorageAccountRel(CartographyRelSchema):
+    target_node_label: str = "AzureStorageAccount"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"id": PropertyRef("STORAGE_ACCOUNT_ID", set_in_kwargs=True)},
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "CONTAINS"
+    properties: AzureDataLakeFileSystemToStorageAccountRelProperties = (
+        AzureDataLakeFileSystemToStorageAccountRelProperties()
+    )
+
+
+@dataclass(frozen=True)
+class AzureDataLakeFileSystemSchema(CartographyNodeSchema):
+    label: str = "AzureDataLakeFileSystem"
+    properties: AzureDataLakeFileSystemProperties = AzureDataLakeFileSystemProperties()
+    sub_resource_relationship: AzureDataLakeFileSystemToStorageAccountRel = (
+        AzureDataLakeFileSystemToStorageAccountRel()
+    )

cartography/rules/cli.py

@@ -47,19 +47,21 @@ def complete_frameworks_with_all(incomplete: str) -> Generator[str, None, None]:
 
 def complete_requirements(
     ctx: typer.Context, incomplete: str
-) -> Generator[str, None, None]:
-    """Autocomplete requirement IDs based on selected framework."""
+) -> Generator[tuple[str, str], None, None]:
+    """Autocomplete requirement IDs with descriptions based on selected framework."""
     framework = ctx.params.get("framework")
     if not framework or framework not in FRAMEWORKS:
         return
 
     for req in FRAMEWORKS[framework].requirements:
         if req.id.lower().startswith(incomplete.lower()):
-            yield req.id
+            yield (req.id, req.name)
 
 
-def complete_facts(ctx: typer.Context, incomplete: str) -> Generator[str, None, None]:
-    """Autocomplete fact IDs based on selected framework and requirement."""
+def complete_facts(
+    ctx: typer.Context, incomplete: str
+) -> Generator[tuple[str, str], None, None]:
+    """Autocomplete fact IDs with descriptions based on selected framework and requirement."""
     framework = ctx.params.get("framework")
     requirement_id = ctx.params.get("requirement")
 
@@ -73,7 +75,7 @@ def complete_facts(ctx: typer.Context, incomplete: str) -> Generator[str, None,
         if req.id.lower() == requirement_id.lower():
             for fact in req.facts:
                 if fact.id.lower().startswith(incomplete.lower()):
-                    yield fact.id
+                    yield (fact.id, fact.name)
             break
 
 

cartography/rules/data/frameworks/mitre_attack/__init__.py

@@ -1,4 +1,7 @@
 # MITRE ATT&CK Framework
+from cartography.rules.data.frameworks.mitre_attack.requirements.t1098_account_manipulation import (
+    t1098,
+)
 from cartography.rules.data.frameworks.mitre_attack.requirements.t1190_exploit_public_facing_application import (
     t1190,
 )
@@ -9,6 +12,9 @@ mitre_attack_framework = Framework(
     name="MITRE ATT&CK",
     description="Comprehensive security assessment framework based on MITRE ATT&CK tactics and techniques",
     version="1.0",
-    requirements=(t1190,),
+    requirements=(
+        t1098,
+        t1190,
+    ),
     source_url="https://attack.mitre.org/",
 )

cartography/rules/data/frameworks/mitre_attack/requirements/t1098_account_manipulation/__init__.py

@@ -0,0 +1,317 @@
+from cartography.rules.spec.model import Fact
+from cartography.rules.spec.model import Module
+from cartography.rules.spec.model import Requirement
+
+# AWS
+_aws_account_manipulation_permissions = Fact(
+    id="aws_account_manipulation_permissions",
+    name="IAM Principals with Account Creation and Modification Permissions",
+    description=(
+        "AWS IAM users and roles with permissions to create, modify, or delete IAM "
+        "accounts and their associated policies."
+    ),
+    cypher_query="""
+        MATCH (a:AWSAccount)-[:RESOURCE]->(principal:AWSPrincipal)
+        MATCH (principal)-[:POLICY]->(:AWSPolicy)-[:STATEMENT]->(stmt:AWSPolicyStatement)
+        WHERE NOT principal.name STARTS WITH 'AWSServiceRole'
+        AND NOT principal.name CONTAINS 'QuickSetup'
+        AND principal.name <> 'OrganizationAccountAccessRole'
+        AND stmt.effect = 'Allow'
+        WITH a, principal, stmt,
+            // Return labels that are not the general "AWSPrincipal" label
+            [label IN labels(principal) WHERE label <> 'AWSPrincipal'][0] AS principal_type,
+            // Define the list of IAM actions to match on
+            [p IN ['iam:Create','iam:Attach','iam:Put','iam:Update','iam:Add'] |
+                p] AS patterns
+        WITH a, principal, principal_type, stmt,
+            // Filter on the desired IAM actions
+            [action IN stmt.action
+                WHERE ANY(prefix IN patterns WHERE action STARTS WITH prefix)
+                OR action = 'iam:*'
+                OR action = '*'
+            ] AS matched_actions
+        // Return only statement actions that we matched on
+        WHERE size(matched_actions) > 0
+        UNWIND matched_actions AS action
+        RETURN DISTINCT a.name AS account,
+            principal.name AS principal_name,
+            principal.arn AS principal_arn,
+            principal_type,
+            collect(action) as action,
+            stmt.resource AS resource
+        ORDER BY account, principal_name
+    """,
+    cypher_visual_query="""
+        MATCH p = (a:AWSAccount)-[:RESOURCE]->(principal:AWSPrincipal)
+        MATCH p1 = (principal)-[:POLICY]->(policy:AWSPolicy)-[:STATEMENT]->(stmt:AWSPolicyStatement)
+        WHERE NOT principal.name STARTS WITH 'AWSServiceRole'
+        AND NOT principal.name CONTAINS 'QuickSetup'
+        AND NOT principal.name = 'OrganizationAccountAccessRole'
+        AND stmt.effect = 'Allow'
+        AND ANY(action IN stmt.action WHERE
+            action STARTS WITH 'iam:Create'
+            OR action STARTS WITH 'iam:Attach'
+            OR action STARTS WITH 'iam:Put'
+            OR action STARTS WITH 'iam:Update'
+            OR action STARTS WITH 'iam:Add'
+            OR action = 'iam:*'
+            OR action = '*'
+        )
+        RETURN *
+    """,
+    module=Module.AWS,
+)
+
+_aws_trust_relationship_manipulation = Fact(
+    id="aws_trust_relationship_manipulation",
+    name="Roles with Cross-Account Trust Relationship Modification Capabilities",
+    description=(
+        "AWS IAM principals with permissions to modify role trust policies "
+        "(specifically AssumeRolePolicyDocuments)."
+    ),
+    cypher_query="""
+        MATCH (a:AWSAccount)-[:RESOURCE]->(principal:AWSPrincipal)
+        MATCH (principal)-[:POLICY]->(:AWSPolicy)-[:STATEMENT]->(stmt:AWSPolicyStatement)
+        OPTIONAL MATCH (groupmember:AWSUser)
+        WHERE NOT principal.name STARTS WITH 'AWSServiceRole'
+        AND NOT principal.name CONTAINS 'QuickSetup'
+        AND principal.name <> 'OrganizationAccountAccessRole'
+        AND stmt.effect = 'Allow'
+        WITH a, principal, stmt,
+            [label IN labels(principal) WHERE label <> 'AWSPrincipal'][0] AS principal_type,
+            ['iam:UpdateAssumeRolePolicy','iam:CreateRole'] AS patterns
+        WITH a, principal, principal_type, stmt,
+            [action IN stmt.action
+                WHERE ANY(p IN patterns WHERE action = p)
+                OR action = 'iam:*' OR action = '*'
+            ] AS matched_actions
+        WHERE size(matched_actions) > 0
+        UNWIND matched_actions AS action
+        RETURN DISTINCT a.name AS account,
+            principal.name AS principal_name,
+            principal.arn AS principal_arn,
+            principal_type,
+            collect(distinct action) as action,
+            stmt.resource AS resource
+        ORDER BY account, principal_name
+    """,
+    cypher_visual_query="""
+        MATCH p = (a:AWSAccount)-[:RESOURCE]->(principal:AWSPrincipal)
+        MATCH p1 = (principal)-[:POLICY]->(policy:AWSPolicy)-[:STATEMENT]->(stmt:AWSPolicyStatement)
+        MATCH (principal)-[:POLICY]->(:AWSPolicy)-[:STATEMENT]->(stmt:AWSPolicyStatement)
+        WHERE NOT principal.name STARTS WITH 'AWSServiceRole'
+        AND principal.name <> 'OrganizationAccountAccessRole'
+        AND stmt.effect = 'Allow'
+        RETURN *
+    """,
+    module=Module.AWS,
+)
+
+_aws_service_account_manipulation_via_ec2 = Fact(
+    id="aws_service_account_manipulation_via_ec2",
+    name="Service Resources with Account Manipulation Through Instance Profiles",
+    description=(
+        "AWS EC2 instances with attached IAM roles that can manipulate other AWS accounts. "
+        "Also indicates whether the instance is internet-exposed."
+    ),
+    cypher_query="""
+        MATCH (a:AWSAccount)-[:RESOURCE]->(ec2:EC2Instance)
+        MATCH (ec2)-[:INSTANCE_PROFILE]->(profile:AWSInstanceProfile)
+        MATCH (profile)-[:ASSOCIATED_WITH]->(role:AWSRole)
+        MATCH (role)-[:POLICY]->(:AWSPolicy)-[:STATEMENT]->(stmt:AWSPolicyStatement)
+        WHERE stmt.effect = 'Allow'
+        WITH a, ec2, role,
+            // Define the list of IAM actions to match on
+            ['iam:Create', 'iam:Attach', 'iam:Put', 'iam:Update'] AS patterns,
+            // Filter on the desired IAM actions
+            [action IN stmt.action
+                WHERE ANY(p IN ['iam:Create','iam:Attach','iam:Put','iam:Update', 'iam:Add'] WHERE action STARTS WITH p)
+                OR action = 'iam:*'
+                OR action = '*'
+            ] AS actions
+        // For the instances that are internet open, include the SG and rules
+        OPTIONAL MATCH (ec2{exposed_internet:True})-[:MEMBER_OF_EC2_SECURITY_GROUP]->(sg:EC2SecurityGroup)<-[:MEMBER_OF_EC2_SECURITY_GROUP]-(ip:IpPermissionInbound)
+        // Return only statement actions that we matched on
+        WHERE size(actions) > 0
+        UNWIND actions AS flat_action
+        WITH a, ec2, role, sg, ip,
+            collect(DISTINCT flat_action) AS actions
+        RETURN DISTINCT a.name AS account,
+            a.id as account_id,
+            ec2.instanceid AS instance_id,
+            ec2.exposed_internet AS internet_accessible,
+            ec2.publicipaddress as public_ip_address,
+            role.name AS role_name,
+            collect(actions) as action,
+            ip.fromport as from_port,
+            ip.toport as to_port
+        ORDER BY account, instance_id, internet_accessible, from_port
+    """,
+    cypher_visual_query="""
+        MATCH p = (a:AWSAccount)-[:RESOURCE]->(ec2:EC2Instance)
+        MATCH p1 = (ec2)-[:INSTANCE_PROFILE]->(profile:AWSInstanceProfile)
+        MATCH p2 = (profile)-[:ASSOCIATED_WITH]->(role:AWSRole)
+        MATCH p3 = (role)-[:POLICY]->(:AWSPolicy)-[:STATEMENT]->(stmt:AWSPolicyStatement)
+        WHERE stmt.effect = 'Allow'
+        AND ANY(action IN stmt.action WHERE
+            action STARTS WITH 'iam:Create'
+            OR action STARTS WITH 'iam:Attach'
+            OR action STARTS WITH 'iam:Put'
+            OR action STARTS WITH 'iam:Update'
+            OR action STARTS WITH 'iam:Add'
+            OR action = 'iam:*'
+            OR action = '*'
+        )
+        WITH p, p1, p2, p3, ec2
+        // Include the SG and rules for the instances that are internet open
+        MATCH p4=(ec2{exposed_internet: true})-[:MEMBER_OF_EC2_SECURITY_GROUP]->(sg:EC2SecurityGroup)<-[:MEMBER_OF_EC2_SECURITY_GROUP]-(ip:IpPermissionInbound)
+        RETURN *
+    """,
+    module=Module.AWS,
+)
+
+_aws_service_account_manipulation_via_lambda = Fact(
+    id="aws_service_account_manipulation",
+    name="Service Resources with Account Manipulation Through Lambda Roles",
+    description=(
+        "AWS Lambda functions with IAM roles that can manipulate other AWS accounts."
+    ),
+    cypher_query="""
+        // Find Lambda functions with account manipulation capabilities
+        MATCH (a:AWSAccount)-[:RESOURCE]->(lambda:AWSLambda)
+        MATCH (lambda)-[:STS_ASSUMEROLE_ALLOW]->(role:AWSRole)
+        MATCH (role)-[:POLICY]->(policy:AWSPolicy)-[:STATEMENT]->(stmt:AWSPolicyStatement)
+        WHERE stmt.effect = 'Allow'
+        WITH a, lambda, role, stmt,
+            // Define the list of IAM actions to match on
+            ['iam:Create', 'iam:Attach', 'iam:Put', 'iam:Update'] AS patterns,
+            // Filter on the desired IAM actions
+            [action IN stmt.action
+                WHERE ANY(p IN ['iam:Create', 'iam:Attach', 'iam:Put', 'iam:Update', 'iam:Add'] WHERE action STARTS WITH p)
+                OR action = 'iam:*'
+                OR action = '*'
+            ] AS actions
+        // Return only statement actions that we matched on
+        WHERE size(actions) > 0
+        UNWIND actions AS flat_action
+        WITH a, lambda, role, stmt,
+            collect(DISTINCT flat_action) AS actions
+        RETURN DISTINCT a.name AS account,
+            a.id as account_id,
+            lambda.arn AS arn,
+            lambda.description AS description,
+            lambda.anonymous_access AS internet_accessible,
+            role.name AS role_name,
+            actions
+        ORDER BY account, arn, internet_accessible
+    """,
+    cypher_visual_query="""
+        MATCH p = (a:AWSAccount)-[:RESOURCE]->(lambda:AWSLambda)
+        MATCH p1 = (lambda)-[:STS_ASSUMEROLE_ALLOW]->(role:AWSRole)
+        MATCH p2 = (role)-[:POLICY]->(policy:AWSPolicy)-[:STATEMENT]->(stmt:AWSPolicyStatement)
+        WHERE stmt.effect = 'Allow'
+        AND ANY(action IN stmt.action WHERE
+            action STARTS WITH 'iam:Create'
+            OR action STARTS WITH 'iam:Attach'
+            OR action STARTS WITH 'iam:Put'
+            OR action STARTS WITH 'iam:Update'
+            OR action STARTS WITH 'iam:Add'
+            OR action = 'iam:*'
+            OR action = '*'
+        )
+        RETURN *
+    """,
+    module=Module.AWS,
+)
+
+_aws_policy_manipulation_capabilities = Fact(
+    id="aws_policy_manipulation_capabilities",
+    name="Principals with IAM Policy Creation and Modification Capabilities",
+    description=(
+        "AWS IAM principals that can create, modify, or attach IAM policies to other principals. "
+    ),
+    cypher_query="""
+        MATCH (a:AWSAccount)-[:RESOURCE]->(principal:AWSPrincipal)
+        MATCH (principal)-[:POLICY]->(policy:AWSPolicy)-[:STATEMENT]->(stmt:AWSPolicyStatement)
+        WHERE NOT principal.name STARTS WITH 'AWSServiceRole'
+        AND NOT principal.name CONTAINS 'QuickSetup'
+        AND principal.name <> 'OrganizationAccountAccessRole'
+        AND stmt.effect = 'Allow'
+
+        WITH a, principal, stmt,
+            // Return labels that are not the general "AWSPrincipal" label
+            [label IN labels(principal) WHERE label <> 'AWSPrincipal'][0] AS principal_type,
+            // Define the list of IAM actions to match on
+            [p IN
+            ['iam:CreatePolicy', 'iam:CreatePolicyVersion', 'iam:AttachUserPolicy', 'iam:AttachRolePolicy', 'iam:AttachGroupPolicy',
+            'iam:AttachRolePolicy', 'iam:AttachGroupPolicy', 'iam:DetachUserPolicy', 'iam:DetachRolePolicy', 'iam:DetachGroupPolicy',
+            'iam:PutUserPolicy', 'iam:PutRolePolicy', 'iam:PutGroupPolicy'] |
+                p] AS patterns
+
+        // Return only statement actions that we matched on
+        WITH a, principal, principal_type, stmt,
+            [action IN stmt.action
+                WHERE ANY(p IN patterns WHERE action = p)
+                OR action = 'iam:*' OR action = '*'
+            ] AS matched_actions
+        WHERE size(matched_actions) > 0
+        UNWIND matched_actions AS action
+        RETURN DISTINCT a.name AS account,
+            principal.name AS principal_name,
+            principal.arn AS principal_arn,
+            principal_type,
+            collect(action) as action,
+            stmt.resource AS resource
+        ORDER BY account, principal_name
+    """,
+    cypher_visual_query="""
+    MATCH p1=(a:AWSAccount)-[:RESOURCE]->(principal:AWSPrincipal)
+    MATCH p2=(principal)-[:POLICY]->(policy:AWSPolicy)-[:STATEMENT]->(stmt:AWSPolicyStatement)
+    WHERE NOT principal.name STARTS WITH 'AWSServiceRole'
+    AND NOT principal.name CONTAINS 'QuickSetup'
+    AND principal.name <> 'OrganizationAccountAccessRole'
+    AND stmt.effect = 'Allow'
+    AND ANY(action IN stmt.action WHERE
+        action CONTAINS 'iam:CreatePolicy' OR action CONTAINS 'iam:CreatePolicyVersion'
+        OR action CONTAINS 'iam:AttachUserPolicy' OR action CONTAINS 'iam:AttachRolePolicy'
+        OR action CONTAINS 'iam:AttachGroupPolicy' OR action CONTAINS 'iam:DetachUserPolicy'
+        OR action CONTAINS 'iam:DetachRolePolicy' OR action CONTAINS 'iam:DetachGroupPolicy'
+        OR action CONTAINS 'iam:PutUserPolicy' OR action CONTAINS 'iam:PutRolePolicy'
+        OR action CONTAINS 'iam:PutGroupPolicy' OR action = 'iam:*' OR action = '*'
+    )
+    RETURN *
+    """,
+    module=Module.AWS,
+)
+
+
+t1098 = Requirement(
+    id="t1098",
+    name="Account Manipulation",
+    description=(
+        "Adversaries may manipulate accounts to maintain or elevate access to victim systems. "
+        "Activity that subverts security policies. For example in cloud this is "
+        "updating IAM policies or adding new global admins."
+    ),
+    target_assets="Identities that can manipulate other identities",
+    facts=(
+        # AWS
+        _aws_account_manipulation_permissions,
+        _aws_trust_relationship_manipulation,
+        _aws_service_account_manipulation_via_ec2,
+        _aws_service_account_manipulation_via_lambda,
+        _aws_policy_manipulation_capabilities,
+    ),
+    requirement_url="https://attack.mitre.org/techniques/T1098/",
+    attributes={
+        "tactic": "persistence,privilege_escalation",
+        "technique_id": "T1098",
+        "services": [
+            "iam",
+            "sts",
+            "ec2",
+            "lambda",
+        ],
+        "providers": ["AWS"],
+    },
+)

cartography/rules/data/frameworks/mitre_attack/requirements/t1190_exploit_public_facing_application/__init__.py

@@ -116,6 +116,7 @@ t1190 = Requirement(
     id="t1190",
     name="Exploit Public-Facing Application",
     description="Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior.",
+    target_assets="Compute and storage resources that are accessible from the public internet",
     facts=(
         # AWS
         _aws_ec2_instance_internet_exposed,

cartography/rules/spec/model.py

@@ -58,9 +58,21 @@ class Requirement:
     """
 
     id: str
+    """A unique identifier for the requirement, e.g. T1098 in MITRE ATT&CK."""
     name: str
+    """A brief name for the requirement, e.g. "Account Manipulation"."""
     description: str
+    """A brief description of the requirement."""
+    target_assets: str
+    """
+    A short description of the assets that this requirement is related to. E.g. "Cloud
+    identities that can manipulate other identities". This field is used as
+    documentation: `description` tells us information about the requirement;
+    `target_assets` tells us what specific objects in cartography we will search for to
+    find Facts related to the requirement.
+    """
     facts: tuple[Fact, ...]
+    """The facts that are related to this requirement."""
     attributes: dict[str, Any] | None = None
     """
     Metadata attributes for the requirement. Example:
@@ -74,6 +86,7 @@ class Requirement:
     ```
     """
     requirement_url: str | None = None
+    """A URL reference to the requirement in the framework, e.g. https://attack.mitre.org/techniques/T1098/"""
 
 
 @dataclass(frozen=True)

{cartography-0.116.1.dist-info → cartography-0.117.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cartography
-Version: 0.116.1
+Version: 0.117.0
 Summary: Explore assets and their relationships across your technical infrastructure.
 Maintainer: Cartography Contributors
 License-Expression: Apache-2.0
@@ -42,6 +42,7 @@ Requires-Dist: python-digitalocean>=1.16.0
 Requires-Dist: adal>=1.2.4
 Requires-Dist: azure-cli-core>=2.26.0
 Requires-Dist: azure-mgmt-compute>=5.0.0
+Requires-Dist: azure-mgmt-containerinstance>=10.0.0
 Requires-Dist: azure-mgmt-resource>=10.2.0
 Requires-Dist: azure-mgmt-cosmosdb>=6.0.0
 Requires-Dist: azure-mgmt-web>=7.0.0
@@ -102,7 +103,7 @@ You can learn more about the story behind Cartography in our [presentation at BS
 - [Keycloak](https://cartography-cncf.github.io/cartography/modules/keycloak/index.html) - Realms, Users, Groups, Roles, Scopes, Clients, IdentityProviders, Authentication Flows, Authentication Executions, Organizations, Organization Domains
 - [Kubernetes](https://cartography-cncf.github.io/cartography/modules/kubernetes/index.html) - Cluster, Namespace, Service, Pod, Container, ServiceAccount, Role, RoleBinding, ClusterRole, ClusterRoleBinding, OIDCProvider
 - [Lastpass](https://cartography-cncf.github.io/cartography/modules/lastpass/index.html) - users
-- [Microsoft Azure](https://cartography-cncf.github.io/cartography/modules/azure/index.html) - App Service, CosmosDB, Functions, Logic Apps, Resource Group, SQL, Storage, Virtual Machine
+- [Microsoft Azure](https://cartography-cncf.github.io/cartography/modules/azure/index.html) - App Service, Container Instance, CosmosDB, Functions, Logic Apps, Resource Group, SQL, Storage, Virtual Machine
 - [Microsoft Entra ID](https://cartography-cncf.github.io/cartography/modules/entra/index.html) -  Users, Groups, Applications, OUs, App Roles, federation to AWS Identity Center
 - [NIST CVE](https://cartography-cncf.github.io/cartography/modules/cve/index.html) - Common Vulnerabilities and Exposures (CVE) data from NIST database
 - [Okta](https://cartography-cncf.github.io/cartography/modules/okta/index.html) - users, groups, organizations, roles, applications, factors, trusted origins, reply URIs, federation to AWS roles, federation to AWS Identity Center