Initial construction of a cloud volume (ex: AWS create-volume)

Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1578 | Modify Cloud Compute Infrastructure | Monitor for the unexpected creation or presence of cloud block storage volumes. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.
Removal of a cloud volume (ex: AWS delete-volume)

Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1485 | Data Destruction | Monitor for unexpected deletion of a cloud volume (ex: AWS
Enterprise | T1578 | Modify Cloud Compute Infrastructure | Monitor for the unexpected deletion or absence of cloud block storage volumes. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.
An extracted list of available volumes within a cloud environment (ex: AWS describe-volumes)

Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1580 | Cloud Infrastructure Discovery | Monitor cloud logs for API calls and other potentially unusual activity related to block object storage enumeration. Discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.
Contextual data about a cloud volume and activity around it, such as id, type, state, and size

Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1578 | Modify Cloud Compute Infrastructure | Periodically baseline cloud block storage volumes to identify malicious modifications or additions.
Changes made to a cloud volume, including its settings and control data (ex: AWS modify-volume)

Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1611 | Escape to Host | Monitor cluster-level (Kubernetes) data and events associated with changing containers' volume configurations.
Enterprise | T1578 | Modify Cloud Compute Infrastructure | Monitor for the unexpected changes to cloud block storage volumes. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.
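The creation, deletion, modification and enumeration guidance above all reduce to the same review over cloud audit records, so here is one added example (not part of ATT&CK or any vendor's tooling) that applies it to constructed CloudTrail-style events: volume mutations without the "known identifier" from change management are flagged, and a burst of `DescribeVolumes` calls by one principal is flagged as possible discovery. The `ChangeTicket` tag key, the `CHG-` ticket format, the role-session-name convention and the threshold of 10 calls are all assumptions a team would set for its own environment.

```python
import re
from collections import Counter

VOLUME_MUTATIONS = {"CreateVolume", "DeleteVolume", "ModifyVolume"}   # T1578 / T1485
ENUMERATION = {"DescribeVolumes"}                                      # T1580
TICKET_RE = re.compile(r"CHG-\d+")   # assumed change-ticket format
ENUM_THRESHOLD = 10                  # assumed: DescribeVolumes calls per principal per batch

def change_ticket(event):
    """Return the change identifier attached to an event, or None.
    Assumed conventions: CreateVolume carries a 'ChangeTicket' tag in its tag
    specification; other calls carry the ticket in the role session name."""
    params = event.get("requestParameters") or {}
    for spec in params.get("tagSpecificationSet", {}).get("items", []):
        for tag in spec.get("tags", []):
            if tag.get("key") == "ChangeTicket" and TICKET_RE.fullmatch(tag.get("value", "")):
                return tag["value"]
    match = TICKET_RE.search(event.get("userIdentity", {}).get("arn", ""))
    return match.group(0) if match else None

def review_volume_events(events):
    """Flag volume changes without a change identifier and bursts of volume
    enumeration by a single principal; returns a list of finding strings."""
    findings, enum_counts = [], Counter()
    for ev in events:
        name = ev.get("eventName")
        principal = ev.get("userIdentity", {}).get("arn", "?")
        if name in VOLUME_MUTATIONS and change_ticket(ev) is None:
            vol = (ev.get("requestParameters") or {}).get("volumeId", "new volume")
            findings.append(f"{name} of {vol} by {principal}: no change identifier")
        elif name in ENUMERATION:
            enum_counts[principal] += 1
    for principal, n in enum_counts.items():
        if n >= ENUM_THRESHOLD:
            findings.append(f"{n} DescribeVolumes calls by {principal}: possible discovery")
    return findings

# Constructed sample CloudTrail-style records (not real logs), trimmed to the fields used.
ROLE = "arn:aws:sts::111122223333:assumed-role"
SAMPLE_EVENTS = [
    {"eventName": "CreateVolume", "userIdentity": {"arn": f"{ROLE}/deploy/ci-runner"},
     "requestParameters": {"tagSpecificationSet": {"items": [
         {"tags": [{"key": "ChangeTicket", "value": "CHG-1042"}]}]}}},
    {"eventName": "DeleteVolume", "userIdentity": {"arn": f"{ROLE}/ops/alice"},
     "requestParameters": {"volumeId": "vol-0123456789abcdef0"}},
    {"eventName": "ModifyVolume", "userIdentity": {"arn": f"{ROLE}/deploy/CHG-1043"},
     "requestParameters": {"volumeId": "vol-0123456789abcdef0", "size": 500}},
] + [{"eventName": "DescribeVolumes", "userIdentity": {"arn": f"{ROLE}/ops/alice"},
      "requestParameters": {}} for _ in range(12)]
```

Running `review_volume_events(SAMPLE_EVENTS)` yields two findings: the untagged `DeleteVolume` by the ops user and that user's 12 `DescribeVolumes` calls; the tagged `CreateVolume` and the ticketed `ModifyVolume` pass.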