The initial provisioning of block storage volumes in cloud or on-prem environments, typically used for data storage, backup, or workload scaling.

Data Collection Measures:

- AWS CloudTrail
  - `CreateVolume` – Logs the creation of new Amazon Elastic Block Store (EBS) volumes.
  - `RunInstances` – Instance launches create the root volume (and any block-device mappings) implicitly; correlate with `CreateVolume` records to detect automatic volume provisioning.
- Azure Activity Log
  - `Microsoft.Compute/disks/write` – Captures creation of new managed disks.
  - `Microsoft.Storage/storageAccounts/write` – Captures creation of new storage accounts, which host unmanaged disks (page blobs) alongside other Blob storage; a storage account is not itself a block volume, so treat this as a supporting signal.
- Google Cloud Audit Logs
  - `compute.disks.insert` – Tracks new persistent disk creation (logged as `protoPayload.methodName`, with an API version prefix such as `v1.`).
  - `compute.instances.attachDisk` – Logs attachment of a volume to a running VM.
- OpenStack
  - `volume.create` / `cinder.volume.create` – Captures new Cinder block storage volume provisioning.
- Linux hosts
  - `/var/log/syslog` & `/var/log/messages` – Kernel and udev messages for newly attached block devices and new mount points (`journalctl -k` on systemd hosts).
  - `dmesg` – Identifies kernel messages for volume attachment. The kernel does not log a literal "new disk" string; search for the SCSI/NVMe attach messages instead, e.g. `dmesg | grep -iE "attached scsi disk|nvme"`.
  - `mkfs` – Filesystem creation (`mkfs.ext4`, `mkfs.xfs`, ...) on a freshly provisioned volume. `mkfs` does not write to syslog, so capture it through auditd `execve` rules or command-line auditing.

Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1578 | Modify Cloud Compute Infrastructure | Monitor for the unexpected creation or presence of cloud block storage volumes. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.
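The tag-based check that the T1578 row recommends, written out as an added example (this is not code from the ATT&CK page or from any cloud provider): a small Python pass over constructed CloudTrail-style records that flags `CreateVolume` calls lacking an assumed change-management tag and separately surfaces `RunInstances` launches that provision volumes implicitly. The record layout approximates CloudTrail's (`requestParameters.tagSpecificationSet.items[].tags[]`, `requestParameters.blockDeviceMapping.items[].ebs`); the tag name `ChangeTicket`, the ARNs, volume IDs and timestamps are all constructed for the example.

```python
import json

# Assumed name of the tag that change management stamps on approved volumes.
CHANGE_TAG = "ChangeTicket"

# Constructed records approximating CloudTrail's field layout (not real log data).
SAMPLE_RECORDS = [
    {"eventName": "CreateVolume", "eventSource": "ec2.amazonaws.com",
     "eventTime": "2024-05-01T10:00:00Z",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/deploy-role/ci"},
     "requestParameters": {"size": "100", "availabilityZone": "us-east-1a", "volumeType": "gp3",
                           "tagSpecificationSet": {"items": [{"resourceType": "volume",
                               "tags": [{"key": "ChangeTicket", "value": "CHG-4711"}]}]}},
     "responseElements": {"volumeId": "vol-0a1b2c3d4e5f60001"}},
    {"eventName": "CreateVolume", "eventSource": "ec2.amazonaws.com",
     "eventTime": "2024-05-01T10:05:00Z",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"size": "500", "availabilityZone": "us-east-1a", "volumeType": "gp2"},
     "responseElements": {"volumeId": "vol-0a1b2c3d4e5f60002"}},
    {"eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
     "eventTime": "2024-05-01T10:06:00Z",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/asg-role/autoscaling"},
     "requestParameters": {"blockDeviceMapping": {"items": [
         {"deviceName": "/dev/xvda", "ebs": {"volumeSize": 8}},
         {"deviceName": "/dev/sdf", "ebs": {"volumeSize": 200}}]}},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}}},
]
SAMPLE_LINES = [json.dumps(r) for r in SAMPLE_RECORDS]


def volume_tags(record):
    """Flatten tagSpecificationSet from a CreateVolume request into {key: value}."""
    tags = {}
    spec = record.get("requestParameters", {}).get("tagSpecificationSet", {})
    for item in spec.get("items", []):
        if item.get("resourceType", "volume") == "volume":
            for tag in item.get("tags", []):
                tags[tag["key"]] = tag["value"]
    return tags


def review_volume_creations(lines, change_tag=CHANGE_TAG):
    """Return (untagged, implicit): explicit CreateVolume calls that lack the change tag,
    and RunInstances calls that provision EBS volumes as a side effect of the launch."""
    untagged, implicit = [], []
    for line in lines:
        rec = json.loads(line)
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        actor = rec.get("userIdentity", {}).get("arn", "<unknown>")
        name = rec.get("eventName")
        if name == "CreateVolume":
            if change_tag not in volume_tags(rec):
                untagged.append({
                    "volumeId": rec.get("responseElements", {}).get("volumeId"),
                    "actor": actor,
                    "size": rec.get("requestParameters", {}).get("size"),
                    "time": rec.get("eventTime")})
        elif name == "RunInstances":
            # Each block-device mapping with an 'ebs' section yields a new volume. The
            # matching CreateVolume record must be tied back to this launch by time and
            # instance, which is the correlation the data collection notes call for.
            devices = [d["deviceName"] for d in rec.get("requestParameters", {})
                       .get("blockDeviceMapping", {}).get("items", []) if "ebs" in d]
            instances = [i["instanceId"] for i in rec.get("responseElements", {})
                         .get("instancesSet", {}).get("items", [])]
            if devices:
                implicit.append({"actor": actor, "instances": instances, "devices": devices})
    return untagged, implicit


if __name__ == "__main__":
    untagged, implicit = review_volume_creations(SAMPLE_LINES)
    for f in untagged:
        print("volume created without change tag:", f)
    for f in implicit:
        print("volumes created implicitly by RunInstances:", f)
```

The tag has to be supplied in the `CreateVolume` request itself; a tag added afterwards with `CreateTags` shows up as a separate event and would not satisfy this check, which is the point of making the change identifier part of the provisioning call.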
The removal of a cloud-based or on-premise block storage volume. This action permanently deletes the allocated storage and may result in data loss if the volume has not been snapshotted or backed up.

Data Collection Measures:

- AWS CloudTrail
  - `eventName: DeleteVolume` – Tracks volume deletions. A denied attempt is still recorded, with an `errorCode` (e.g. `Client.UnauthorizedOperation`) and the caller in `userIdentity`.
- Azure Activity Log
  - `operationName: Microsoft.Compute/disks/delete` – Tracks managed disk deletions.
  - `status: Success | Failure` – Flag failed attempts, which can indicate an unauthorized delete.
- Google Cloud Audit Logs
  - `protoPayload.methodName: "v1.compute.disks.delete"` – Tracks persistent disk deletions.
  - `protoPayload.authenticationInfo.principalEmail` – Identifies the user or service account deleting the volume.
- Linux hosts
  - `/var/log/syslog` or `/var/log/messages` – Kernel and udev messages for volume detach/deletion actions.

Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1485 | Data Destruction | Monitor for unexpected deletion of a cloud volume (ex: AWS
Enterprise | T1578 | Modify Cloud Compute Infrastructure | Monitor for the unexpected deletion or absence of cloud block storage volumes. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.
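The three providers record the same action (a volume delete, its outcome and its caller) under different field names, so a detection usually starts by normalizing them. The following is an added example, not code from the ATT&CK page or any provider SDK: it maps constructed CloudTrail, Azure Activity Log and Google Cloud Audit Log records onto one common record and then applies the two checks from the measures above (failed delete attempts, and successful deletes by a principal outside an assumed approved-automation list). Field names follow the providers' documented layouts as closely as I know them but should be treated as approximations; the principal names, resource IDs and the `APPROVED_DELETERS` list are constructed.

```python
import json

# Substrings identifying principals that are expected to delete volumes (assumed).
APPROVED_DELETERS = ("assumed-role/lifecycle-role/", "lifecycle-sa@", "lifecycle-sp")

# Constructed records approximating each provider's audit-log layout (not real logs).
SAMPLE_LINES = [
    # AWS CloudTrail: successful DeleteVolume by an interactive user
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "DeleteVolume",
                "eventTime": "2024-05-02T08:00:00Z",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
                "requestParameters": {"volumeId": "vol-0a1b2c3d4e5f60002"}}),
    # AWS CloudTrail: DeleteVolume denied by IAM (still logged, with errorCode)
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "DeleteVolume",
                "eventTime": "2024-05-02T08:01:00Z",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
                "requestParameters": {"volumeId": "vol-0a1b2c3d4e5f60001"},
                "errorCode": "Client.UnauthorizedOperation",
                "errorMessage": "You are not authorized to perform this operation."}),
    # Azure Activity Log: disk delete by the approved lifecycle service principal
    json.dumps({"operationName": "MICROSOFT.COMPUTE/DISKS/DELETE", "resultType": "Success",
                "time": "2024-05-02T08:02:00Z", "caller": "lifecycle-sp",
                "resourceId": "/subscriptions/0000/resourceGroups/rg1/providers/"
                              "Microsoft.Compute/disks/data01"}),
    # Google Cloud Audit Log: disk delete rejected with PERMISSION_DENIED
    json.dumps({"timestamp": "2024-05-02T08:03:00Z",
                "protoPayload": {"methodName": "v1.compute.disks.delete",
                                 "authenticationInfo": {"principalEmail": "carol@example.com"},
                                 "resourceName": "projects/p1/zones/us-central1-a/disks/disk-1",
                                 "status": {"code": 7, "message": "PERMISSION_DENIED"}}}),
]


def normalize(rec):
    """Map a provider-specific delete event onto one common record; None if not a delete."""
    if rec.get("eventName") == "DeleteVolume":
        return {"cloud": "aws", "time": rec.get("eventTime"),
                "actor": rec.get("userIdentity", {}).get("arn", ""),
                "resource": rec.get("requestParameters", {}).get("volumeId"),
                "success": "errorCode" not in rec,
                "error": rec.get("errorCode")}
    if rec.get("operationName", "").upper() == "MICROSOFT.COMPUTE/DISKS/DELETE":
        ok = rec.get("resultType") == "Success"
        return {"cloud": "azure", "time": rec.get("time"), "actor": rec.get("caller", ""),
                "resource": rec.get("resourceId"),
                "success": ok, "error": None if ok else rec.get("resultType")}
    pp = rec.get("protoPayload", {})
    if pp.get("methodName") == "v1.compute.disks.delete":
        status = pp.get("status", {})   # absent on success; code != 0 on failure
        return {"cloud": "gcp", "time": rec.get("timestamp"),
                "actor": pp.get("authenticationInfo", {}).get("principalEmail", ""),
                "resource": pp.get("resourceName"),
                "success": status.get("code", 0) == 0,
                "error": status.get("message")}
    return None


def review_volume_deletions(lines, approved=APPROVED_DELETERS):
    """Alert on deletes that failed (possible unauthorized attempt) and on deletes that
    succeeded from a principal that is not part of the approved automation."""
    alerts = []
    for line in lines:
        ev = normalize(json.loads(line))
        if ev is None:
            continue
        if not ev["success"]:
            alerts.append({**ev, "reason": f"failed delete ({ev['error']})"})
        elif not any(marker in ev["actor"] for marker in approved):
            alerts.append({**ev, "reason": "successful delete by non-approved principal"})
    return alerts


if __name__ == "__main__":
    for alert in review_volume_deletions(SAMPLE_LINES):
        print(alert["cloud"], alert["actor"], alert["resource"], "->", alert["reason"])
```

Failed attempts matter as much as successes here: a principal probing `DeleteVolume` and being denied is the earliest visible sign of a destruction attempt, and every provider above keeps the caller identity on the denied record.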
An extracted list of available volumes within a cloud environment (ex: AWS describe-volumes)

Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1580 | Cloud Infrastructure Discovery | Monitor cloud logs for API calls and other potentially unusual activity related to block storage volume enumeration. Discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.
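The T1580 row's advice to treat enumeration as one link in a chain can be implemented as a stateful correlation: remember when each principal last enumerated volumes, and raise a finding when the same principal follows up with a snapshot, detach, modify or delete within a window. Below is an added example of that logic (not code from the ATT&CK page) over constructed CloudTrail-style `DescribeVolumes` / `CreateSnapshot` / `DeleteVolume` records; the ARNs, volume IDs, timestamps and the 30-minute window are all assumptions. One caveat for real deployments: `DescribeVolumes` is a read-only management event, and trails configured to exclude read-only events will not contain it at all.

```python
import json
from datetime import datetime, timedelta

ENUMERATION = {"DescribeVolumes"}
FOLLOW_ON = {"DetachVolume", "DeleteVolume", "CreateSnapshot", "ModifyVolume",
             "ModifyVolumeAttribute"}
WINDOW = timedelta(minutes=30)   # assumed correlation window

# Constructed principals (not real accounts).
ALICE = "arn:aws:iam::111122223333:user/alice"
MONITOR = "arn:aws:sts::111122223333:assumed-role/monitoring-role/collector"
LIFECYCLE = "arn:aws:sts::111122223333:assumed-role/lifecycle-role/cleanup"


def _ev(time, arn, name, **params):
    """Build one constructed CloudTrail-style record as a JSON line."""
    return json.dumps({"eventSource": "ec2.amazonaws.com", "eventTime": time,
                       "eventName": name, "userIdentity": {"arn": arn},
                       "requestParameters": params,
                       "readOnly": name.startswith("Describe")})


SAMPLE_LINES = [
    _ev("2024-05-03T09:00:00Z", MONITOR, "DescribeVolumes"),      # routine collector poll
    _ev("2024-05-03T09:00:30Z", ALICE, "DescribeVolumes"),
    _ev("2024-05-03T09:01:00Z", ALICE, "DescribeVolumes"),
    _ev("2024-05-03T09:05:00Z", MONITOR, "DescribeVolumes"),
    _ev("2024-05-03T09:10:00Z", ALICE, "CreateSnapshot", volumeId="vol-0a1b2c3d4e5f60002"),
    _ev("2024-05-03T09:12:00Z", ALICE, "DeleteVolume", volumeId="vol-0a1b2c3d4e5f60002"),
    _ev("2024-05-03T09:30:00Z", LIFECYCLE, "DeleteVolume", volumeId="vol-0a1b2c3d4e5f60009"),
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate_enumeration(lines, window=WINDOW):
    """Return chains: follow-on volume actions by a principal that enumerated volumes
    within `window` beforehand. Records are processed in time order."""
    enum_times = {}   # actor -> list of DescribeVolumes timestamps
    chains = []
    records = sorted((json.loads(line) for line in lines), key=lambda r: r["eventTime"])
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        actor = rec.get("userIdentity", {}).get("arn", "<unknown>")
        t = parse_time(rec["eventTime"])
        name = rec["eventName"]
        if name in ENUMERATION:
            enum_times.setdefault(actor, []).append(t)
        elif name in FOLLOW_ON:
            recent = [e for e in enum_times.get(actor, []) if timedelta(0) <= t - e <= window]
            if recent:
                chains.append({
                    "actor": actor,
                    "action": name,
                    "resource": rec.get("requestParameters", {}).get("volumeId"),
                    "enumerations": len(recent),
                    "minutes_since_first_enum": (t - recent[0]).total_seconds() / 60})
    return chains


if __name__ == "__main__":
    for chain in correlate_enumeration(SAMPLE_LINES):
        print(chain)
```

The monitoring role enumerates constantly but never acts, so it produces nothing; the lifecycle role deletes without having enumerated, so it is left to the deletion checks. Only the principal that listed volumes and then snapshotted and deleted one is surfaced, which is the chain the row describes.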
Contextual data about a cloud volume and activity around it, such as id, type, state, and size

Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1578 | Modify Cloud Compute Infrastructure | Periodically baseline cloud block storage volumes to identify malicious modifications or additions.
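The baseline approach in the T1578 row reduces to saving the volume inventory at one point in time and diffing a later inventory against it on exactly the attributes listed above (id, type, state, size) plus encryption and attachments. The following is an added example, not code from the ATT&CK page or the AWS CLI: it diffs two constructed inventories in the shape of `aws ec2 describe-volumes` JSON output (`Volumes[].VolumeId`, `Size`, `VolumeType`, `State`, `Encrypted`, `Attachments[]`). The volume and instance IDs are constructed; in practice the baseline would be persisted between runs rather than embedded.

```python
import json

# Attributes compared between baselines; KmsKeyId is absent on unencrypted volumes.
FIELDS = ("Size", "VolumeType", "State", "Encrypted", "AvailabilityZone", "KmsKeyId")

# Constructed inventories in describe-volumes shape (not real output).
BASELINE = {"Volumes": [
    {"VolumeId": "vol-0a1b2c3d4e5f60001", "Size": 100, "VolumeType": "gp3", "State": "in-use",
     "Encrypted": True, "AvailabilityZone": "us-east-1a",
     "Attachments": [{"InstanceId": "i-0123456789abcdef0", "Device": "/dev/xvda",
                      "State": "attached"}]},
    {"VolumeId": "vol-0a1b2c3d4e5f60002", "Size": 500, "VolumeType": "gp2", "State": "available",
     "Encrypted": False, "AvailabilityZone": "us-east-1a", "Attachments": []},
    {"VolumeId": "vol-0a1b2c3d4e5f60003", "Size": 8, "VolumeType": "gp3", "State": "in-use",
     "Encrypted": True, "AvailabilityZone": "us-east-1a",
     "Attachments": [{"InstanceId": "i-0123456789abcdef1", "Device": "/dev/xvda",
                      "State": "attached"}]},
]}

CURRENT_STATE = {"Volumes": [
    # vol-...0001: same volume, now attached to a different instance
    {"VolumeId": "vol-0a1b2c3d4e5f60001", "Size": 100, "VolumeType": "gp3", "State": "in-use",
     "Encrypted": True, "AvailabilityZone": "us-east-1a",
     "Attachments": [{"InstanceId": "i-0123456789abcdef9", "Device": "/dev/xvda",
                      "State": "attached"}]},
    # vol-...0002 is gone (deleted)
    # vol-...0003: resized and retyped (what a ModifyVolume call would do)
    {"VolumeId": "vol-0a1b2c3d4e5f60003", "Size": 64, "VolumeType": "io2", "State": "in-use",
     "Encrypted": True, "AvailabilityZone": "us-east-1a",
     "Attachments": [{"InstanceId": "i-0123456789abcdef1", "Device": "/dev/xvda",
                      "State": "attached"}]},
    # vol-...0004: new, unencrypted, unattached
    {"VolumeId": "vol-0a1b2c3d4e5f60004", "Size": 200, "VolumeType": "gp3", "State": "available",
     "Encrypted": False, "AvailabilityZone": "us-east-1b", "Attachments": []},
]}


def snapshot(describe_output):
    """Reduce describe-volumes output to {VolumeId: comparable attribute dict}."""
    out = {}
    for v in describe_output["Volumes"]:
        entry = {f: v.get(f) for f in FIELDS}
        # Attachment identity is instance + device; order is irrelevant.
        entry["Attachments"] = sorted(f"{a['InstanceId']}:{a['Device']}"
                                      for a in v.get("Attachments", []))
        out[v["VolumeId"]] = entry
    return out


def diff_volumes(baseline, current):
    """Return added and removed volume IDs and, per surviving volume,
    {attribute: (old, new)} for every attribute that changed."""
    base, cur = snapshot(baseline), snapshot(current)
    added = sorted(set(cur) - set(base))
    removed = sorted(set(base) - set(cur))
    changed = {}
    for vid in sorted(set(base) & set(cur)):
        deltas = {k: (base[vid][k], cur[vid][k]) for k in base[vid] if base[vid][k] != cur[vid][k]}
        if deltas:
            changed[vid] = deltas
    return {"added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    print(json.dumps(diff_volumes(BASELINE, CURRENT_STATE), indent=2))
```

The attachment change on the first volume is the one to look at first: a data volume re-attached to an instance it never belonged to is how an existing volume gets read from a machine the attacker controls, and it leaves size, type and encryption untouched.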
Changes made to a cloud volume, including its settings and control data (ex: AWS modify-volume)

Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1611 | Escape to Host | Monitor cluster-level (Kubernetes) data and events associated with changing containers' volume configurations.
Enterprise | T1578 | Modify Cloud Compute Infrastructure | Monitor for the unexpected changes to cloud block storage volumes. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.
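For the T1611 row, the container volume configuration change that matters most is a pod gaining a `hostPath` volume on a sensitive part of the node filesystem, since mounting the host root or the container runtime socket is a direct route off the container. The following is an added example, not code from the ATT&CK page or from Kubernetes: it scans constructed Kubernetes audit events (the `audit.k8s.io/v1` layout with `verb`, `user`, `objectRef` and `requestObject`) for pod create/update requests and reports every container that mounts a `hostPath` under an assumed list of sensitive paths. The usernames, namespaces and pod names are constructed. `requestObject` is only present when the audit policy level for pods is `Request` or `RequestResponse`; at `Metadata` level the volume spec is not in the event and this check has nothing to inspect.

```python
import json

# Host paths whose exposure to a pod amounts to host access (assumed list; extend per cluster).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/sys", "/dev", "/var/run/docker.sock",
                        "/run/containerd", "/var/lib/kubelet")

# Constructed audit events approximating the audit.k8s.io/v1 layout (not real cluster logs).
SAMPLE_LINES = [
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
                "user": {"username": "dev-user"},
                "objectRef": {"resource": "pods", "namespace": "default", "name": "debug-shell"},
                "requestObject": {"spec": {
                    "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
                    "containers": [{"name": "shell", "image": "busybox",
                                    "securityContext": {"privileged": True},
                                    "volumeMounts": [{"name": "host-root",
                                                      "mountPath": "/host"}]}]}}}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
                "user": {"username": "system:serviceaccount:logging:fluentd"},
                "objectRef": {"resource": "pods", "namespace": "logging", "name": "fluentd-abc12"},
                "requestObject": {"spec": {
                    "volumes": [{"name": "varlog", "hostPath": {"path": "/var/log"}}],
                    "containers": [{"name": "fluentd", "image": "fluentd",
                                    "volumeMounts": [{"name": "varlog", "mountPath": "/var/log",
                                                      "readOnly": True}]}]}}}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
                "user": {"username": "dev-user"},
                "objectRef": {"resource": "pods", "namespace": "default", "name": "web"},
                "requestObject": {"spec": {
                    "volumes": [{"name": "scratch", "emptyDir": {}}],
                    "containers": [{"name": "web", "image": "nginx",
                                    "volumeMounts": [{"name": "scratch", "mountPath": "/tmp"}]}]}}}),
]


def is_sensitive(path, sensitive=SENSITIVE_HOST_PATHS):
    """True if `path` is one of the sensitive host paths or lies beneath one."""
    p = path.rstrip("/") or "/"
    if p == "/":
        return True
    for s in sensitive:
        s = s.rstrip("/")
        if s and (p == s or p.startswith(s + "/")):
            return True
    return False


def hostpath_findings(lines, sensitive=SENSITIVE_HOST_PATHS):
    """Report containers in pod create/update/patch requests that mount a sensitive hostPath."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        ref = ev.get("objectRef", {})
        if ref.get("resource") != "pods" or ev.get("verb") not in ("create", "update", "patch"):
            continue
        spec = ev.get("requestObject", {}).get("spec", {})
        hostpaths = {v["name"]: v["hostPath"]["path"]
                     for v in spec.get("volumes", []) if "hostPath" in v}
        if not hostpaths:
            continue
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            for m in c.get("volumeMounts", []):
                path = hostpaths.get(m["name"])
                if path is not None and is_sensitive(path, sensitive):
                    findings.append({
                        "namespace": ref.get("namespace"), "pod": ref.get("name"),
                        "user": ev.get("user", {}).get("username"),
                        "container": c["name"], "hostPath": path,
                        "mountPath": m.get("mountPath"), "readOnly": m.get("readOnly", False),
                        "privileged": c.get("securityContext", {}).get("privileged", False)})
    return findings


if __name__ == "__main__":
    for f in hostpath_findings(SAMPLE_LINES):
        print(f)
```

The log collector mounting `/var/log` read-only is deliberately outside the sensitive list so that a common legitimate pattern does not alert; the privileged pod with the host root mounted read-write is the case the row is about. The same audit stream carries `persistentvolumeclaims` and `persistentvolumes` writes, which can be checked against the same T1578 change-identifier idea with an annotation instead of a cloud tag.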