T1526 |
PurposeAn adversary may attempt to enumerate the cloud services running on a system after gaining access, which can be platform-as-a-service (PaaS), infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. Azure tools and APIs (Azure AD Graph API and Azure Resource Manager API) can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity. Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services. Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services. | Included alertsSecOpsGCPGCSBucketEnumerated SecOpsGCPKubernetesClusterPodScanDetection SecOpsAWSIAMUserGeneratingAccessDeniedErrorsAcrossMultipleActions
| Prerequisites |
T1531 |
PurposeAdversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users (delete, lock or manipulate) to subsequently log off and/or perform a System Shutdown/Reboot to set malicious changes into place. In Windows, Net utility (Set-LocalUser) and PowerShell cmdlets (Set-ADAccountPassword) may be used by adversaries to modify user accounts. In Linux, the passwd utility may be used to change passwords. Accounts could also be disabled by Group Policy. Adversaries who use ransomware or similar attacks may first perform this and other Impact behaviors, such as Data Destruction and Defacement, in order to impede incident response/recovery before completing the Data Encrypted for Impact objective. | Included alertsSecOpsGCPIAMCustomRoleDeletion SecOpsGCPIAMServiceAccountDisabled SecOpsGCPIAMServiceAccountDeletion SecOpsAWSIAMDeletePolicy SecOpsAwsKmsKeyDeletion SecOpsAwsMasterKeyDisabledOrDeletion SecOpsAWSIamSuccessfulGroupDeletion
| Prerequisites |
T1537 |
PurposeAdversaries may exfiltrate data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection. This is because a defender who is monitoring data transfers may not be watching for transfers within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces. | Included alertsSecOpsGCPLoggingSinkModification
| Prerequisites |
T1548 |
PurposeAdversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system | Included alertsSecOpsLinuxSetuiSecapUtility SecOpsLinuxNOPASSWDSudoers SecOpsLinuxDoasToolExec SecOpsLinuxDoasConfigCreate SecOpsLinuxSudoFileModification SecOpsLinuxSetuidUsingChmod SecOpsBypassUserAccountControl
| Prerequisites |
T1552 |
PurposeAdversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (Bash History), operating system or application-specific repositories (Credentials in Registry), or other specialized files/artifacts (Private Keys). | Included alertsSecOpsAzureDevOpsSecretNotSecured SecOpsGCPSecretsManagerHighActivity SecOpsAWSSecretsManagerSensitiveAdminActionObserved SecOpsAwsGetSecretFromNonAmazonIp SecOpsWinWifiCredHarvestNetsh
| Prerequisites |
T1553 |
Purpose | Included alerts | Prerequisites |
