
T1526

Purpose

An adversary may attempt to enumerate the cloud services running on a system after gaining access. These services may be platform-as-a-service (PaaS), infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many such services exist across the various cloud providers, including Continuous Integration and Continuous Delivery (CI/CD) pipelines, AWS Lambda functions, Azure AD, and others.

Azure tools and APIs (the Azure AD Graph API and the Azure Resource Manager API) can enumerate the resources and services accessible to an identity, including applications, management groups, resources and policy definitions, and the relationships between them.

Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services.

Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.

Included alerts

  1. SecOpsGCPGCSBucketEnumerated

  2. SecOpsGCPKubernetesClusterPodScanDetection

  3. SecOpsAWSIAMUserGeneratingAccessDeniedErrorsAcrossMultipleActions
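
The third alert above looks for one principal accumulating AccessDenied errors across many API actions, the footprint of a stolen or over-curious credential probing which services it can reach. The following is an added example of that check run over constructed CloudTrail-style records; it is not the page's own alert logic, and the window and threshold are assumptions.

```python
"""Flag an IAM principal whose calls are denied across many distinct API actions.

Added example for this page; it is not the page's own alert logic. Field names
follow AWS CloudTrail (eventTime, eventSource, eventName, errorCode,
userIdentity.arn); the log lines are constructed and the threshold is an assumption.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumption: tune per environment
MIN_DISTINCT_ACTIONS = 5         # assumption

# Denial codes differ per service: most return AccessDenied, EC2 returns
# Client.UnauthorizedOperation.
DENIED_CODES = {"AccessDenied", "AccessDeniedException", "Client.UnauthorizedOperation"}

# Constructed CloudTrail-style records, one JSON object per line.
SAMPLE_LOG = """
{"eventTime":"2024-03-01T10:00:01Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev-ci"}}
{"eventTime":"2024-03-01T10:00:04Z","eventSource":"iam.amazonaws.com","eventName":"ListUsers","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev-ci"}}
{"eventTime":"2024-03-01T10:00:09Z","eventSource":"lambda.amazonaws.com","eventName":"ListFunctions20150331","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev-ci"}}
{"eventTime":"2024-03-01T10:00:15Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","errorCode":"Client.UnauthorizedOperation","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev-ci"}}
{"eventTime":"2024-03-01T10:00:22Z","eventSource":"secretsmanager.amazonaws.com","eventName":"ListSecrets","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev-ci"}}
{"eventTime":"2024-03-01T10:00:30Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev-ci"}}
{"eventTime":"2024-03-01T10:01:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::111122223333:user/app-reader"}}
{"eventTime":"2024-03-01T10:01:05Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::111122223333:user/app-reader"}}
{"eventTime":"2024-03-01T11:30:00Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev-ci"}}
"""


def parse_events(raw):
    """Parse newline-delimited JSON records into flattened events sorted by time."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        events.append({
            "time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "actor": rec.get("userIdentity", {}).get("arn", "<unknown>"),
            # service-qualified action, e.g. s3.amazonaws.com:ListBuckets
            "action": f'{rec["eventSource"]}:{rec["eventName"]}',
            "error": rec.get("errorCode"),
        })
    return sorted(events, key=lambda e: e["time"])


def find_denied_fanout(events, window=WINDOW, min_actions=MIN_DISTINCT_ACTIONS):
    """Per actor, slide a time window over the denied calls and report the first
    window holding at least min_actions distinct actions. Repeats of one denied
    action (a retry loop) do not count; breadth across actions does."""
    denied_by_actor = defaultdict(list)
    for e in events:
        if e["error"] in DENIED_CODES:
            denied_by_actor[e["actor"]].append(e)

    findings = []
    for actor, denied in denied_by_actor.items():
        start = 0
        for end in range(len(denied)):
            while denied[end]["time"] - denied[start]["time"] > window:
                start += 1
            distinct = {e["action"] for e in denied[start:end + 1]}
            if len(distinct) >= min_actions:
                findings.append({
                    "actor": actor,
                    "distinct_actions": sorted(distinct),
                    "first_seen": denied[start]["time"].isoformat(),
                    "last_seen": denied[end]["time"].isoformat(),
                })
                break
    return findings


if __name__ == "__main__":
    for f in find_denied_fanout(parse_events(SAMPLE_LOG)):
        print(f["actor"], len(f["distinct_actions"]), "distinct denied actions:", f["distinct_actions"])
```

Counting distinct actions rather than raw denials is what keeps a misconfigured application retrying one call out of the alert while a principal walking the service list still trips it.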

Prerequisites

  • Data sources
  • Lookups

T1531

Purpose

Adversaries may interrupt the availability of system and network resources by inhibiting access to accounts used by legitimate users. Accounts may be deleted, locked, or manipulated (for example by changing credentials) to remove access. Adversaries may then log off and/or perform a System Shutdown/Reboot so that the malicious changes take effect.

In Windows, the Net utility (net user) and the Set-LocalUser and Set-ADAccountPassword PowerShell cmdlets may be used by adversaries to modify user accounts. In Linux, the passwd utility may be used to change passwords. Accounts could also be disabled by Group Policy.

Adversaries who use ransomware or similar attacks may first perform this and other Impact behaviors, such as Data Destruction and Defacement, in order to impede incident response/recovery before completing the Data Encrypted for Impact objective.

Included alerts

  1. SecOpsGCPIAMCustomRoleDeletion

  2. SecOpsGCPIAMServiceAccountDisabled

  3. SecOpsGCPIAMServiceAccountDeletion

  4. SecOpsAWSIAMDeletePolicy

  5. SecOpsAwsKmsKeyDeletion

  6. SecOpsAwsMasterKeyDisabledOrDeletion

  7. SecOpsAWSIamSuccessfulGroupDeletion
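
The alerts above fire on individual IAM and KMS removal events in GCP and AWS. The added example below, which is not the page's own alert logic, normalises constructed CloudTrail and Cloud Audit Log records of such actions to one schema, drops the ones that failed, and flags an actor performing several of them in quick succession, the pattern described for ransomware operators. It also records that a KMS ScheduleKeyDeletion leaves the key recoverable until its pending window elapses. Thresholds are assumptions.

```python
"""Normalise AWS CloudTrail and GCP audit records of account/key removal and flag bursts.

Added example for this page, not the page's own alert logic. Records are constructed;
AWS fields follow CloudTrail, GCP fields follow Cloud Audit Logs (protoPayload.*).
Thresholds are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

BURST_WINDOW = timedelta(minutes=15)   # assumption
BURST_MIN_ACTIONS = 3                  # assumption

AWS_DESTRUCTIVE = {"DeletePolicy", "DeleteGroup", "DeleteUser", "DeleteRole",
                   "DisableKey", "ScheduleKeyDeletion"}
GCP_DESTRUCTIVE = {"google.iam.admin.v1.DeleteServiceAccount",
                   "google.iam.admin.v1.DisableServiceAccount",
                   "google.iam.admin.v1.DeleteRole"}

# Constructed records: four CloudTrail events (one of them failed) and two GCP
# audit entries (one of them denied).
SAMPLE_LOG = """
{"eventTime":"2024-03-01T02:10:00Z","eventSource":"iam.amazonaws.com","eventName":"DeletePolicy","requestParameters":{"policyArn":"arn:aws:iam::111122223333:policy/BackupOperator"},"userIdentity":{"arn":"arn:aws:iam::111122223333:user/backup-admin"}}
{"eventTime":"2024-03-01T02:11:30Z","eventSource":"iam.amazonaws.com","eventName":"DeleteGroup","errorCode":"DeleteConflict","requestParameters":{"groupName":"Operators"},"userIdentity":{"arn":"arn:aws:iam::111122223333:user/backup-admin"}}
{"eventTime":"2024-03-01T02:12:05Z","eventSource":"kms.amazonaws.com","eventName":"DisableKey","requestParameters":{"keyId":"arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"},"userIdentity":{"arn":"arn:aws:iam::111122223333:user/backup-admin"}}
{"eventTime":"2024-03-01T02:12:40Z","eventSource":"kms.amazonaws.com","eventName":"ScheduleKeyDeletion","requestParameters":{"keyId":"arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab","pendingWindowInDays":7},"userIdentity":{"arn":"arn:aws:iam::111122223333:user/backup-admin"}}
{"timestamp":"2024-03-01T02:20:11.482391Z","protoPayload":{"methodName":"google.iam.admin.v1.DisableServiceAccount","resourceName":"projects/-/serviceAccounts/ci-runner@prod-app.iam.gserviceaccount.com","authenticationInfo":{"principalEmail":"ops@example.com"}}}
{"timestamp":"2024-03-01T02:21:00.000000Z","protoPayload":{"methodName":"google.iam.admin.v1.DeleteRole","resourceName":"projects/prod-app/roles/customDeployer","status":{"code":7,"message":"PERMISSION_DENIED"},"authenticationInfo":{"principalEmail":"ops@example.com"}}}
"""


def parse_time(stamp):
    """CloudTrail writes whole seconds; GCP audit logs usually carry fractional seconds."""
    stamp = stamp.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in stamp else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(stamp, fmt)


def normalize(rec):
    """Return a common-schema event for a successful destructive action, else None."""
    if "protoPayload" in rec:                          # GCP Cloud Audit Log entry
        p = rec["protoPayload"]
        if p.get("methodName") not in GCP_DESTRUCTIVE:
            return None
        if p.get("status", {}).get("code", 0) != 0:    # non-zero gRPC code: call failed
            return None
        return {"time": parse_time(rec["timestamp"]),
                "actor": p["authenticationInfo"]["principalEmail"],
                "action": p["methodName"].rsplit(".", 1)[1],
                "target": p.get("resourceName", ""), "note": ""}
    if rec.get("eventName") not in AWS_DESTRUCTIVE or rec.get("errorCode"):
        return None                                    # AWS: any errorCode means it did not happen
    params = rec.get("requestParameters") or {}
    note = ""
    if rec["eventName"] == "ScheduleKeyDeletion":
        # KMS never deletes a key immediately: it stays recoverable via CancelKeyDeletion
        # until pendingWindowInDays (7 to 30, default 30) elapses, which is the responder's window.
        note = f"recoverable for {params.get('pendingWindowInDays', 30)} days"
    target = (params.get("keyId") or params.get("policyArn") or params.get("groupName")
              or params.get("userName") or params.get("roleName") or "")
    return {"time": parse_time(rec["eventTime"]), "actor": rec["userIdentity"]["arn"],
            "action": rec["eventName"], "target": target, "note": note}


def destructive_events(raw):
    """Parse newline-delimited JSON and keep the successful destructive actions, by time."""
    events = [normalize(json.loads(line)) for line in raw.splitlines() if line.strip()]
    return sorted((e for e in events if e), key=lambda e: e["time"])


def find_bursts(events, window=BURST_WINDOW, min_actions=BURST_MIN_ACTIONS):
    """One finding per actor whose min_actions-th destructive action falls within
    window of an earlier one; the events are already time-ordered."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e["actor"]].append(e)
    findings = []
    for actor, evs in by_actor.items():
        for i in range(len(evs) - min_actions + 1):
            if evs[i + min_actions - 1]["time"] - evs[i]["time"] <= window:
                findings.append({"actor": actor,
                                 "actions": [(e["action"], e["target"], e["note"])
                                             for e in evs[i:i + min_actions]]})
                break
    return findings


if __name__ == "__main__":
    evs = destructive_events(SAMPLE_LOG)
    for e in evs:
        print(e["time"], e["actor"], e["action"], e["target"], e["note"])
    print(find_bursts(evs))
```

Each normalised event is still a candidate for the per-event alerts listed above; the burst is the extra, higher-confidence signal layered on top. The failed DeleteGroup (DeleteConflict) and the denied DeleteRole are dropped deliberately, because an alert on attempted removals belongs to discovery or privilege probing, not to impact.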

Prerequisites

  • Data sources
  • Lookups

T1537

Purpose

Adversaries may exfiltrate data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection.

This is because a defender who is monitoring data transfers may not be watching for transfers within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.

Included alerts

  1. SecOpsGCPLoggingSinkModification
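
A Cloud Logging sink is one path by which a tenant's data, here its audit logs, can be redirected into a project the adversary controls while never leaving Google's network. The added example below (not the page's own alert logic) evaluates constructed Cloud Audit Log records for CreateSink, UpdateSink and DeleteSink and flags destinations outside the sink's own project and an assumed allowlist. It treats GCS bucket destinations separately, because a bucket name carries no project and so cannot be judged from the record alone.

```python
"""Evaluate Cloud Logging sink changes for destinations outside the organisation.

Added example for this page, not the page's own alert logic. The records are
constructed Cloud Audit Log entries for the Logging ConfigServiceV2 methods; the
allowlists are assumptions standing in for an inventory of owned projects and buckets.
"""
import re

TRUSTED_PROJECTS = {"prod-app", "sec-logging"}       # assumption
TRUSTED_BUCKETS = {"sec-logging-archive"}            # assumption

METHOD_PREFIX = "google.logging.v2.ConfigServiceV2."
SINK_METHODS = {"CreateSink", "UpdateSink", "DeleteSink"}

# Constructed Cloud Audit Log entries (request.sink follows the Logging API request shape).
SAMPLE_ENTRIES = [
    {"protoPayload": {"methodName": METHOD_PREFIX + "UpdateSink",
                      "resourceName": "projects/prod-app/sinks/security-export",
                      "authenticationInfo": {"principalEmail": "ops@example.com"},
                      "request": {"sinkName": "projects/prod-app/sinks/security-export",
                                  "sink": {"destination": "pubsub.googleapis.com/projects/ext-collector-4471/topics/ingest"}}}},
    {"protoPayload": {"methodName": METHOD_PREFIX + "CreateSink",
                      "resourceName": "projects/prod-app/sinks/archive",
                      "authenticationInfo": {"principalEmail": "ops@example.com"},
                      "request": {"sink": {"destination": "storage.googleapis.com/sec-logging-archive"}}}},
    {"protoPayload": {"methodName": METHOD_PREFIX + "UpdateSink",
                      "resourceName": "projects/prod-app/sinks/bq-export",
                      "authenticationInfo": {"principalEmail": "data@example.com"},
                      "request": {"sink": {"destination": "bigquery.googleapis.com/projects/prod-app/datasets/audit"}}}},
    {"protoPayload": {"methodName": METHOD_PREFIX + "DeleteSink",
                      "resourceName": "projects/prod-app/sinks/security-export",
                      "authenticationInfo": {"principalEmail": "ops@example.com"}}},
    {"protoPayload": {"methodName": METHOD_PREFIX + "ListSinks",
                      "resourceName": "projects/prod-app",
                      "authenticationInfo": {"principalEmail": "audit@example.com"}}},
]


def destination_owner(dest):
    """Classify a sink destination string.

    BigQuery, Pub/Sub and Logging-bucket destinations carry the owning project in
    their path. GCS bucket names are global and carry no project, so ownership has
    to come from inventory rather than from the name."""
    m = re.match(r"^(?:bigquery|pubsub|logging)\.googleapis\.com/projects/([^/]+)/", dest)
    if m:
        return "project", m.group(1)
    m = re.match(r"^storage\.googleapis\.com/([^/]+)$", dest)
    if m:
        return "bucket", m.group(1)
    return "unknown", dest


def evaluate_sink_change(rec):
    """Return a finding dict for a suspicious sink change, or None."""
    p = rec.get("protoPayload", {})
    method = p.get("methodName", "")
    if not method.startswith(METHOD_PREFIX) or method[len(METHOD_PREFIX):] not in SINK_METHODS:
        return None
    op = method[len(METHOD_PREFIX):]
    actor = p.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
    sink = p.get("resourceName", "")
    parts = sink.split("/")
    sink_project = parts[1] if len(parts) > 1 and parts[0] == "projects" else None
    base = {"actor": actor, "sink": sink, "operation": op}

    if op == "DeleteSink":
        return {**base, "reason": "sink deleted; exported logs stop flowing to the destination"}

    dest = p.get("request", {}).get("sink", {}).get("destination", "")
    kind, owner = destination_owner(dest)
    if kind == "project":
        if owner == sink_project or owner in TRUSTED_PROJECTS:
            return None
        return {**base, "destination": dest,
                "reason": f"destination project {owner} is neither the sink's project nor allowlisted"}
    if kind == "bucket":
        if owner in TRUSTED_BUCKETS:
            return None
        return {**base, "destination": dest,
                "reason": f"GCS bucket {owner} is not allowlisted; its name does not reveal the owning project"}
    return {**base, "destination": dest, "reason": "unrecognised destination format"}


def scan(entries):
    """Evaluate a batch of audit entries and return only the findings."""
    return [f for f in (evaluate_sink_change(e) for e in entries) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_ENTRIES):
        print(f)
```

DeleteSink is reported alongside the redirections because an adversary who cannot redirect the export can still stop it, which serves the same goal of impeding detection. The sink's writer identity must also be granted access on the new destination; that grant in the destination project is the other side of this change and a useful corroborating event.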

Prerequisites

  • Data sources
  • Lookups

T1548

Purpose

Adversaries may circumvent mechanisms designed to control elevated privileges in order to gain higher-level permissions.

Most modern systems contain native elevation control mechanisms that are intended to limit the privileges a user can exercise on a machine. Authorization has to be granted to specific users in order to perform tasks that are considered higher risk.

An adversary can use several methods to take advantage of these built-in control mechanisms in order to escalate privileges on a system.

Included alerts

  1. SecOpsLinuxSetuiSecapUtility

  2. SecOpsLinuxNOPASSWDSudoers

  3. SecOpsLinuxDoasToolExec

  4. SecOpsLinuxDoasConfigCreate

  5. SecOpsLinuxSudoFileModification

  6. SecOpsLinuxSetuidUsingChmod

  7. SecOpsBypassUserAccountControl
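
The Linux alerts above cover sudoers changes, doas, and files given the setuid bit. The added example below (not the page's own alert logic) parses a constructed sudoers file for NOPASSWD grants and the !authenticate default, treating include directives as directives rather than comments, and parses chmod command lines, as they would appear in process-creation telemetry, to decide whether they add the set-user-ID or set-group-ID bit in octal or symbolic form.

```python
"""Audit sudoers content for password-less escalation and parse chmod for set-ID bits.

Added example for this page, not the page's own alert logic. The sudoers text and the
command lines are constructed; the functions take strings so they run offline. Real
deployments must also scan every file pulled in by #includedir / @includedir.
"""
import re
import shlex

# sudoers(5) command tags: NOPASSWD:, PASSWD:, NOEXEC:, SETENV:, LOG_INPUT:, ...
SUDO_TAGS = r"\b(?:NO)?(?:PASSWD|EXEC|SETENV|LOG_INPUT|LOG_OUTPUT|MAIL|FOLLOW):"

SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
deploy  ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app, \\
                           /usr/bin/journalctl -u app
backup  ALL=(root) NOPASSWD: ALL
Defaults:svc    !authenticate
#includedir /etc/sudoers.d
"""


def audit_sudoers(text):
    """Return (kind, detail) findings for directives that remove the password check."""
    findings = []
    joined = re.sub(r"\\\n", " ", text)                 # join backslash-continued lines
    for raw in joined.splitlines():
        line = " ".join(raw.split())                     # collapse whitespace
        if not line:
            continue
        if re.match(r"^[#@]include(dir)?\b", line):      # a directive, not a comment
            findings.append(("include", line))
            continue
        if line.startswith("#"):
            continue
        if line.startswith("Defaults") and re.search(r"(^|[\s,])!authenticate\b", line):
            findings.append(("no_auth_default", line))  # password disabled for that scope
            continue
        if "NOPASSWD:" not in line:
            continue
        # user_or_%group  host = (runas) TAG: cmd, cmd ...
        m = re.match(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$", line)
        who = m.group(1) if m else "?"
        cmds = " ".join(re.sub(SUDO_TAGS, "", m.group(2) if m else line).split())
        severity = "high" if cmds == "ALL" or who == "ALL" else "medium"
        findings.append((f"nopasswd_{severity}", f"{who} -> {cmds}"))
    return findings


def chmod_adds_special_bits(cmdline):
    """Return the set of special bits ('setuid', 'setgid') a chmod command line adds.
    Handles octal modes, comma-separated symbolic clauses, options before the mode
    and the '--' separator; mode removals (u-s, 0755) yield an empty set."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return set()
    if not argv or argv[0].rsplit("/", 1)[-1] != "chmod":
        return set()
    args, mode = argv[1:], None
    for i, tok in enumerate(args):
        if tok == "--":                      # everything after is an operand
            mode = args[i + 1] if i + 1 < len(args) else None
            break
        if not tok.startswith("-"):          # first non-option operand is the mode
            mode = tok
            break
    if mode is None:
        return set()
    bits = set()
    if re.fullmatch(r"[0-7]{1,5}", mode):
        value = int(mode, 8)
        if value & 0o4000:
            bits.add("setuid")
        if value & 0o2000:
            bits.add("setgid")
        return bits
    for clause in mode.split(","):
        m = re.fullmatch(r"([ugoa]*)([-+=])([rwxXst]*|[ugo])", clause)
        if not m or m.group(2) == "-" or "s" not in m.group(3):
            continue
        who = m.group(1) or "a"              # GNU chmod: no class letters means all classes
        if "u" in who or "a" in who:
            bits.add("setuid")
        if "g" in who or "a" in who:
            bits.add("setgid")
    return bits


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
    print(chmod_adds_special_bits("/bin/chmod -R u+s /usr/bin/find"))
```

Grading NOPASSWD on ALL as high and a fixed command list as medium reflects how the grant is abused: a password-less ALL is root on demand, while a narrow command list is only as dangerous as the listed binaries (a NOPASSWD editor or pager still escalates, so the medium findings need a second look at the commands). Setgid on a directory is a common legitimate pattern for shared group inheritance, which is why the function reports the two bits separately instead of collapsing them into one verdict.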

Prerequisites

  • Data sources
  • Lookups

T1552

Purpose

Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (Bash History), operating system or application-specific repositories (Credentials in Registry), or other specialized files/artifacts (Private Keys).

Included alerts

  1. SecOpsAzureDevOpsSecretNotSecured

  2. SecOpsGCPSecretsManagerHighActivity

  3. SecOpsAWSSecretsManagerSensitiveAdminActionObserved

  4. SecOpsAwsGetSecretFromNonAmazonIp

  5. SecOpsWinWifiCredHarvestNetsh
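
Two of the alerts above reduce to checks that can be run offline: a Secrets Manager GetSecretValue whose sourceIPAddress lies outside AWS address space, and a netsh invocation that prints stored Wi-Fi keys in the clear. The added example below is not the page's own alert logic; the CloudTrail records and command lines are constructed, and the AWS prefix list is a placeholder for the published ip-ranges.json.

```python
"""Two checks for insecurely accessed credentials: a Secrets Manager read from outside
AWS address space, and a netsh command that dumps Wi-Fi keys in the clear.

Added example for this page, not the page's own alert logic. The CloudTrail records,
process command lines and the AWS prefix list below are constructed; a real check
must load the published ip-ranges.json and refresh it regularly.
"""
import ipaddress
import json
import re

# Constructed stand-in for the published AWS prefix list (assumption, not real data).
AWS_PREFIXES = [ipaddress.ip_network(p) for p in ("52.94.0.0/16", "54.240.0.0/16", "2600:1f00::/24")]

# Constructed CloudTrail records, one JSON object per line.
SAMPLE_TRAIL = """
{"eventTime":"2024-03-01T13:00:00Z","eventSource":"secretsmanager.amazonaws.com","eventName":"GetSecretValue","sourceIPAddress":"203.0.113.77","userAgent":"aws-cli/2.15.0","requestParameters":{"secretId":"prod/db/master"},"userIdentity":{"arn":"arn:aws:iam::111122223333:user/etl-svc"}}
{"eventTime":"2024-03-01T13:00:05Z","eventSource":"secretsmanager.amazonaws.com","eventName":"GetSecretValue","sourceIPAddress":"52.94.12.8","requestParameters":{"secretId":"prod/db/master"},"userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/app-task/i-0abc"}}
{"eventTime":"2024-03-01T13:00:09Z","eventSource":"secretsmanager.amazonaws.com","eventName":"GetSecretValue","sourceIPAddress":"lambda.amazonaws.com","requestParameters":{"secretId":"prod/api/key"},"userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/rotator/rotate"}}
{"eventTime":"2024-03-01T13:00:12Z","eventSource":"secretsmanager.amazonaws.com","eventName":"GetSecretValue","sourceIPAddress":"198.51.100.9","errorCode":"AccessDeniedException","requestParameters":{"secretId":"prod/db/master"},"userIdentity":{"arn":"arn:aws:iam::111122223333:user/intern"}}
{"eventTime":"2024-03-01T13:00:20Z","eventSource":"secretsmanager.amazonaws.com","eventName":"DescribeSecret","sourceIPAddress":"198.51.100.9","requestParameters":{"secretId":"prod/db/master"},"userIdentity":{"arn":"arn:aws:iam::111122223333:user/intern"}}
"""


def is_aws_source(source):
    """CloudTrail's sourceIPAddress is a DNS name, not an address, when an AWS service
    made the call on the principal's behalf (e.g. lambda.amazonaws.com); treat those
    as inside AWS. Anything unparseable is treated as outside, i.e. fail closed."""
    if source.endswith(".amazonaws.com"):
        return True
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False
    return any(addr in net for net in AWS_PREFIXES)


def secret_reads_from_outside_aws(raw):
    """Successful GetSecretValue calls whose caller address is not in AWS space."""
    findings = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("eventSource") != "secretsmanager.amazonaws.com" or rec.get("eventName") != "GetSecretValue":
            continue
        if rec.get("errorCode"):              # a denied read never disclosed the secret
            continue
        source = rec.get("sourceIPAddress", "")
        if not is_aws_source(source):
            findings.append({"actor": rec["userIdentity"]["arn"],
                             "secret": rec.get("requestParameters", {}).get("secretId"),
                             "source": source})
    return findings


# netsh accepts abbreviated verbs ("sh pro"), any profile selector and optional quotes
# around the value, so anchor on 'wlan' plus 'key=clear' rather than the full phrase.
NETSH_WIFI_KEY = re.compile(r"\bnetsh(?:\.exe)?\b.*\bwlan\b.*\bkey\s*=\s*\"?clear\b", re.IGNORECASE)


def is_wifi_key_dump(cmdline):
    """True when a process command line asks netsh to reveal stored Wi-Fi keys."""
    return bool(NETSH_WIFI_KEY.search(cmdline))


if __name__ == "__main__":
    print(secret_reads_from_outside_aws(SAMPLE_TRAIL))
    print(is_wifi_key_dump('netsh wlan show profile name="CorpWiFi" key=clear'))
```

The DNS-name case matters in practice: rotation Lambdas and ECS tasks read secrets constantly, and a check that only accepts dotted-quad addresses would page on every one of them. The denied read from 198.51.100.9 is excluded here on purpose; it belongs with the AccessDenied fan-out under T1526, not with credential disclosure.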

Prerequisites

  • Data sources
  • Lookups

T1553

Purpose

Adversaries may undermine security controls that either warn users of untrusted activity or prevent execution of untrusted programs.

Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it carries an attribute set when it was downloaded from the Internet, or the user being warned before connecting to an untrusted site.

The method adversaries use will depend on the specific mechanism they seek to subvert (for example File and Directory Permissions Modification or Modify Registry). They may also create or steal code signing certificates to acquire trust on target systems.

Included alerts

  1. SecOpsWinAttemptToAddCertificateToStore

Prerequisites

  • Data sources
  • Lookups

T1555

Purpose

Adversaries may search for common password storage locations to obtain user credentials. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.

Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users to manage and maintain them.

Included alerts

  1. SecOpsWinRegistryModificationStoreLogonCred
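
The alert name above points at a registry setting that makes Windows keep logon credentials in a recoverable form; reading it as the WDigest UseLogonCredential value is an assumption made for the example. The added example below (not the page's own alert logic) classifies constructed Sysmon Event ID 13 style records, matching both the CurrentControlSet and ControlSet00x spellings of the path and decoding the DWORD details field rather than string-matching on "1".

```python
"""Flag registry writes that make WDigest cache plaintext logon credentials.

Added example for this page, not the page's own alert logic. The alert name suggests
the WDigest UseLogonCredential setting; that reading is an assumption, as are the
constructed Sysmon Event ID 13 (RegistryEvent, value set) style records below.
"""
import re

WDIGEST_VALUE = re.compile(
    r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Control\\SecurityProviders\\WDigest\\UseLogonCredential$",
    re.IGNORECASE)
# Sysmon renders a REG_DWORD in the Details field as "DWORD (0x00000001)".
DWORD_DETAILS = re.compile(r"^DWORD \((0x[0-9a-f]{8})\)$", re.IGNORECASE)

SAMPLE_EVENTS = [  # constructed
    {"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\WDigest\\UseLogonCredential",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\Negotiate",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 12, "EventType": "CreateKey", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential"},
]


def parse_dword(details):
    """Decode Sysmon's DWORD rendering to an int; None for any other type."""
    m = DWORD_DETAILS.match(details.strip())
    return int(m.group(1), 16) if m else None


def classify_wdigest_write(ev):
    """Return (severity, reason) for a value-set event on UseLogonCredential, else None."""
    if ev.get("EventType") != "SetValue" or not WDIGEST_VALUE.match(ev.get("TargetObject", "")):
        return None
    image = ev.get("Image", "<unknown>")
    value = parse_dword(ev.get("Details", ""))
    if value == 1:
        return ("high", f"{image} enabled UseLogonCredential: LSASS will keep plaintext passwords for WDigest")
    if value == 0:
        return ("info", f"{image} set UseLogonCredential to 0 (explicit hardening)")
    return ("low", f"{image} wrote non-DWORD or unexpected data: {ev.get('Details')!r}")


def scan(events):
    """Apply classify_wdigest_write to a batch and keep the hits as (image, severity, reason)."""
    results = []
    for ev in events:
        hit = classify_wdigest_write(ev)
        if hit:
            results.append((ev.get("Image"), hit[0], hit[1]))
    return results


if __name__ == "__main__":
    for r in scan(SAMPLE_EVENTS):
        print(r)
```

The key-creation event (ID 12) is deliberately not matched: the value only takes effect when it is set, and alerting on the set avoids a duplicate for the same action. Which process wrote the value is carried through because reg.exe or PowerShell writing it from an interactive session reads very differently from a configuration-management agent enforcing 0.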

Prerequisites

  • Data sources
  • Lookups

T1556