Cloud Service

Infrastructure, platforms, or software that are hosted on-premise or by third-party providers, made available to users through network connections and/or APIs[1][2]

ID: DS0025
Platforms: IaaS, Identity Provider, Office Suite, SaaS
Collection Layer: Cloud Control Plane
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 14 October 2024

Data Components

Cloud Service: Cloud Service Disable

Deactivation or stoppage of a cloud service (ex: AWS Cloudtrail StopLogging)

Domain | ID | Name | Detects
Enterprise | T1562 | Impair Defenses

Monitor logs for API calls to disable logging. In AWS, monitor for: StopLogging and DeleteTrail.[3] In GCP, monitor for: google.logging.v2.ConfigServiceV2.UpdateSink.[4] In Azure, monitor for az monitor diagnostic-settings delete.[5] Additionally, a sudden loss of a log source may indicate that it has been disabled.

Enterprise | T1562.008 | Disable or Modify Cloud Logs

Monitor logs for API calls to disable logging. In AWS, monitor for: StopLogging, UpdateTrail DeleteTrail.[3] In GCP, monitor for: google.logging.v2.ConfigServiceV2.UpdateSink and google.logging.v2.ConfigServiceV2.DeleteSink.[4] In Azure, monitor for az monitor diagnostic-settings update and az monitor diagnostic-settings delete.[5] Additionally, a sudden loss of a log source may indicate that it has been disabled.
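
The two checks above (watch for the named API calls, and notice when a log source goes quiet) as an added example, not code from the ATT&CK page. It runs over constructed CloudTrail-style records; the AWS event names are the ones listed above, and the 30-minute silence threshold is an assumption to be tuned per source.

```python
"""Added example (not from the ATT&CK page): watch for the log-tampering API
calls the page names and report log sources that have suddenly gone quiet.
All sample records below are constructed."""
from datetime import datetime, timedelta, timezone

# AWS calls the page lists. The GCP/Azure equivalents it names
# (ConfigServiceV2.UpdateSink/DeleteSink, diagnostic-settings update/delete)
# live in different log shapes and would need their own loader.
LOG_TAMPER_CALLS = {"StopLogging", "UpdateTrail", "DeleteTrail"}

# Constructed CloudTrail-style records, trimmed to the fields used here.
SAMPLE_EVENTS = [
    {"eventTime": "2024-10-14T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-10-14T10:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-10-14T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/mallory"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-10-14T10:06:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "UpdateTrail",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/mallory"},
     "requestParameters": {"name": "org-trail", "isMultiRegionTrail": False}},
    {"eventTime": "2024-10-14T10:40:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
]


def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_log_tampering(events):
    """Return (actor, eventName, trail name) for every watchlisted call."""
    hits = []
    for ev in events:
        if ev.get("eventName") in LOG_TAMPER_CALLS:
            actor = ev.get("userIdentity", {}).get("arn", "unknown")
            trail = ev.get("requestParameters", {}).get("name", "")
            hits.append((actor, ev["eventName"], trail))
    return hits


def silent_sources(events, now, max_gap=timedelta(minutes=30)):
    """Per eventSource, list sources whose newest record is older than max_gap.
    A source that was active and then stops is the 'sudden loss of a log
    source' described above; max_gap is an assumed threshold to tune per source."""
    latest = {}
    for ev in events:
        src = ev["eventSource"]
        t = parse_time(ev["eventTime"])
        if src not in latest or t > latest[src]:
            latest[src] = t
    return sorted(src for src, t in latest.items() if now - t > max_gap)


if __name__ == "__main__":
    for actor, name, trail in find_log_tampering(SAMPLE_EVENTS):
        print(f"ALERT log tampering: {name} on trail {trail!r} by {actor}")
    for src in silent_sources(SAMPLE_EVENTS, parse_time("2024-10-14T10:50:00Z")):
        print(f"ALERT no events from {src} within the gap window")
```

In production the gap check would run on a schedule against the newest timestamp per source rather than over a fixed batch, so that a disabled trail is noticed even when no tampering call was captured.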

Cloud Service: Cloud Service Enumeration

An extracted list of cloud services (ex: AWS ECS ListServices)

Domain | ID | Name | Detects
Enterprise | T1526 | Cloud Service Discovery

Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained. Normal, benign system and network events that look like cloud service discovery may be uncommon, depending on the environment and how they are used. Monitor cloud service usage for anomalous behavior that may indicate adversarial presence within the environment.

Enterprise | T1555 | Credentials from Password Stores

Monitor for API calls and CLI commands that attempt to enumerate and fetch credential material from cloud secrets managers, such as get-secret-value in AWS, gcloud secrets describe in GCP, and az key vault secret show in Azure. Alert on any suspicious usages of these commands, such as an account or service generating an unusually high number of secret requests.

Analytic 1 - High volume of secret requests from unusual accounts or services.

index=security sourcetype IN ("aws:cloudtrail", "azure:activity", "gcp:activity") (eventName IN ("ListAccessKeys", "GetLoginProfile", "ListSecrets", "GetSecretValue", "GetParametersByPath", "ListKeys") OR operationName IN ("ListAccessKeys", "GetLoginProfile", "ListSecrets", "GetSecretValue", "GetParametersByPath", "ListKeys") OR protoPayload.methodName IN ("ListAccessKeys", "GetLoginProfile", "ListSecrets", "GetSecretValue", "GetParametersByPath", "ListKeys"))

Enterprise | T1555.006 | Cloud Secrets Management Stores

Monitor for API calls and CLI commands that attempt to enumerate and fetch credential material from the secrets manager, such as get-secret-value in AWS, gcloud secrets describe in GCP, and az key vault secret show in Azure. Alert on any suspicious usages of these commands, such as an account or service generating an unusually high number of secret requests.

Analytic 1 - High volume of secret requests from unusual accounts or services.

index=cloud_logs sourcetype IN ("aws:cloudtrail", "gcp:logging", "azure:activity") (eventName IN ("GetSecretValue", "gcloud secrets describe", "az key vault secret show")) | eval User=coalesce(userIdentity.arn, protoPayload.authenticationInfo.principalEmail, claims.user) | eval Service=coalesce(eventSource, protoPayload.serviceName, claims.aud) | eval AccountType=case(match(User, "root|admin|superuser"), "High-Privilege", match(User, "serviceaccount|svc|automation"), "Service-Account", true(), "Standard-User") | eval Platform=case(sourcetype=="aws:cloudtrail", "AWS", sourcetype=="gcp:logging", "GCP", sourcetype=="azure:activity", "Azure", true(), "Unknown") | where AccountType != "High-Privilege"

Analytic 2 - Cloud Service Enumeration

index=cloud_logs sourcetype IN ("aws:cloudtrail", "gcp:logging", "azure:activity") | search (sourcetype="aws:cloudtrail" eventName="GetSecretValue" OR sourcetype="gcp:pubsub:message" methodName="google.iam.credentials.v1.*" OR sourcetype="azure:eventhub" operationName="Microsoft.KeyVault/vaults/secrets/read")
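
The normalisation and account-classification steps of the T1555 and T1555.006 analytics above, as an added example rather than code from the ATT&CK page. It coalesces the AWS, GCP and Azure principal and operation fields the way the Splunk analytic does, then counts secret reads per principal and flags those over a threshold. All records are constructed; the GCP method name is an assumption about how Secret Manager access is logged, and the threshold of five is arbitrary.

```python
"""Added example (not from the ATT&CK page): normalize secret-read events from
AWS CloudTrail, GCP audit logs and Azure activity logs into one shape, classify
the principal the way the page's analytic does, and flag unusually high request
volumes. Sample records are constructed."""
import re
from collections import Counter

# Secret-read operations per platform. The AWS and Azure names appear on the
# page; the GCP method name is an assumption about Secret Manager audit logging.
SECRET_READ_OPS = {
    "AWS": {"GetSecretValue", "ListSecrets", "GetParametersByPath"},
    "GCP": {"google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion"},
    "Azure": {"Microsoft.KeyVault/vaults/secrets/read"},
}


def _aws(user, op, n):
    """n constructed CloudTrail records, one minute apart, for one principal."""
    return [{"eventTime": f"2024-10-14T11:{i:02d}:00Z",
             "eventSource": "secretsmanager.amazonaws.com",
             "eventName": op, "userIdentity": {"arn": user}} for i in range(n)]


SAMPLE_EVENTS = (
    _aws("arn:aws:iam::111122223333:user/bob", "GetSecretValue", 6)
    + _aws("arn:aws:sts::111122223333:assumed-role/svc-deploy/ci", "GetSecretValue", 2)
    + [{"protoPayload": {"authenticationInfo": {"principalEmail": "alice@example.com"},
                         "serviceName": "secretmanager.googleapis.com",
                         "methodName": "google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion"}},
       {"operationName": "Microsoft.KeyVault/vaults/secrets/read",
        "claims": {"user": "carol@example.com", "aud": "https://vault.azure.net"}}]
)


def normalize(ev):
    """Map a raw record to (platform, user, service, operation), mirroring the
    coalesce() calls in the page's analytic. Returns None for unknown shapes."""
    if "eventName" in ev and "userIdentity" in ev:
        return ("AWS", ev["userIdentity"].get("arn", ""),
                ev.get("eventSource", ""), ev["eventName"])
    if "protoPayload" in ev:
        p = ev["protoPayload"]
        return ("GCP", p.get("authenticationInfo", {}).get("principalEmail", ""),
                p.get("serviceName", ""), p.get("methodName", ""))
    if "operationName" in ev:
        claims = ev.get("claims", {})
        return ("Azure", claims.get("user", ""), claims.get("aud", ""), ev["operationName"])
    return None


def account_type(user):
    """Same three buckets as the case() expression in the analytic."""
    if re.search(r"root|admin|superuser", user, re.I):
        return "High-Privilege"
    if re.search(r"serviceaccount|svc|automation", user, re.I):
        return "Service-Account"
    return "Standard-User"


def secret_read_counts(events):
    """Count secret-read operations per (platform, user)."""
    counts = Counter()
    for ev in events:
        rec = normalize(ev)
        if rec is None:
            continue
        platform, user, _service, op = rec
        if op in SECRET_READ_OPS[platform]:
            counts[(platform, user)] += 1
    return counts


def high_volume_secret_readers(events, threshold=5):
    """Principals exceeding the threshold, with their account type attached."""
    return sorted((platform, user, account_type(user), n)
                  for (platform, user), n in secret_read_counts(events).items()
                  if n > threshold)


if __name__ == "__main__":
    for platform, user, kind, n in high_volume_secret_readers(SAMPLE_EVENTS):
        print(f"ALERT {n} secret reads on {platform} by {user} ({kind})")
```

Keeping the account type in the output rather than filtering on it lets the threshold differ per bucket: a CI service account reading dozens of secrets per deploy is normal, while the same count from a standard user account is not.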

Enterprise | T1046 | Network Service Discovery

Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained. Normal, benign system and network events that look like cloud service discovery may be uncommon, depending on the environment and how they are used. Monitor cloud service usage for anomalous behavior that may indicate adversarial presence within the environment.

Cloud Service: Cloud Service Metadata

Contextual data about a cloud service and activity around it such as name, type, or purpose/function

Domain | ID | Name | Detects
Enterprise | T1530 | Data from Cloud Storage

Monitor M365 Audit logs for TeamsSessionStarted Operations against MicrosoftTeams workloads involving suspicious ClientIPs and suspect accounts (UserId).

Analytic 1 - Sessions initiated from unusual IP addresses, high volume of sessions from a single account, sessions at unusual times

index="m365_audit_logs" Operation="TeamsSessionStarted" | stats count by UserId, ClientIP, CreationTime | where ClientIP!="expected_ip" OR UserId!="expected_user" | sort CreationTime

Enterprise | T1213.002 | Data from Information Repositories: Sharepoint

Monitor M365 Audit logs for FileAccessed operations against Sharepoint workloads. Scrutinize event metadata such as client IP address, ObjectId, UserId, User Agent, and Authentication type.

Analytic 1 - Unusual file access patterns by users, anomalous IP addresses, or suspicious User Agents

index="m365_audit_logs" Operation="FileAccessed" | stats count by UserId, ClientIP, ObjectId, UserAgent, AuthenticationType | where UserId!="expected_user" OR ClientIP!="expected_ip" OR UserAgent!="expected_user_agent" OR AuthenticationType!="expected_auth_type"

Enterprise | T1114.003 | Email Collection: Email Forwarding Rule

Monitor M365 Audit logs for AlertTriggered operations with rule name "Creation of forwarding/redirect rule." or for New-InboxRule operations against Exchange workloads. Look for anomalous modification properties such as the actor user ID. An example event can show the creation of an email forwarding rule for a victim user.

Analytic 1 - Unauthorized email forwarding rule creation activities

Note: This analytic detects unauthorized email forwarding rule creation activities in M365 Audit logs.

index="m365_audit_logs" Operation="AlertTriggered" RuleName="Creation of forwarding/redirect rule" | stats count by Actor, TargetUser | where Actor!="expected_actor" AND TargetUser!="expected_target_user"

Analytic 2 - Unauthorized email forwarding rule creation activities

index="m365_audit_logs" Operation="New-InboxRule" | stats count by UserId, Parameters.ForwardTo | where UserId!="expected_user" AND Parameters.ForwardTo!="expected_forwarding_address"
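
Analytic 2 compares Parameters.ForwardTo against a fixed expected address; the added example below (not code from the ATT&CK page) generalises that to any forwarding target outside the tenant's own domains. It parses constructed Unified Audit Log records for New-InboxRule, reads the cmdlet's forwarding parameters (ForwardTo, ForwardAsAttachmentTo, RedirectTo, assumed to be logged under Parameters as name/value pairs) and flags external recipients. INTERNAL_DOMAINS and all sample values are constructed.

```python
"""Added example (not from the ATT&CK page): parse Microsoft 365 Unified Audit
Log records for New-InboxRule and flag rules that forward or redirect mail
outside the tenant. Records are constructed; the forwarding parameter names
are those of the New-InboxRule cmdlet, assumed to be logged under Parameters."""
import json
import re

INTERNAL_DOMAINS = {"example.com"}          # constructed: the tenant's accepted domains
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed audit records as the JSON strings an export would contain.
SAMPLE_AUDIT_RECORDS = [
    json.dumps({"CreationTime": "2024-10-14T09:12:44", "Workload": "Exchange",
                "Operation": "New-InboxRule", "UserId": "alice@example.com",
                "ClientIP": "198.51.100.23", "ObjectId": "alice@example.com\\Archive",
                "Parameters": [{"Name": "Name", "Value": "Archive"},
                               {"Name": "ForwardTo", "Value": "drop@external-example.net"}]}),
    json.dumps({"CreationTime": "2024-10-14T09:20:10", "Workload": "Exchange",
                "Operation": "New-InboxRule", "UserId": "bob@example.com",
                "ClientIP": "203.0.113.7", "ObjectId": "bob@example.com\\Cover",
                "Parameters": [{"Name": "Name", "Value": "Cover"},
                               {"Name": "ForwardTo", "Value": "team-lead@example.com"}]}),
    json.dumps({"CreationTime": "2024-10-14T09:25:00", "Workload": "Exchange",
                "Operation": "Set-Mailbox", "UserId": "admin@example.com",
                "Parameters": [{"Name": "Identity", "Value": "bob@example.com"}]}),
]


def external_forwarding_rules(records, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per New-InboxRule whose forwarding targets include an
    address whose domain is not in internal_domains."""
    findings = []
    for raw in records:
        rec = json.loads(raw)
        if rec.get("Operation") != "New-InboxRule":
            continue
        # Parameters is a list of {"Name": ..., "Value": ...}; flatten it.
        params = {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}
        targets = []
        for name in sorted(FORWARDING_PARAMS & set(params)):
            targets.extend(EMAIL_RE.findall(params[name]))
        external = [t for t in targets
                    if t.rsplit("@", 1)[1].lower() not in internal_domains]
        if external:
            findings.append({"time": rec.get("CreationTime"), "actor": rec.get("UserId"),
                             "client_ip": rec.get("ClientIP"), "rule": params.get("Name"),
                             "mailbox": rec.get("ObjectId"), "external_targets": external})
    return findings


if __name__ == "__main__":
    for f in external_forwarding_rules(SAMPLE_AUDIT_RECORDS):
        print(f"ALERT {f['actor']} from {f['client_ip']} created rule {f['rule']!r} "
              f"forwarding to {', '.join(f['external_targets'])}")
```

Internal forwarding is left alone on purpose: the signal here is mail leaving the tenant, and a list of accepted domains is easier to keep current than a list of approved recipients.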

Enterprise | T1578 | Modify Cloud Compute Infrastructure

Monitor for quota increases across all regions, especially multiple quota increases in a short period of time or quota increases in unused regions. Monitor for changes to tenant-level settings such as subscriptions and enabled regions.[6]

Cloud Service: Cloud Service Modification

Changes made to a cloud service, including its settings and/or data (ex: AWS CloudTrail DeleteTrail or DeleteConfigRule)

Domain | ID | Name | Detects
Enterprise | T1546 | Event Triggered Execution

Monitor the creation and modification of cloud resources that may be abused for persistence, such as functions and workflows monitoring cloud events.

Enterprise | T1562 | Impair Defenses

Monitor changes made to cloud services for unexpected modifications to settings and/or data.

Enterprise | T1562.008 | Disable or Modify Cloud Logs

Monitor changes made to cloud services for unexpected modifications to settings and/or data.

Analytic 1 - Operations performed by unexpected initiators, frequent modifications, changes to critical resources

index="azure_activity_logs" OperationName="Create or update resource diagnostic setting" | stats count by InitiatorName, ResourceID, Status | where Status!="Succeeded" OR InitiatorName!="expected_initiator" | sort Time

Enterprise | T1556 | Modify Authentication Process

Monitor for changes made to conditional access policies used by SaaS identity providers and internal IaaS identity and access management systems.

Analytic 1 - Changes to access policies without corresponding change requests.

index=cloud_logs sourcetype IN ("azure:activity", "gsuite:reports:activity", "aws:cloudtrail", "office365:management", "saas_audit") (eventName IN ("UpdateServicePrincipal", "UpdateUser", "UpdateGroup", "UpdatePolicy", "UpdateRole", "PutRolePolicy", "AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy", "ModifyAuthenticationMethod") OR protoPayload.methodName IN ("directory.users.update", "admin.directory.group.update", "admin.directory.roleAssignments.update", "Set-AzureADApplicationProxyConnector", "Update-PassThroughAuthentication") OR (eventName="Sign-in" AND targetResourceType="applicationProxyConnector"))

Enterprise | T1556.009 | Conditional Access Policies

Monitor for changes made to conditional access policies used by SaaS identity providers and internal IaaS identity and access management systems.

Enterprise | T1578.005 | Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations

Monitor for quota increases across all regions, especially multiple quota increases in a short period of time or quota increases in unused regions. In Azure environments, monitor for changes to tenant-level settings such as enabled regions.[6]
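
The two quota conditions named above (several increases in a short period, and increases in regions the account does not otherwise use) as an added example, not code from the ATT&CK page. It works on constructed CloudTrail records; the baseline of "used" regions is derived from the non-quota activity in the same batch, which is an assumption a real deployment would replace with a longer history. The event name RequestServiceQuotaIncrease is the Service Quotas API call; that it is logged under eventName exactly so is assumed, and the one-hour window and burst size of three are arbitrary.

```python
"""Added example (not from the ATT&CK page): review CloudTrail records for
service quota increase requests and flag bursts of requests or requests in
regions the account does not otherwise use. Records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Service Quotas API call; assumed to be logged under eventName with this name.
QUOTA_EVENT = "RequestServiceQuotaIncrease"

ALICE = "arn:aws:iam::111122223333:user/alice"
MALLORY = "arn:aws:iam::111122223333:user/mallory"


def _ev(time, region, actor, name, **params):
    """Build a constructed CloudTrail-style record."""
    return {"eventTime": time, "awsRegion": region, "eventName": name,
            "userIdentity": {"arn": actor}, "requestParameters": params}


SAMPLE_EVENTS = [
    _ev("2024-10-14T09:00:00Z", "us-east-1", ALICE, "RunInstances"),
    _ev("2024-10-14T09:05:00Z", "eu-west-1", ALICE, "DescribeInstances"),
    _ev("2024-10-14T09:30:00Z", "us-east-1", ALICE, QUOTA_EVENT,
        serviceCode="ec2", desiredValue=64),
    _ev("2024-10-14T10:00:00Z", "us-east-1", MALLORY, QUOTA_EVENT,
        serviceCode="ec2", desiredValue=512),
    _ev("2024-10-14T10:04:00Z", "us-east-1", MALLORY, QUOTA_EVENT,
        serviceCode="ec2", desiredValue=1024),
    _ev("2024-10-14T10:09:00Z", "ap-southeast-2", MALLORY, QUOTA_EVENT,
        serviceCode="ec2", desiredValue=512),
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def used_regions(events):
    """Regions with any activity other than quota requests: the account's baseline."""
    return {e["awsRegion"] for e in events if e["eventName"] != QUOTA_EVENT}


def quota_findings(events, window=timedelta(hours=1), burst=3):
    """Return ('unused-region', actor, region) and ('burst', actor, n) findings."""
    used = used_regions(events)
    requests = sorted((e for e in events if e["eventName"] == QUOTA_EVENT),
                      key=lambda e: parse_time(e["eventTime"]))
    findings = []
    times_by_actor = defaultdict(list)
    for e in requests:
        actor = e["userIdentity"]["arn"]
        if e["awsRegion"] not in used:
            findings.append(("unused-region", actor, e["awsRegion"]))
        times_by_actor[actor].append(parse_time(e["eventTime"]))
    for actor, times in times_by_actor.items():
        # Sliding window over the actor's sorted request times: any run of
        # `burst` consecutive requests that fits inside `window` is a burst.
        for i in range(burst - 1, len(times)):
            if times[i] - times[i - burst + 1] <= window:
                findings.append(("burst", actor, burst))
                break
    return findings


if __name__ == "__main__":
    for kind, actor, detail in quota_findings(SAMPLE_EVENTS):
        print(f"ALERT quota {kind}: {actor} ({detail})")
```

The same region baseline serves the T1578 check above for enabled regions: a quota request in a region with no prior workload is worth a ticket even when it is the only one.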

Enterprise | T1666 | Modify Cloud Resource Hierarchy

Monitor for changes to resource groups, such as creating new resource groups or leaving top-level management groups. In Azure environments, monitor for changes to subscriptions.[6] In AWS environments, monitor for API calls such as CreateAccount or LeaveOrganization.[7]

Enterprise | T1496 | Resource Hijacking

Monitor for changes to SaaS services, especially when quotas are raised or when new services are enabled.

Enterprise | T1496.004 | Cloud Service Hijacking

Monitor for changes to SaaS services, especially when quotas are raised or when new services are enabled. In AWS environments, watch for calls to Bedrock APIs like PutUseCaseForModelAccess, PutFoundationModelEntitlement, and InvokeModel and SES APIs like UpdateAccountSendingEnabled.[8][9]

Enterprise | T1648 | Serverless Execution

Monitor for unusual Serverless function modifications, such as adding roles to a function that allow unauthorized access or execution.

Analytic 1 - Tracks actions related to creating or modifying serverless functions

index=cloud_logs sourcetype=aws:iam OR sourcetype=azure:activity OR sourcetype=gcp:iam | search action IN ("iam:PassRole", "iam:CreateFunction", "iam:AddPermission", "iam:UpdateFunctionConfiguration")

References