
feat(entries): Terraform Cloud / IaC platform — 3 companion-only pairs#18

Merged
Gerrrt merged 1 commit into main from claude/dotfiles-round-7-github-b8nut0 on Jul 2, 2026

Conversation


@Gerrrt Gerrrt commented Jul 2, 2026

Collaborator

Round 12 — Terraform Cloud / IaC

Opens the IaC control-plane seam with detections over the Terraform Cloud audit trail (product: terraform, nested resource.type / resource.action). Three companion-only red↔blue pairs, distinct techniques:

| Attack (red) | Detection (blue) | ATT&CK |
|---|---|---|
| tfc-agent-hijack — rogue agent pool routes plans/applies to attacker infra (captures cloud creds + state) | tfc-agent-audit (agent_pool create) | T1543 |
| tfc-token-backdoor — mint an org/team API token for durable API + state access | tfc-token-audit (authentication_token create) | T1098 |
| tfc-var-injection — inject a workspace env variable to run code / exfil at apply | tfc-var-audit (variable create/update) | T1072 |

Red side is the Terraform Cloud API (curl) + tfc-agent; blue side is audit-trail Splunk SPL. Resource types verified against HashiCorp's TFC audit-trails docs.

Verification

  • ./gen-views.sh --check — clean (companion-only)
  • Pairing graph — all 50 pairs back-reference bidirectionally (only smb-enum-nxc unpaired)
  • README corpus intro/table + platform list updated (50 paired + 1 unpaired); CHANGELOG [Unreleased] updated

🤖 Generated with Claude Code
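As an added example (not code from this PR or from the corpus entries it adds), the following Python sweeps constructed Terraform Cloud audit-trail records for the three nested `resource.type` / `resource.action` pairs the table above names, which is the same match logic the blue-side SPL expresses. Only the three type/action pairs, the entry names and the ATT&CK ids come from the PR; the surrounding record layout (`type`, `timestamp`, `auth.accessor_id`, `auth.description`, `resource.id`) and the sample lines are assumptions modelled on the audit-trail format, not real telemetry.

```python
"""Flag the three Terraform Cloud audit-trail patterns the PR description lists.

Added example; not code from the PR or its entries. The (resource.type,
resource.action) pairs, entry names and ATT&CK ids are taken from the PR table;
every other field name and all sample records below are assumptions.
"""
import json

# (resource.type, resource.action) -> (blue entry, ATT&CK id), as listed in the PR
WATCHED = {
    ("agent_pool", "create"): ("tfc-agent-audit", "T1543"),
    ("authentication_token", "create"): ("tfc-token-audit", "T1098"),
    ("variable", "create"): ("tfc-var-audit", "T1072"),
    ("variable", "update"): ("tfc-var-audit", "T1072"),
}

# Constructed NDJSON audit-trail lines (assumed layout, not real telemetry).
# The last line is deliberately malformed to exercise the parser's skip path.
SAMPLE_LOG = """\
{"timestamp":"2026-07-01T10:00:00Z","type":"Resource","auth":{"accessor_id":"user-aaa","description":"alice"},"resource":{"type":"workspace","action":"update","id":"ws-111"}}
{"timestamp":"2026-07-01T10:05:00Z","type":"Resource","auth":{"accessor_id":"user-bbb","description":"bob"},"resource":{"type":"agent_pool","action":"create","id":"apool-222"}}
{"timestamp":"2026-07-01T10:07:00Z","type":"Resource","auth":{"accessor_id":"user-bbb","description":"bob"},"resource":{"type":"authentication_token","action":"create","id":"at-333"}}
{"timestamp":"2026-07-01T10:09:00Z","type":"Resource","auth":{"accessor_id":"user-ccc","description":"ci-svc"},"resource":{"type":"variable","action":"update","id":"var-444"}}
{"timestamp":"2026-07-01T10:10:00Z","type":"Resource","auth":{"accessor_id":"user-ccc","description":"ci-svc"},"resource":{"type":"run","action":"apply","id":"run-555"}}
not json at all
"""


def parse_events(lines):
    """Parse NDJSON lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            events.append(json.loads(raw))
        except json.JSONDecodeError:
            continue
    return events


def detect(events):
    """Return one alert per event whose nested resource.type/action is watched."""
    alerts = []
    for ev in events:
        if ev.get("type") != "Resource":  # only resource-change records carry a resource block
            continue
        res = ev.get("resource") or {}
        key = (res.get("type"), res.get("action"))
        hit = WATCHED.get(key)
        if hit is None:
            continue
        entry, technique = hit
        auth = ev.get("auth") or {}
        alerts.append({
            "entry": entry,
            "technique": technique,
            "resource_type": key[0],
            "action": key[1],
            "resource_id": res.get("id"),
            "actor": auth.get("description") or auth.get("accessor_id"),
            "timestamp": ev.get("timestamp"),
        })
    return alerts


def actors_by_hit_count(alerts):
    """Actor -> number of watched actions; the equivalent of `stats count by actor`."""
    counts = {}
    for a in alerts:
        counts[a["actor"]] = counts.get(a["actor"], 0) + 1
    return counts


def run_sample():
    """Run the sweep over the constructed sample log."""
    return detect(parse_events(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['timestamp']} {a['entry']} ({a['technique']}): "
              f"{a['actor']} {a['action']} {a['resource_type']} {a['resource_id']}")
```

The per-actor count is the part worth keeping an eye on in practice: a single principal that creates an agent pool and then mints a token inside a few minutes (as `bob` does in the constructed sample) is a stronger signal than either event alone.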


Generated by Claude Code

…airs)

Detections over the Terraform Cloud audit trail (product: terraform, nested
resource.type / resource.action). Three companion-only red↔blue pairs:

- tfc-agent-hijack ↔ tfc-agent-audit: rogue agent pool routes plans/applies to
  attacker infra (captures cloud creds + state); detect agent_pool create (T1543).
- tfc-token-backdoor ↔ tfc-token-audit: mint an org/team API token for durable API
  + state access; detect authentication_token create (T1098).
- tfc-var-injection ↔ tfc-var-audit: inject a workspace env variable to run code /
  exfil at apply; detect variable create/update (T1072).

Red side is the Terraform Cloud API (curl) + tfc-agent; blue side is audit-trail
Splunk SPL. Resource types verified against the TFC audit-trails docs. Corpus is
now 50 paired concepts + 1 unpaired recon entry.

Co-Authored-By: Claude <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_011spYcGfeP4a3RNQQVDrGtW

Copilot AI left a comment



Pull request overview

Adds a new Terraform Cloud / IaC “control-plane seam” to the companion corpus by introducing three new red↔blue entry pairs backed by Terraform Cloud audit-trail telemetry, and updates the top-level docs to reflect the expanded corpus.

Changes:

  • Added 3 new Terraform Cloud attack entries (red) and 3 matching audit-trail detections (blue).
  • Updated the README corpus summary/table to include Terraform Cloud and reflect the new paired-count (50).
  • Updated the CHANGELOG [Unreleased] section to document the new Terraform Cloud / IaC platform additions.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated no comments.

| File | Description |
|---|---|
| README.md | Updates corpus count and table to include three Terraform Cloud pairs/platform mention. |
| CHANGELOG.md | Documents the new Terraform Cloud / IaC platform entries under [Unreleased]. |
| entries/red/tfc-agent-hijack.md | New red entry describing rogue Terraform Cloud agent pool abuse, paired to detection. |
| entries/red/tfc-token-backdoor.md | New red entry describing org/team token creation for persistence, paired to detection. |
| entries/red/tfc-var-injection.md | New red entry describing workspace env var injection to influence runs, paired to detection. |
| entries/blue/tfc-agent-audit.md | New blue detection SPL for Terraform Cloud agent_pool creation events. |
| entries/blue/tfc-token-audit.md | New blue detection SPL for Terraform Cloud authentication_token creation events. |
| entries/blue/tfc-var-audit.md | New blue detection SPL for Terraform Cloud variable create/update events. |


@Gerrrt Gerrrt merged commit dad58d5 into main Jul 2, 2026
2 checks passed
@Gerrrt Gerrrt deleted the claude/dotfiles-round-7-github-b8nut0 branch July 2, 2026 06:25
