Deactivation or stoppage of a cloud service (ex: AWS Cloudtrail StopLogging)
Deactivation or stoppage of a cloud service (ex: AWS Cloudtrail StopLogging)
| Domain | ID | Name | Detects | |
|---|---|---|---|---|
| Enterprise | T1562 | Impair Defenses |
Monitor logs for API calls to disable logging. In AWS, monitor for: |
|
| .008 | Disable or Modify Cloud Logs |
Monitor logs for API calls to disable logging. In AWS, monitor for: |
||
An extracted list of cloud services (ex: AWS ECS ListServices)
An extracted list of cloud services (ex: AWS ECS ListServices)
| Domain | ID | Name | Detects | |
|---|---|---|---|---|
| Enterprise | T1526 | Cloud Service Discovery |
Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.Normal, benign system and network events that look like cloud service discovery may be uncommon, depending on the environment and how they are used. Monitor cloud service usage for anomalous behavior that may indicate adversarial presence within the environment. |
|
| Enterprise | T1555 | Credentials from Password Stores |
Monitor for API calls and CLI commands that attempt to enumerate and fetch credential material from cloud secrets managers, such as |
|
| .006 | Cloud Secrets Management Stores |
Monitor for API calls and CLI commands that attempt to enumerate and fetch credential material from the secrets manager, such as |
||
| Enterprise | T1046 | Network Service Discovery |
Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.Normal, benign system and network events that look like cloud service discovery may be uncommon, depending on the environment and how they are used. Monitor cloud service usage for anomalous behavior that may indicate adversarial presence within the environment. |
|
Contextual data about a cloud service and activity around it such as name, type, or purpose/function
Contextual data about a cloud service and activity around it such as name, type, or purpose/function
| Domain | ID | Name | Detects | |
|---|---|---|---|---|
| Enterprise | T1578 | Modify Cloud Compute Infrastructure |
Monitor for quota increases across all regions, especially multiple quota increases in a short period of time or quota increases in unused regions. Monitor for changes to tenant-level settings such as subscriptions and enabled regions.[6] |
|
Changes made to a cloud service, including its settings and/or data (ex: AWS CloudTrail DeleteTrail or DeleteConfigRule)
Changes made to a cloud service, including its settings and/or data (ex: AWS CloudTrail DeleteTrail or DeleteConfigRule)
| Domain | ID | Name | Detects | |
|---|---|---|---|---|
| Enterprise | T1546 | Event Triggered Execution |
Monitor the creation and modification of cloud resources that may be abused for persistence, such as functions and workflows monitoring cloud events. |
|
| Enterprise | T1562 | Impair Defenses |
Monitor changes made to cloud services for unexpected modifications to settings and/or data. |
|
| .008 | Disable or Modify Cloud Logs |
Monitor changes made to cloud services for unexpected modifications to settings and/or data |
||
| Enterprise | T1556 | Modify Authentication Process |
Monitor for changes made to conditional access policies used by SaaS identity providers and internal IaaS identity and access management systems. |
|
| .009 | Conditional Access Policies |
Monitor for changes made to conditional access policies used by SaaS identity providers and internal IaaS identity and access management systems. |
||
| Enterprise | T1578 | .005 | Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations |
Monitor for quota increases across all regions, especially multiple quota increases in a short period of time or quota increases in unused regions. Monitor for changes to tenant-level settings such as subscriptions and enabled regions.[6] |
| Enterprise | T1648 | Serverless Execution |
Monitor the creation and modification of serverless resources such as functions and workflows. |
|