Instance

A virtual server environment which runs workloads, hosted on-premise or by third-party cloud providers[1][2]

ID: DS0030
Platform: IaaS
Collection Layer: Cloud Control Plane
Version: 1.0
Created: 20 October 2021
Last Modified: 20 October 2021

Data Components

Instance: Instance Creation

Initial construction of a new instance (ex: instance.insert within GCP Audit Logs)

Domain ID Name Detects
Enterprise T1578 Modify Cloud Compute Infrastructure

The creation of a new instance or VM is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, the creation of an instance by a new user account or the unexpected creation of one or more snapshots followed by the creation of an instance may indicate suspicious activity.

In AWS, CloudTrail logs capture the creation of an instance in the RunInstances event, and in Azure the creation of a VM may be captured in Azure activity logs.[3] [4] Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances create to create a VM.[5]

.002 Create Cloud Instance

The creation of a new instance or VM is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, the creation of an instance by a new user account or the unexpected creation of one or more snapshots followed by the creation of an instance may indicate suspicious activity.

In AWS, CloudTrail logs capture the creation of an instance in the RunInstances event, and in Azure the creation of a VM may be captured in Azure activity logs.[3] [4] Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances create to create a VM.[5]

Analytic 1 - Operations performed by unexpected initiators, unusual resource names, frequent modifications

index="azure_activity_logs" (OperationName="Create or Update Virtual Machine" OR OperationName="Create or Update Virtual Machine Extension")
| where Resource LIKE "Microsoft.Compute/virtualMachines%" AND (Status!="Succeeded" OR InitiatorName!="expected_initiator")
| stats count, min(_time) AS first_seen, max(_time) AS last_seen by InitiatorName, Resource
| sort -last_seen

Enterprise T1535 Unused/Unsupported Cloud Regions

Monitor system logs to review instance activities occurring across all cloud environments and regions.

Enterprise T1204 User Execution

Monitor for newly constructed instances that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.

.003 Malicious Image

Monitor for newly constructed instances that may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior.

Instance: Instance Deletion

Removal of an instance (ex: instance.delete within GCP Audit Logs)

Domain ID Name Detects
Enterprise T1485 Data Destruction

Monitor for unexpected deletion of a virtual machine or database instance (ex: instance.delete within GCP Audit Logs, DeleteDBInstance in AWS)

Enterprise T1578 Modify Cloud Compute Infrastructure

The deletion of an instance or virtual machine is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, detecting a sequence of events such as the creation of an instance, mounting of a snapshot to that instance, and deletion of that instance by a new user account may indicate suspicious activity.

In AWS, CloudTrail logs capture the deletion of an instance in the TerminateInstances event, and in Azure the deletion of a VM may be captured in Azure activity logs.[3] [4] Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances delete to delete a VM.[5]

.003 Delete Cloud Instance

The deletion of an instance or virtual machine is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, detecting a sequence of events such as the creation of an instance, mounting of a snapshot to that instance, and deletion of that instance by a new user account may indicate suspicious activity.

In AWS, CloudTrail logs capture the deletion of an instance in the TerminateInstances event, and in Azure the deletion of a VM may be captured in Azure activity logs.[3] [4] Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances delete to delete a VM.[5]
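The chain-of-behavior checks described for instance creation and deletion above (instance launched by an account outside the usual creator set, snapshot shortly before a launch, launch followed by a volume attach and a termination), as an added example that is not part of the ATT&CK page. The records are constructed and flattened; the event names RunInstances, TerminateInstances, CreateSnapshot and AttachVolume are the CloudTrail names, while the creator baseline and the one-hour window are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, flattened CloudTrail-style records (real records nest the
# instance id under responseElements; only the event names are real here).
SAMPLE_EVENTS = [
    {"eventTime": "2021-10-20T10:00:00Z", "eventName": "RunInstances", "user": "ci-deployer"},
    {"eventTime": "2021-10-20T08:00:00Z", "eventName": "CreateSnapshot", "user": "ops-admin"},
    {"eventTime": "2021-10-20T15:00:00Z", "eventName": "RunInstances", "user": "ops-admin"},
    {"eventTime": "2021-10-20T11:00:00Z", "eventName": "CreateSnapshot", "user": "new-user-7"},
    {"eventTime": "2021-10-20T11:10:00Z", "eventName": "RunInstances", "user": "new-user-7"},
    {"eventTime": "2021-10-20T11:15:00Z", "eventName": "AttachVolume", "user": "new-user-7"},
    {"eventTime": "2021-10-20T11:40:00Z", "eventName": "TerminateInstances", "user": "new-user-7"},
]
# Constructed baseline of accounts that normally launch instances (assumption).
KNOWN_CREATORS = {"ci-deployer", "ops-admin"}
WINDOW = timedelta(hours=1)  # how close two steps must be to count as one chain


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_chains(events, known_creators=KNOWN_CREATORS, window=WINDOW):
    """Return (principal, reason) findings built from per-principal event sequences."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        by_user[ev["user"]].append((_ts(ev["eventTime"]), ev["eventName"]))
    findings = []
    for user, seq in by_user.items():
        if user not in known_creators and any(n == "RunInstances" for _, n in seq):
            findings.append((user, "instance created by account outside creator baseline"))
        for i, (t_run, name) in enumerate(seq):
            if name != "RunInstances":
                continue
            # Snapshot creation within the window before the launch.
            before = [n for t, n in seq[:i] if t_run - t <= window]
            if "CreateSnapshot" in before:
                findings.append((user, "snapshot created shortly before instance creation"))
            # Launch, then a volume attached, then termination, all within the window.
            after = [n for t, n in seq[i + 1:] if t - t_run <= window]
            if "AttachVolume" in after and "TerminateInstances" in after[after.index("AttachVolume"):]:
                findings.append((user, "create -> attach volume -> terminate chain"))
    return findings


if __name__ == "__main__":
    for user, reason in find_suspicious_chains(SAMPLE_EVENTS):
        print(f"{user}: {reason}")
```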

Analytic 1 - Operations performed by unexpected initiators, unusual resource names, frequent deletions

index="azure_activity_logs" (OperationName="Delete Virtual Machine" OR OperationName="Delete Disk" OR OperationName="Delete Role Assignment")
| where Resource LIKE "Microsoft.Compute/virtualMachines%" AND (Status!="Succeeded" OR InitiatorName!="expected_initiator")
| stats count, min(_time) AS first_seen, max(_time) AS last_seen by InitiatorName, Resource
| sort -last_seen

Instance: Instance Enumeration

An extracted list of instances within a cloud environment (ex: instance.list within GCP Audit Logs)

Domain ID Name Detects
Enterprise T1580 Cloud Infrastructure Discovery

Monitor cloud logs for API calls and other potentially unusual activity related to cloud instance enumeration. Discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.

Instance: Instance Metadata

Contextual data about an instance and activity around it such as name, type, or status

Domain ID Name Detects
Enterprise T1578 Modify Cloud Compute Infrastructure

Periodically baseline instances to identify malicious modifications or additions.

.002 Create Cloud Instance

Periodically baseline instances to identify malicious modifications or additions.

.003 Delete Cloud Instance

Periodically baseline instances to identify malicious modifications or additions.

.004 Revert Cloud Instance

Periodically baseline instances to identify malicious modifications or additions.

Enterprise T1535 Unused/Unsupported Cloud Regions

Monitor and consider configuring alerting to notify of activity in normally unused regions or if the number of instances active in a region goes above a certain threshold.
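The periodic baselining of instance metadata and the region checks described above (additions, removals and modifications against a stored baseline; activity in normally unused regions; a per-region instance count above a threshold), as an added example that is not part of the ATT&CK page. The two inventories, the approved-region set and the threshold are constructed assumptions.

```python
from collections import Counter

# Constructed inventory captured at the last baselining run: id -> metadata.
BASELINE = {
    "i-web-1": {"type": "t3.medium", "status": "running", "region": "us-east-1"},
    "i-web-2": {"type": "t3.medium", "status": "running", "region": "us-east-1"},
    "i-db-1": {"type": "r5.large", "status": "running", "region": "us-east-1"},
}
# Constructed current inventory: one instance resized, one gone, two new ones in
# a region the organisation does not normally use.
CURRENT = {
    "i-web-1": {"type": "t3.medium", "status": "running", "region": "us-east-1"},
    "i-db-1": {"type": "r5.4xlarge", "status": "running", "region": "us-east-1"},
    "i-new-1": {"type": "p3.8xlarge", "status": "running", "region": "ap-south-1"},
    "i-new-2": {"type": "p3.8xlarge", "status": "running", "region": "ap-south-1"},
}
APPROVED_REGIONS = {"us-east-1"}  # assumption: regions the organisation operates in
MAX_PER_REGION = 3                # assumption: alert above this many running instances


def diff_inventory(baseline, current):
    """Compare two inventories; 'changed' maps id -> {field: (old, new)}."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for iid in set(baseline) & set(current):
        delta = {k: (baseline[iid][k], current[iid][k])
                 for k in baseline[iid] if baseline[iid][k] != current[iid].get(k)}
        if delta:
            changed[iid] = delta
    return {"added": added, "removed": removed, "changed": changed}


def region_alerts(current, approved=APPROVED_REGIONS, max_per_region=MAX_PER_REGION):
    """Flag running instances in unused regions and regions over the threshold."""
    counts = Counter(m["region"] for m in current.values() if m["status"] == "running")
    alerts = []
    for region, n in sorted(counts.items()):
        if region not in approved:
            alerts.append(f"{n} running instance(s) in unused region {region}")
        if n > max_per_region:
            alerts.append(f"{region} exceeds threshold ({n} > {max_per_region})")
    return alerts


if __name__ == "__main__":
    print(diff_inventory(BASELINE, CURRENT))
    print(region_alerts(CURRENT))
```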

Instance: Instance Modification

Changes made to an instance, including its settings and/or control data (ex: instance.addResourcePolicies or instances.setMetadata within GCP Audit Logs)

Domain ID Name Detects
Enterprise T1578 Modify Cloud Compute Infrastructure

Establish centralized logging of instance activity, which can be used to monitor and review system events even after reverting to a snapshot, rolling back changes, or changing persistence/type of storage. Monitor specifically for snapshot, rollback and VM configuration change events that occur outside of normal activity. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.

.004 Revert Cloud Instance

Establish centralized logging of instance activity, which can be used to monitor and review system events even after reverting to a snapshot, rolling back changes, or changing persistence/type of storage. Monitor specifically for snapshot, rollback and VM configuration change events that occur outside of normal activity. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.

Instance: Instance Start

Activation or invocation of an instance (ex: instance.start within GCP Audit Logs)

Domain ID Name Detects
Enterprise T1578 Modify Cloud Compute Infrastructure

Establish centralized logging of instance activity, which can be used to monitor and review system events even after reverting to a snapshot, rolling back changes, or changing persistence/type of storage. Monitor specifically for events related to activation of instances that are occurring outside of normal activity/planned operations. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.

.004 Revert Cloud Instance

Establish centralized logging of instance activity, which can be used to monitor and review system events even after reverting to a snapshot, rolling back changes, or changing persistence/type of storage. Monitor specifically for events related to activation of instances that are occurring outside of normal activity/planned operations. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.

Enterprise T1204 User Execution

Monitor for the activation or invocation of an instance (ex: instance.start within GCP Audit Logs)

.003 Malicious Image

Monitor for the activation or invocation of an instance (ex: instance.start within GCP Audit Logs)

Instance: Instance Stop

Deactivation or stoppage of an instance (ex: instance.stop within GCP Audit Logs)

Domain ID Name Detects
Enterprise T1578 Modify Cloud Compute Infrastructure

Establish centralized logging of instance activity, which can be used to monitor and review system events even after reverting to a snapshot, rolling back changes, or changing persistence/type of storage. Monitor specifically for events related to deactivation of instances that are occurring outside of planned operations. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.

.004 Revert Cloud Instance

Establish centralized logging of instance activity, which can be used to monitor and review system events even after reverting to a snapshot, rolling back changes, or changing persistence/type of storage. Monitor specifically for events related to deactivation of instances that are occurring outside of planned operations. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.
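The change-management identifier approach recommended for Instance Modification, Instance Start and Instance Stop above, as an added example that is not part of the ATT&CK page: each logged modification, start or stop is checked against a register of approved changes, and only actions outside an approved change's window, covering a method the change does not authorise, or carrying no or an unknown change id are surfaced. The events are constructed in the style of GCP Admin Activity logs (methodName values of the form v1.compute.instances.*); the change_id label, the ticket format and the approved-change register are assumptions, since how a change id is attached depends on the provider.

```python
import re

CHANGE_ID_RE = re.compile(r"^CHG-\d{6}$")  # assumed ticket-number format

# Constructed approved-change register: id -> (window start, window end, covered methods).
APPROVED_CHANGES = {
    "CHG-004211": ("2021-10-20T01:00:00Z", "2021-10-20T03:00:00Z",
                   {"v1.compute.instances.stop", "v1.compute.instances.start"}),
}

# Constructed Admin Activity-style events; `labels.change_id` is the assumed
# place where the change process records the ticket id.
SAMPLE_EVENTS = [
    {"timestamp": "2021-10-20T01:10:00Z", "methodName": "v1.compute.instances.stop",
     "principal": "ops@example.com", "labels": {"change_id": "CHG-004211"}},
    {"timestamp": "2021-10-20T01:20:00Z", "methodName": "v1.compute.instances.start",
     "principal": "ops@example.com", "labels": {"change_id": "CHG-004211"}},
    {"timestamp": "2021-10-20T14:00:00Z", "methodName": "v1.compute.instances.setMetadata",
     "principal": "ops@example.com", "labels": {"change_id": "CHG-004211"}},
    {"timestamp": "2021-10-20T22:30:00Z", "methodName": "v1.compute.instances.stop",
     "principal": "svc-backup@example.com", "labels": {}},
    {"timestamp": "2021-10-20T22:35:00Z", "methodName": "v1.compute.instances.start",
     "principal": "svc-backup@example.com", "labels": {"change_id": "CHG-999999"}},
]


def classify(event, approved=APPROVED_CHANGES):
    """Say whether an instance change is covered by an approved change, and if not, why."""
    cid = event.get("labels", {}).get("change_id")
    if not cid:
        return "no change id"
    if not CHANGE_ID_RE.match(cid) or cid not in approved:
        return "unknown change id"
    start, end, methods = approved[cid]
    if not start <= event["timestamp"] <= end:  # RFC 3339 UTC strings compare lexically
        return "outside change window"
    if event["methodName"] not in methods:
        return "method not covered by change"
    return "expected"


def unexpected_changes(events, approved=APPROVED_CHANGES):
    """Events that change management cannot account for, with the reason."""
    out = []
    for ev in events:
        verdict = classify(ev, approved)
        if verdict != "expected":
            out.append((ev["principal"], ev["methodName"], verdict))
    return out


if __name__ == "__main__":
    for principal, method, verdict in unexpected_changes(SAMPLE_EVENTS):
        print(f"{principal} {method}: {verdict}")
```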

References