Cloud Service

Infrastructure, platforms, or software that are hosted on-premise or by third-party providers, made available to users through network connections and/or APIs[1][2]

ID: DS0025
Platforms: IaaS, Identity Provider, Office Suite, SaaS
Collection Layer: Cloud Control Plane
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 17 November 2024

Data Components

Cloud Service: Cloud Service Disable

This data component refers to monitoring actions that deactivate or stop a cloud service in a cloud control plane. Examples include disabling essential logging services like AWS CloudTrail (StopLogging API call), Microsoft Azure Monitor Logs, or Google Cloud's Operations Suite (formerly Stackdriver). Disabling such services can hinder visibility into adversary activities within the cloud environment. Examples:

  • AWS CloudTrail StopLogging: This action stops logging of API activity for a particular trail, effectively reducing the monitoring and visibility of AWS resources and activities.
  • Microsoft Azure Monitor Logs: Disabling these logs hinders the organization’s ability to detect anomalous activities and trace malicious actions.
  • Google Cloud Logging: Disabling cloud logging removes visibility into resource activity, preventing monitoring of service access or configuration changes.
  • SaaS Applications: Stopping logging removes visibility into user activities, such as email access or file downloads, enabling undetected malicious behavior.

This data component can be collected through the following measures:

Enable and Monitor Cloud Service Logging

  • Ensure logging is enabled for all cloud services, including administrative actions like StopLogging.
  • Example: Use AWS Config to verify that CloudTrail is enabled and enforce logging as a compliance rule.

API Monitoring

  • Use API monitoring tools to detect calls like StopLogging or equivalent service-stopping actions in other platforms.
  • Example: Monitor AWS CloudWatch for specific API events such as StopLogging and flag unauthorized users.

SIEM Integration

  • Collect logs and events from the cloud control plane into a centralized SIEM for real-time analysis and correlation.
  • Example: Ingest AWS CloudTrail logs into Splunk or Azure Monitor logs into Sentinel.

Cloud Security Posture Management (CSPM) Tools

  • Leverage CSPM tools like Prisma Cloud, Dome9, or AWS Security Hub to detect misconfigurations or suspicious activity, such as disabled logging.
  • Example: Set alerts for changes to logging configurations in CSPM dashboards.

Configure Alerts in Cloud Platforms

  • Create native alerts in cloud platforms to detect service stoppages.
  • Example: Configure an AWS CloudWatch alarm to trigger when StopLogging is invoked.

Domain ID Name Detects
Enterprise T1562 Impair Defenses

Monitor logs for API calls to disable logging. In AWS, monitor for: StopLogging and DeleteTrail.[3] In GCP, monitor for: google.logging.v2.ConfigServiceV2.UpdateSink.[4] In Azure, monitor for az monitor diagnostic-settings delete.[5] Additionally, a sudden loss of a log source may indicate that it has been disabled.

Enterprise T1562.008 Disable or Modify Cloud Logs

Monitor logs for API calls to disable logging. In AWS, monitor for StopLogging, UpdateTrail, and DeleteTrail.[3] In GCP, monitor for google.logging.v2.ConfigServiceV2.UpdateSink and google.logging.v2.ConfigServiceV2.DeleteSink.[4] In Azure, monitor for az monitor diagnostic-settings update and az monitor diagnostic-settings delete.[5] Additionally, a sudden loss of a log source may indicate that it has been disabled.
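The following detector is an added example, not part of the ATT&CK page or any vendor's code: it normalises CloudTrail, GCP audit-log and Azure Activity Log records onto one schema, flags the log-disabling calls listed above, and also reports log sources that have gone quiet (the "sudden loss of a log source" signal). The Azure operation path used for the diagnostic-settings CLI actions and the field layout of the constructed records are assumptions.

```python
"""Flag control-plane calls that disable or modify cloud logging and log sources that
have gone quiet. All records below are constructed for this example, not real telemetry."""
from datetime import datetime, timedelta, timezone

AWS_LOG_IMPAIR = {"StopLogging", "UpdateTrail", "DeleteTrail"}
GCP_LOG_IMPAIR = {
    "google.logging.v2.ConfigServiceV2.UpdateSink",
    "google.logging.v2.ConfigServiceV2.DeleteSink",
}
# Assumption: Azure Activity Log records the CLI's diagnostic-settings update and
# delete as write/delete operations under this resource-provider path.
AZURE_DIAG_PATH = "microsoft.insights/diagnosticsettings/"
NOW = datetime(2024, 11, 17, 12, 0, tzinfo=timezone.utc)   # evaluation time for the demo
MAX_GAP = timedelta(hours=2)                                # silence that warrants a look

def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def normalize(raw: dict) -> dict:
    """Map a raw CloudTrail, GCP audit-log or Azure Activity Log record onto one schema:
    platform, action, principal, source (account/project/subscription) and time."""
    if "eventName" in raw and "eventSource" in raw:            # AWS CloudTrail
        return {"platform": "AWS", "action": raw["eventName"],
                "principal": raw.get("userIdentity", {}).get("arn", "?"),
                "source": "aws:" + raw.get("recipientAccountId", "?"),
                "time": _ts(raw["eventTime"])}
    if "protoPayload" in raw:                                    # GCP audit log
        p, labels = raw["protoPayload"], raw.get("resource", {}).get("labels", {})
        return {"platform": "GCP", "action": p["methodName"],
                "principal": p.get("authenticationInfo", {}).get("principalEmail", "?"),
                "source": "gcp:" + labels.get("project_id", "?"),
                "time": _ts(raw["timestamp"])}
    if "operationName" in raw:                                   # Azure Activity Log
        op = raw["operationName"]
        return {"platform": "Azure", "action": op["value"] if isinstance(op, dict) else op,
                "principal": raw.get("caller", "?"),
                "source": "azure:" + raw.get("subscriptionId", "?"),
                "time": _ts(raw["eventTimestamp"])}
    raise ValueError("unrecognised record shape")

def is_log_impairment(ev: dict) -> bool:
    action = ev["action"]
    if ev["platform"] == "AWS":
        return action in AWS_LOG_IMPAIR
    if ev["platform"] == "GCP":
        return action in GCP_LOG_IMPAIR
    low = action.lower()            # Azure: a write or delete of a diagnostic setting
    return AZURE_DIAG_PATH in low and low.rsplit("/", 1)[-1] in {"write", "delete"}

def find_log_impairment(records) -> list:
    """Return (platform, action, principal) for every log-disabling call."""
    return [(ev["platform"], ev["action"], ev["principal"])
            for ev in map(normalize, records) if is_log_impairment(ev)]

def silent_sources(records, now: datetime, max_gap: timedelta) -> list:
    """Sources whose newest record is older than max_gap: a sudden loss of a log
    source is itself a sign that logging may have been disabled."""
    last_seen = {}
    for ev in map(normalize, records):
        last_seen[ev["source"]] = max(last_seen.get(ev["source"], ev["time"]), ev["time"])
    return sorted(src for src, seen in last_seen.items() if now - seen > max_gap)

SAMPLE = [  # constructed records in each platform's native shape
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "eventTime": "2024-11-17T10:00:00Z", "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails",
     "eventTime": "2024-11-17T11:55:00Z", "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"}},
    {"protoPayload": {"methodName": "google.logging.v2.ConfigServiceV2.DeleteSink",
                      "authenticationInfo": {"principalEmail": "svc@example.iam.gserviceaccount.com"}},
     "resource": {"labels": {"project_id": "proj-a"}}, "timestamp": "2024-11-17T09:00:00Z"},
    {"operationName": {"value": "Microsoft.Insights/diagnosticSettings/delete"},
     "caller": "carol@example.com", "subscriptionId": "sub-1",
     "eventTimestamp": "2024-11-17T08:00:00Z"},
]

if __name__ == "__main__":
    print("log impairment:", find_log_impairment(SAMPLE))
    print("quiet sources:", silent_sources(SAMPLE, NOW, MAX_GAP))
```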

Cloud Service: Cloud Service Enumeration

Cloud service enumeration involves listing or querying available cloud services in a cloud control plane. This activity is often performed to identify resources such as virtual machines, storage buckets, compute clusters, or other services within a cloud environment. Examples include API calls like AWS ECS ListServices, Azure ListAllResources, or Google Cloud ListInstances. Examples:

  • AWS Cloud Service Enumeration: The adversary gathers details about existing ECS services to identify opportunities for privilege escalation or exfiltration.
  • Azure Resource Enumeration: The adversary collects information about virtual machines, resource groups, and other Azure assets for reconnaissance purposes.
  • Google Cloud Resource Enumeration: The attacker seeks to map the environment and find misconfigured or underutilized resources for exploitation.
  • Office 365 Service Enumeration: The attacker may look for data repositories or collaboration tools to exfiltrate sensitive information.

This data component can be collected through the following measures:

Enable Cloud Activity Logging

  • Ensure cloud service logs are enabled for API calls and resource usage.
  • Example: Enable AWS CloudTrail, Azure Monitor, or Google Cloud Logging to track resource queries.

Centralize Logs in a SIEM

  • Aggregate logs from cloud control planes into a centralized SIEM (e.g., Splunk, Azure Sentinel).
  • Example: Collect AWS CloudTrail logs and set up alerts for API calls related to service enumeration.

Use Native Cloud Security Tools

  • Leverage cloud-native security solutions like AWS GuardDuty, Azure Defender, or Google Security Command Center.
  • Example: Use GuardDuty to detect anomalous API activity, such as ListServices being executed by an unknown user.

Implement Network Flow Logging

  • Monitor and analyze VPC flow logs to identify lateral movement or enumeration activity.
  • Example: Inspect flow logs for unexpected traffic between compute instances and the cloud control plane.

API Access Monitoring

  • Monitor API keys and tokens used for enumeration to identify misuse or compromise.
  • Example: Use AWS Secrets Manager or Azure Key Vault to manage and rotate keys securely.

Domain ID Name Detects
Enterprise T1526 Cloud Service Discovery

Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained. Normal, benign system and network events that look like cloud service discovery may be uncommon, depending on the environment and how they are used. Monitor cloud service usage for anomalous behavior that may indicate adversarial presence within the environment.

Enterprise T1555 Credentials from Password Stores

Monitor for API calls and CLI commands that attempt to enumerate and fetch credential material from cloud secrets managers, such as get-secret-value in AWS, gcloud secrets describe in GCP, and az key vault secret show in Azure. Alert on any suspicious usages of these commands, such as an account or service generating an unusually high number of secret requests.

Analytic 1 - High volume of secret requests from unusual accounts or services.

index=security sourcetype IN ("aws:cloudtrail", "azure:activity", "gcp:activity")
  (eventName IN ("ListAccessKeys", "GetLoginProfile", "ListSecrets", "GetSecretValue", "GetParametersByPath", "ListKeys")
   OR operationName IN ("ListAccessKeys", "GetLoginProfile", "ListSecrets", "GetSecretValue", "GetParametersByPath", "ListKeys")
   OR protoPayload.methodName IN ("ListAccessKeys", "GetLoginProfile", "ListSecrets", "GetSecretValue", "GetParametersByPath", "ListKeys"))

Enterprise T1555.006 Cloud Secrets Management Stores

Monitor for API calls and CLI commands that attempt to enumerate and fetch credential material from the secrets manager, such as get-secret-value in AWS, gcloud secrets describe in GCP, and az key vault secret show in Azure. Alert on any suspicious usages of these commands, such as an account or service generating an unusually high number of secret requests.

Analytic 1 - High volume of secret requests from unusual accounts or services.

index=cloud_logs sourcetype IN ("aws:cloudtrail", "gcp:logging", "azure:activity")
  (eventName IN ("GetSecretValue", "gcloud secrets describe", "az key vault secret show"))
| eval User=coalesce(userIdentity.arn, protoPayload.authenticationInfo.principalEmail, claims.user)
| eval Service=coalesce(eventSource, protoPayload.serviceName, claims.aud)
| eval AccountType=case(
    match(User, "root|admin|superuser"), "High-Privilege",
    match(User, "serviceaccount|svc|automation"), "Service-Account",
    true(), "Standard-User")
| eval Platform=case(
    sourcetype=="aws:cloudtrail", "AWS",
    sourcetype=="gcp:logging", "GCP",
    sourcetype=="azure:activity", "Azure",
    true(), "Unknown")
| where AccountType != "High-Privilege"

Analytic 2 - Cloud Service Enumeration

index=cloud_logs sourcetype IN ("aws:cloudtrail", "gcp:logging", "azure:activity")
| search (sourcetype="aws:cloudtrail" eventName="GetSecretValue"
      OR sourcetype="gcp:pubsub:message" methodName="google.iam.credentials.v1.*"
      OR sourcetype="azure:eventhub" operationName="Microsoft.KeyVault/vaults/secrets/read")
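The two T1555 analytics above are SPL; the following Python is an added example (not the page's own analytic) that applies the same logic outside Splunk: it coalesces the user and service fields across sourcetypes, classifies the account as the case() expression does, and flags principals whose secret reads reach a threshold within a sliding window, which the SPL leaves as "an unusually high number". The Splunk-style record layout (sourcetype and _time on each event) and the GCP Secret Manager method name are assumptions.

```python
"""Per-principal burst detection for secret-retrieval calls across AWS, GCP and Azure,
following the coalesce/classification logic of the analytics above.
Records are Splunk-style events constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Secret-reading operations per sourcetype; the AWS and Azure names are on this page,
# the GCP Secret Manager method name is an assumption.
SECRET_READS = {
    "aws:cloudtrail": {"GetSecretValue", "ListSecrets", "GetParametersByPath"},
    "gcp:logging": {"google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion"},
    "azure:activity": {"Microsoft.KeyVault/vaults/secrets/read"},
}
USER_PATHS = ("userIdentity.arn", "protoPayload.authenticationInfo.principalEmail", "claims.user")
SERVICE_PATHS = ("eventSource", "protoPayload.serviceName", "claims.aud")
ACTION_PATHS = ("eventName", "protoPayload.methodName", "operationName")
WINDOW, THRESHOLD = timedelta(minutes=5), 5

def dig(record: dict, path: str):
    """Look up a dotted field path; None when any segment is missing."""
    cur = record
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def coalesce(record: dict, paths):
    """First non-empty value among the candidate paths, like SPL coalesce()."""
    return next((v for v in (dig(record, p) for p in paths) if v), None)

def account_type(user: str) -> str:
    """Same classification as the analytic's case() expression."""
    if re.search(r"root|admin|superuser", user, re.I):
        return "High-Privilege"
    if re.search(r"serviceaccount|svc|automation", user, re.I):
        return "Service-Account"
    return "Standard-User"

def peak_in_window(times, window: timedelta) -> int:
    """Largest number of events falling inside any span of length `window`."""
    times = sorted(times)
    start, peak = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak

def secret_bursts(records, window: timedelta, threshold: int) -> list:
    """Principals whose secret reads reach `threshold` within any `window`."""
    by_key = defaultdict(list)
    for r in records:
        if coalesce(r, ACTION_PATHS) not in SECRET_READS.get(r["sourcetype"], ()):
            continue
        user = coalesce(r, USER_PATHS) or "unknown"
        key = (r["sourcetype"], user, coalesce(r, SERVICE_PATHS))
        by_key[key].append(datetime.fromisoformat(r["_time"]))
    findings = []
    for (sourcetype, user, service), times in by_key.items():
        peak = peak_in_window(times, window)
        if peak >= threshold:
            findings.append({"sourcetype": sourcetype, "user": user, "service": service,
                             "account_type": account_type(user), "peak": peak})
    return findings

def _aws(user: str, second: int) -> dict:   # builds a constructed CloudTrail-shaped event
    return {"sourcetype": "aws:cloudtrail", "eventSource": "secretsmanager.amazonaws.com",
            "eventName": "GetSecretValue", "_time": f"2024-11-17T10:00:{second:02d}",
            "userIdentity": {"arn": f"arn:aws:iam::111111111111:user/{user}"}}

SAMPLE = [_aws("svc-backup", s) for s in range(0, 60, 10)] + [   # six reads in 50 seconds
    _aws("alice", 5),
    {"sourcetype": "azure:activity", "operationName": "Microsoft.KeyVault/vaults/secrets/read",
     "claims": {"user": "dave@example.com", "aud": "https://vault.azure.net"},
     "_time": "2024-11-17T10:30:00"},
    {"sourcetype": "gcp:logging", "_time": "2024-11-17T10:40:00",
     "protoPayload": {"methodName": "google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion",
                      "serviceName": "secretmanager.googleapis.com",
                      "authenticationInfo": {"principalEmail": "deploy@proj-a.iam.gserviceaccount.com"}}},
]

if __name__ == "__main__":
    for finding in secret_bursts(SAMPLE, WINDOW, THRESHOLD):
        print(finding)
```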

Enterprise T1046 Network Service Discovery

Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained. Normal, benign system and network events that look like cloud service discovery may be uncommon, depending on the environment and how they are used. Monitor cloud service usage for anomalous behavior that may indicate adversarial presence within the environment.

Cloud Service: Cloud Service Metadata

Cloud service metadata refers to the contextual and descriptive information about cloud services, including their name, type, purpose, configuration, and activity around them. This metadata is essential for understanding the roles and functions of cloud services, their operational status, and their potential misuse. Examples:

  • Azure Service Metadata: Metadata describing a resource in Azure, such as an Azure Storage Account or a Virtual Machine.
  • AWS Cloud Service Metadata: Metadata for an AWS EC2 instance collected using the DescribeInstances API call.
  • Google Cloud Service Metadata: Metadata for a Google Compute Engine instance collected using gcloud compute instances describe.
  • Office 365 Metadata: Metadata about an Office 365 SharePoint site.

This data component can be collected through the following measures:

Enable Cloud Metadata APIs

  • Leverage APIs provided by cloud providers to query metadata about services.
    • AWS: Use AWS CLI or SDKs for DescribeInstances, DescribeBuckets, etc.
    • Azure: Use az resource list or SDKs.
    • Google Cloud: Use gcloud compute instances describe or related commands.
    • Office 365: Use Microsoft Graph API.

Centralize Metadata in a Security Platform

  • Aggregate metadata from multiple clouds into a SIEM or CSPM (Cloud Security Posture Management) tool.
  • Example: Integrate AWS CloudTrail with Splunk or Azure Monitor with Sentinel.

Enable Continuous Monitoring

  • Set up automated jobs or workflows to regularly query and update metadata.
  • Example: Use AWS Config to track resource configurations and changes over time.

Configure Access and Logging

  • Enable logging for API queries to ensure access and usage of metadata are monitored.
  • Example: Use AWS CloudTrail to log API activity for metadata queries.

Use Cloud Security Tools

  • Employ CSPM tools like Prisma Cloud, Wiz, or Dome9 to gather metadata and identify misconfigurations.
  • Example: Prisma Cloud provides consolidated views of metadata for resources across AWS, Azure, and GCP.

Domain ID Name Detects
Enterprise T1530 Data from Cloud Storage

Monitor M365 Audit logs for TeamsSessionStarted Operations against MicrosoftTeams workloads involving suspicious ClientIPs and suspect accounts (UserId).

Analytic 1 - Sessions initiated from unusual IP addresses, high volume of sessions from a single account, sessions at unusual times

index="m365_audit_logs" Operation="TeamsSessionStarted"
| stats count by UserId, ClientIP, CreationTime
| where ClientIP!="expected_ip" OR UserId!="expected_user"
| sort CreationTime

Enterprise T1213.002 Data from Information Repositories: SharePoint

Monitor M365 Audit logs for FileAccessed operations against Sharepoint workloads. Scrutinize event metadata such as client IP address, ObjectId, UserId, User Agent, and Authentication type.

Analytic 1 - Unusual file access patterns by users, anomalous IP addresses, or suspicious User Agents

index="m365_audit_logs" Operation="FileAccessed"
| stats count by UserId, ClientIP, ObjectId, UserAgent, AuthenticationType
| where UserId!="expected_user" OR ClientIP!="expected_ip" OR UserAgent!="expected_user_agent" OR AuthenticationType!="expected_auth_type"

Enterprise T1114.003 Email Collection: Email Forwarding Rule

Monitor M365 Audit logs for AlertTriggered operations with rule name "Creation of forwarding/redirect rule." or for New-InboxRule operations against Exchange workloads. Look for anomalous modification properties such as the actor user ID. An example event can show the creation of an email forwarding rule for a victim user.

Analytic 1 - Unauthorized email forwarding rule creation activities

Note: This analytic detects unauthorized email forwarding rule creation activities in M365 Audit logs.

index="m365_audit_logs" Operation="AlertTriggered" RuleName="Creation of forwarding/redirect rule"
| stats count by Actor, TargetUser
| where Actor!="expected_actor" AND TargetUser!="expected_target_user"

Analytic 2 - Unauthorized email forwarding rule creation activities

index="m365_audit_logs" Operation="New-InboxRule"
| stats count by UserId, Parameters.ForwardTo
| where UserId!="expected_user" AND Parameters.ForwardTo!="expected_forwarding_address"

Enterprise T1578 Modify Cloud Compute Infrastructure

Monitor for quota increases across all regions, especially multiple quota increases in a short period of time or quota increases in unused regions. Monitor for changes to tenant-level settings such as subscriptions and enabled regions.[6]

Cloud Service: Cloud Service Modification

Cloud service modification refers to changes made to the configuration, settings, or data of a cloud service. These modifications can include administrative changes such as enabling or disabling features, altering permissions, or deleting critical components. Monitoring these changes is critical to detect potential misconfigurations or malicious activity. Examples:

  • AWS Cloud Service Modifications: A user disables AWS CloudTrail logging (StopLogging) or deletes a CloudWatch configuration rule (DeleteConfigRule).
  • Azure Cloud Service Modifications: Changes to Azure Role-Based Access Control (RBAC) roles, such as adding a new Contributor role to a sensitive resource.
  • Google Cloud Service Modifications: Deletion of a Google Cloud Storage bucket or disabling a Google Cloud Function.
  • Office 365 Cloud Service Modifications: Altering mailbox permissions or disabling auditing in Microsoft 365.

This data component can be collected through the following measures:

Enable Cloud Audit Logging

  • AWS: Enable AWS CloudTrail for logging management events such as StopLogging or DeleteTrail.
  • Azure: Use Azure Activity Logs to monitor resource changes and access actions.
  • Google Cloud: Enable Google Cloud Audit Logs to track API calls, resource modifications, and policy changes.
  • Office 365: Use Unified Audit Logs in Microsoft Purview to track administrative actions.

Centralize Log Storage

  • Consolidate logs from all cloud providers into a SIEM or CSPM (Cloud Security Posture Management) tool.
  • Example: Use Splunk or Elastic Stack to ingest and analyze logs from AWS, Azure, and Google Cloud.

Automate Alerts for Sensitive Changes

  • Configure alerts for high-risk actions, such as disabling logging or modifying IAM roles.
  • AWS Example: Use AWS Config rules to detect and notify changes to critical services.
  • Azure Example: Set up Azure Monitor alerts for write actions on sensitive resources.

Enable Continuous Monitoring

  • Use tools like AWS Security Hub, Azure Defender, or Google Chronicle to continuously monitor cloud service modifications for anomalies.

Domain ID Name Detects
Enterprise T1671 Cloud Application Integration

Monitor for additions and changes to applications in the SaaS environment.

Enterprise T1546 Event Triggered Execution

Monitor the creation and modification of cloud resources that may be abused for persistence, such as functions and workflows monitoring cloud events.

Enterprise T1562 Impair Defenses

Monitor changes made to cloud services for unexpected modifications to settings and/or data.

Enterprise T1562.008 Disable or Modify Cloud Logs

Monitor changes made to cloud services for unexpected modifications to settings and/or data.

Analytic 1 - Operations performed by unexpected initiators, frequent modifications, changes to critical resources

index="azure_activity_logs" OperationName="Create or update resource diagnostic setting"
| stats count by InitiatorName, ResourceID, Status
| where Status!="Succeeded" OR InitiatorName!="expected_initiator"
| sort Time

Enterprise T1556 Modify Authentication Process

Monitor for changes made to conditional access policies used by SaaS identity providers and internal IaaS identity and access management systems.

Analytic 1 - Changes to access policies without corresponding change requests.

index=cloud_logs sourcetype IN ("azure:activity", "gsuite:reports:activity", "aws:cloudtrail", "office365:management", "saas_audit")
  (eventName IN ("UpdateServicePrincipal", "UpdateUser", "UpdateGroup", "UpdatePolicy", "UpdateRole", "PutRolePolicy", "AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy", "ModifyAuthenticationMethod")
   OR protoPayload.methodName IN ("directory.users.update", "admin.directory.group.update", "admin.directory.roleAssignments.update", "Set-AzureADApplicationProxyConnector", "Update-PassThroughAuthentication")
   OR (eventName="Sign-in" AND targetResourceType="applicationProxyConnector"))

Enterprise T1556.009 Conditional Access Policies

Monitor for changes made to conditional access policies used by SaaS identity providers and internal IaaS identity and access management systems.

Enterprise T1578.005 Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations

Monitor for quota increases across all regions, especially multiple quota increases in a short period of time or quota increases in unused regions. In Azure environments, monitor for changes to tenant-level settings such as enabled regions.[6]
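An added example, not from the page, of the quota rule described for T1578 and T1578.005 above, run against constructed CloudTrail-shaped records: a request is flagged when it targets a region with no other account activity, or when one principal files several requests inside a short window. RequestServiceQuotaIncrease is the AWS Service Quotas API call as CloudTrail logs it; the record fields are the minimum assumed here, and the window and burst size are tuning choices.

```python
"""Flag quota-increase requests that hit regions the account does not otherwise use,
or that arrive in quick succession from one principal (T1578 guidance above).
Records are minimal CloudTrail-shaped events constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# The Service Quotas API call that asks for a limit raise, as logged by CloudTrail.
QUOTA_EVENT = "RequestServiceQuotaIncrease"
WINDOW, MIN_BURST = timedelta(minutes=10), 3   # tuning choices for this example

def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def used_regions(records) -> set:
    """Regions showing any non-quota activity: the account's working footprint."""
    return {r["awsRegion"] for r in records if r["eventName"] != QUOTA_EVENT}

def quota_findings(records, window: timedelta, min_burst: int) -> list:
    """('unused-region', region, arn) for each request outside the footprint and
    ('burst', arn, total) when min_burst consecutive requests by one principal
    fall inside a single window."""
    active = used_regions(records)
    findings, by_arn = [], defaultdict(list)
    for r in records:
        if r["eventName"] != QUOTA_EVENT:
            continue
        arn = r["userIdentity"]["arn"]
        if r["awsRegion"] not in active:
            findings.append(("unused-region", r["awsRegion"], arn))
        by_arn[arn].append(_ts(r["eventTime"]))
    for arn, times in by_arn.items():
        times.sort()
        # does any run of min_burst consecutive requests fit inside one window?
        runs = [times[i + min_burst - 1] - times[i] <= window
                for i in range(len(times) - min_burst + 1)]
        if any(runs):
            findings.append(("burst", arn, len(times)))
    return findings

def _ev(name: str, region: str, user: str, when: str) -> dict:
    """Constructed CloudTrail-shaped record with only the fields the rule reads."""
    return {"eventName": name, "awsRegion": region, "eventTime": when,
            "userIdentity": {"arn": f"arn:aws:iam::111111111111:user/{user}"}}

SAMPLE = [
    _ev("RunInstances", "us-east-1", "ops", "2024-11-16T09:00:00Z"),
    _ev("DescribeInstances", "eu-west-1", "ops", "2024-11-16T09:05:00Z"),
    _ev(QUOTA_EVENT, "us-east-1", "ops", "2024-11-16T10:00:00Z"),          # routine
    _ev(QUOTA_EVENT, "ap-south-1", "mallory", "2024-11-17T03:00:00Z"),     # unused region
    _ev(QUOTA_EVENT, "sa-east-1", "mallory", "2024-11-17T03:01:00Z"),      # unused region
    _ev(QUOTA_EVENT, "ap-northeast-1", "mallory", "2024-11-17T03:02:00Z"), # unused region
    _ev(QUOTA_EVENT, "us-east-1", "mallory", "2024-11-17T03:03:00Z"),      # part of the burst
]

if __name__ == "__main__":
    for finding in quota_findings(SAMPLE, WINDOW, MIN_BURST):
        print(finding)
```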

Enterprise T1666 Modify Cloud Resource Hierarchy

Monitor for changes to resource groups, such as creating new resource groups or leaving top-level management groups. In Azure environments, monitor for changes to subscriptions.[6] In AWS environments, monitor for API calls such as CreateAccount or LeaveOrganization.[7]

Enterprise T1496 Resource Hijacking

Monitor for changes to SaaS services, especially when quotas are raised or when new services are enabled.

Enterprise T1496.004 Cloud Service Hijacking

Monitor for changes to SaaS services, especially when quotas are raised or when new services are enabled. In AWS environments, watch for calls to Bedrock APIs like PutUseCaseForModelAccess, PutFoundationModelEntitlement, and InvokeModel and SES APIs like UpdateAccountSendingEnabled.[8][9]

Enterprise T1648 Serverless Execution

Monitor for unusual Serverless function modifications, such as adding roles to a function that allow unauthorized access or execution.

Analytic 1 - Tracks actions related to creating or modifying serverless functions

index=cloud_logs sourcetype=aws:iam OR sourcetype=azure:activity OR sourcetype=gcp:iam
| search action IN ("iam:PassRole", "iam:CreateFunction", "iam:AddPermission", "iam:UpdateFunctionConfiguration")

References