Fix dataset for SSM attack technique and move log location

docs/attack-techniques/AWS/aws.credential-access.ec2-get-password-data.md

@@ -42,9 +42,7 @@ stratus detonate aws.credential-access.ec2-get-password-data
 Identify principals making a large number of ec2:GetPasswordData calls, using CloudTrail's GetPasswordData event
 
 
-
-
-## Detonation logs <span class="smallcaps w3-badge w3-pink w3-round w3-text-sand" title="TODO">new</span>
+## Detonation logs <span class="smallcaps w3-badge w3-light-green w3-round w3-text-sand">new!</span>
 
 The following CloudTrail events are generated when this technique is detonated[^1]:
 

docs/attack-techniques/AWS/aws.credential-access.ec2-steal-instance-credentials.md

@@ -48,5 +48,3 @@ GuardDuty provides two findings to identify stolen EC2 instance credentials.
 See also: [Known detection bypasses](https://hackingthe.cloud/aws/avoiding-detection/steal-keys-undetected/).
 
 
-
-

docs/attack-techniques/AWS/aws.credential-access.secretsmanager-batch-retrieve-secrets.md

@@ -97,9 +97,7 @@ The following may be use to tune the detection, or validate findings:
 - Principals calling GetBatchSecretValue in several regions in a short period of time
 
 
-
-
-## Detonation logs <span class="smallcaps w3-badge w3-pink w3-round w3-text-sand" title="TODO">new</span>
+## Detonation logs <span class="smallcaps w3-badge w3-light-green w3-round w3-text-sand">new!</span>
 
 The following CloudTrail events are generated when this technique is detonated[^1]:
 

docs/attack-techniques/AWS/aws.credential-access.secretsmanager-retrieve-secrets.md

@@ -45,17 +45,15 @@ The following may be use to tune the detection, or validate findings:
 - Attempts to call GetSecretValue resulting in access denied errors
 
 
-
-
-## Detonation logs <span class="smallcaps w3-badge w3-pink w3-round w3-text-sand" title="TODO">new</span>
+## Detonation logs <span class="smallcaps w3-badge w3-light-green w3-round w3-text-sand">new!</span>
 
 The following CloudTrail events are generated when this technique is detonated[^1]:
 
 
-- `secretsmanager:ListSecrets`
-
 - `secretsmanager:GetSecretValue`
 
+- `secretsmanager:ListSecrets`
+
 
 ??? "View raw detonation logs"
 

docs/attack-techniques/AWS/aws.credential-access.ssm-retrieve-securestring-parameters.md

@@ -49,9 +49,7 @@ The following may be use to tune the detection, or validate findings:
 
 
 
-
-
-## Detonation logs <span class="smallcaps w3-badge w3-pink w3-round w3-text-sand" title="TODO">new</span>
+## Detonation logs <span class="smallcaps w3-badge w3-light-green w3-round w3-text-sand">new!</span>
 
 The following CloudTrail events are generated when this technique is detonated[^1]:
 

docs/attack-techniques/AWS/aws.defense-evasion.cloudtrail-delete.md

@@ -42,9 +42,7 @@ GuardDuty also provides a dedicated finding type, [Stealth:IAMUser/CloudTrailLog
 
 
 
-
-
-## Detonation logs <span class="smallcaps w3-badge w3-pink w3-round w3-text-sand" title="TODO">new</span>
+## Detonation logs <span class="smallcaps w3-badge w3-light-green w3-round w3-text-sand">new!</span>
 
 The following CloudTrail events are generated when this technique is detonated[^1]:
 

docs/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors.md

@@ -42,9 +42,7 @@ Identify when event selectors of a CloudTrail trail are updated, through CloudTr
 
 
 
-
-
-## Detonation logs <span class="smallcaps w3-badge w3-pink w3-round w3-text-sand" title="TODO">new</span>
+## Detonation logs <span class="smallcaps w3-badge w3-light-green w3-round w3-text-sand">new!</span>
 
 The following CloudTrail events are generated when this technique is detonated[^1]:
 

docs/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule.md

@@ -44,5 +44,3 @@ The CloudTrail event <code>PutBucketLifecycle</code> and its attribute
 <code>requestParameters.LifecycleConfiguration.Rule.Expiration.Days</code> can be used.
 
 
-
-

docs/attack-techniques/AWS/aws.defense-evasion.cloudtrail-stop.md

@@ -42,9 +42,7 @@ GuardDuty also provides a dedicated finding type, [Stealth:IAMUser/CloudTrailLog
 
 
 
-
-
-## Detonation logs <span class="smallcaps w3-badge w3-pink w3-round w3-text-sand" title="TODO">new</span>
+## Detonation logs <span class="smallcaps w3-badge w3-light-green w3-round w3-text-sand">new!</span>
 
 The following CloudTrail events are generated when this technique is detonated[^1]:
 

docs/attack-techniques/AWS/aws.defense-evasion.dns-delete-logs.md

@@ -39,9 +39,7 @@ Identify when a DNS logging configuration is deleted, through CloudTrail's <code
 
 
 
-
-
-## Detonation logs <span class="smallcaps w3-badge w3-pink w3-round w3-text-sand" title="TODO">new</span>
+## Detonation logs <span class="smallcaps w3-badge w3-light-green w3-round w3-text-sand">new!</span>
 
 The following CloudTrail events are generated when this technique is detonated[^1]:
 

docs/attack-techniques/AWS/aws.defense-evasion.organizations-leave.md

@@ -43,5 +43,3 @@ Any attempts from a child account to leave its AWS Organization should be consid
 
 Use the CloudTrail event <code>LeaveOrganization</code>.
 
-
-

docs/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs.md

@@ -43,9 +43,7 @@ only when <code>DeleteFlowLogs</code> is not closely followed by <code>DeleteVpc
 
 
 
-
-
-## Detonation logs <span class="smallcaps w3-badge w3-pink w3-round w3-text-sand" title="TODO">new</span>
+## Detonation logs <span class="smallcaps w3-badge w3-light-green w3-round w3-text-sand">new!</span>
 
 The following CloudTrail events are generated when this technique is detonated[^1]:
 

docs/attack-techniques/AWS/aws.discovery.ec2-download-user-data.md

@@ -51,17 +51,15 @@ See:
 * [Associated Sigma rule](https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/aws_ec2_download_userdata.yml)
 
 
-
-
-## Detonation logs <span class="smallcaps w3-badge w3-pink w3-round w3-text-sand" title="TODO">new</span>
+## Detonation logs <span class="smallcaps w3-badge w3-light-green w3-round w3-text-sand">new!</span>
 
 The following CloudTrail events are generated when this technique is detonated[^1]:
 
 
-- `sts:AssumeRole`
-
 - `ec2:DescribeInstanceAttribute`
 
+- `sts:AssumeRole`
+
 
 ??? "View raw detonation logs"
 

docs/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance.md

@@ -58,5 +58,3 @@ arn:aws:sts::012345678901:assumed-role/my-instance-role/i-0adc17a5acb70d9ae
 </code>
 
 
-
-

docs/attack-techniques/AWS/aws.discovery.ses-enumerate.md

@@ -49,5 +49,3 @@ Through CloudTrail's <code>GetAccountSendingEnabled</code>, <code>GetSendQuota</
 These can be considered suspicious especially when performed by a long-lived access key, or when the calls span across multiple regions.
 
 
-
-

docs/attack-techniques/AWS/aws.execution.ec2-launch-unusual-instances.md

@@ -42,9 +42,7 @@ Depending on your account limits you might also see <code>VcpuLimitExceeded</cod
 
 
 
-
-
-## Detonation logs <span class="smallcaps w3-badge w3-pink w3-round w3-text-sand" title="TODO">new</span>
+## Detonation logs <span class="smallcaps w3-badge w3-light-green w3-round w3-text-sand">new!</span>
 
 The following CloudTrail events are generated when this technique is detonated[^1]: