
V1.5

T1526

Cloud Service Discovery

Purpose

An adversary may attempt to enumerate the cloud services running on a system after gaining access; these services may be platform-as-a-service (PaaS), infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS) offerings. Many services exist across the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc.

Azure tools and APIs (Azure AD Graph API and Azure Resource Manager API) can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.

Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services.

Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.

Included alerts

  1. SecOpsGCPGCSBucketEnumerated

  2. SecOpsGCPKubernetesClusterPodScanDetection

  3. SecOpsAWSIAMUserGeneratingAccessDeniedErrorsAcrossMultipleActions

Prerequisites

DATA SOURCES

LOOKUPS

T1531

Account Access Removal

Purpose

Adversaries may interrupt the availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (for example, by changing their credentials) to remove access. Adversaries may subsequently log off and/or perform a System Shutdown/Reboot to set the malicious changes into place.

In Windows, the Net utility and the Set-LocalUser and Set-ADAccountPassword PowerShell cmdlets may be used by adversaries to modify user accounts. In Linux, the passwd utility may be used to change passwords. Accounts could also be disabled by Group Policy.

Adversaries who use ransomware or similar attacks may first perform this and other Impact behaviors, such as Data Destruction and Defacement, in order to impede incident response/recovery before completing the Data Encrypted for Impact objective.

Included alerts

  1. SecOpsGCPIAMCustomRoleDeletion

  2. SecOpsGCPIAMServiceAccountDisabled

  3. SecOpsGCPIAMServiceAccountDeletion

  4. SecOpsAWSIAMDeletePolicy

  5. SecOpsAwsKmsKeyDeletion

  6. SecOpsAwsMasterKeyDisabledOrDeletion

  7. SecOpsAWSIamSuccessfulGroupDeletion

Prerequisites

DATA SOURCES

LOOKUPS

T1537

Transfer Data to Cloud Account

Purpose

Adversaries may exfiltrate data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection.

This is because a defender who is monitoring data transfers may not be watching for transfers within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.

Included alerts

  1. SecOpsGCPLoggingSinkModification

Prerequisites

DATA SOURCES

LOOKUPS

T1547

Boot or Logon Autostart Execution

Purpose

Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.

Operating systems may have mechanisms to automatically run a program on system boot or account logon, which may include automatically executing programs placed in specially designated directories or in repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.

Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.

Included alerts

  1. SecOpsLinuxInstallKernelModprobe

  2. SecOpsLinuxInsertKernelInsmod

  3. SecOpsWinRegistryModificationRunKeyAdded

Prerequisites

DATA SOURCES

LOOKUPS

T1548

Abuse Elevation Control Mechanism

Purpose

Adversaries may circumvent mechanisms designed to control the elevation of privileges in order to gain higher-level permissions.

Most modern systems contain native elevation control mechanisms that are intended to limit the privileged actions a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that are considered higher risk.

An adversary can use several methods to take advantage of these built-in control mechanisms in order to escalate privileges on a system.

Included alerts

  1. SecOpsLinuxSetuiSecapUtility

  2. SecOpsLinuxNOPASSWDSudoers

  3. SecOpsLinuxDoasToolExec

  4. SecOpsLinuxDoasConfigCreate

  5. SecOpsLinuxSudoFileModification

  6. SecOpsLinuxSetuidUsingChmod

  7. SecOpsBypassUserAccountControl

Prerequisites

DATA SOURCES

LOOKUPS

T1552

Unsecured Credentials

Purpose

Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (Bash History), operating system or application-specific repositories (Credentials in Registry), or other specialized files/artifacts (Private Keys).

Included alerts

  1. SecOpsAzureDevOpsSecretNotSecured

  2. SecOpsGCPSecretsManagerHighActivity

  3. SecOpsAWSSecretsManagerSensitiveAdminActionObserved

  4. SecOpsAwsGetSecretFromNonAmazonIp

  5. SecOpsWinWifiCredHarvestNetsh

Prerequisites

DATA SOURCES

LOOKUPS

T1553

Subvert Trust Controls

Purpose

Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs.

Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples include allowing a program to run because it is signed with a valid code-signing certificate, or warning the user because a file carries an attribute set when it was downloaded from the Internet or an untrusted site.

The method adversaries use will depend on the specific mechanism they seek to subvert (for example, File and Directory Permissions Modification or Modify Registry). They may also create or steal code-signing certificates to acquire trust on target systems.

Included alerts

  1. SecOpsWinAttemptToAddCertificateToStore

Prerequisites

DATA SOURCES

LOOKUPS

T1555

Credentials from Password Stores

Purpose

Adversaries may search for common password storage locations to obtain user credentials. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.

Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make them easier for users to manage and maintain.

Included alerts

  1. SecOpsWinRegistryModificationStoreLogonCred

Prerequisites

DATA SOURCES

LOOKUPS

T1556

Modify Authentication Process

Purpose

Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts, allowing them to authenticate to a service or system without using Valid Accounts.

The authentication process is handled by mechanisms responsible for gathering, storing, and validating credentials:

  • Windows: Local Security Authority Subsystem Service (LSASS) and/or Security Accounts Manager (SAM).

  • Unix-based systems: pluggable authentication modules (PAM).

  • macOS systems: authorization plugins.

Adversaries may maliciously modify a part of this process to either reveal credentials or bypass authentication mechanisms. Compromised credentials or access may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop.

Included alerts

  1. SecOpsO365DisableMFA

Prerequisites

DATA SOURCES

  • cloud.office365.management.azureactivedirectory

LOOKUPS

T1558

Steal or Forge Kerberos Tickets

Purpose

Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket.

Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as "realms", there are three basic participants: client, service, and Key Distribution Center (KDC).

Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting.

Included alerts

  1. SecOpsWinGoldenSamlCertificateExport

  2. SecOpsWinADDomainEnumeration

Prerequisites

DATA SOURCES

LOOKUPS

T1562

Impair Defenses

Purpose

This alert pack helps you protect against an adversary that has infiltrated your system and is trying to remove defensive barriers, whether for themselves or for other adversaries. It provides the information needed to stop the activity and remediate any damage caused before it is too late.

Adversaries may maliciously modify components of a victim's environment in order to hinder or disable defensive mechanisms. This involves not only impairing preventative defenses, such as firewalls and anti-virus, but also the detection capabilities that defenders use to audit activity and identify malicious behavior. This may span both native defenses and supplemental capabilities installed by users and administrators.

Included alerts

  1. SecOpsLinuxPotentialDisableSELinux

  2. SecOpsGCPLoggingSinkDeletion

  3. SecOpsAWSLoggingConfigurationChangeObservedStopLogging

  4. SecOpsAzureFWPolicyDeletion

  5. SecOpsGCPLoggingBucketDeletion

  6. SecOpsAWSNetworkAccessControlListDeleted

  7. SecOpsAzureFrontDoorWafPolicyDeletion

  8. SecOpsGCPGCEFirewallRuleCreation

  9. SecOpsAWSOpenNetworkACLs

  10. SecOpsAzureDevOpsAuditDisabled

  11. SecOpsGCPGCEFirewallRuleDeletion

  12. SecOpsAWSLoggingConfigurationChangeObservedRemoveTags

  13. SecOpsGCPPubSubTopicDeletion

  14. SecOpsO365MailboxAuditBypass

  15. SecOpsWinDisableAntispywareRegistry

  16. SecOpsGCPGCEFirewallRuleModification

  17. SecOpsO365BypassMFAviaIP

  18. SecOpsWinCritServiceStopped

  19. SecOpsGCPPubSubSubscriptionDeletion

  20. SecOpsAWSLoggingConfigurationChangeObservedDeleteTrail

Prerequisites

DATA SOURCES

LOOKUPS

T1566

Phishing

Purpose

Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted at a specific individual, company, or industry (known as spearphishing), or it can take the form of mass malware spam campaigns (known as non-targeted phishing).

Adversaries may send victims emails or use social media to deliver malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also involve social engineering techniques (posing as a trusted source), as well as evasive techniques (removing or manipulating emails or their metadata/headers on the compromised accounts used as senders, as in Email Hiding Rules). Adversaries may also forge or spoof the identity of the sender to fool both the human recipient and automated security tools.

Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware, or install adversary-accessible remote management tools onto their computer.

Included alerts

  1. SecOpsO365PhishAttempt

  2. SecOpsMimecastMessageWithHighSpamScore

  3. SecOpsMimecastMessageWithVirusDetections

Prerequisites

DATA SOURCES

LOOKUPS

T1578

Modify Cloud Compute Infrastructure

Purpose

An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.

Permissions gained from the modification of infrastructure components may bypass restrictions that prevent access to existing infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and remove evidence of their presence.

Included alerts

  1. SecOpsAzureHybridHealthADFSNewServer

  2. SecOpsAzureHybridHealthADFSDelete

  3. SecOpsAwsECRContainerUploadOutsideBusinessHours

  4. SecOpsAwsDbSnapshotCreated

Prerequisites

DATA SOURCES

LOOKUPS

T1580

Cloud Infrastructure Discovery

Purpose

This alert pack will let you know when attackers are looking for valuable information about your cloud environments and can help your team respond to discovery activity.

An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.

Included alerts

  1. SecOpsGCPAuditUnauthorizedAPICalls

  2. SecOpsGCPAuditListQueues

  3. SecOpsGCPPossibleReconnaissanceActivity

  4. SecOpsGCPPortScan

  5. SecOpsGCPGCPloitExploitationFrameworkActivity

  6. SecOpsAwsCloudTrailReconEvent

  7. SecOpsGCPPortSweep

Prerequisites

DATA SOURCES

LOOKUPS
