Modify Cloud Compute Infrastructure: Create Cloud Instance
An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may Create Snapshot of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect Data from Local System or for Remote Data Staging.(Citation: Mandiant M-Trends 2020) Creating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of current running instances.
Procedure Examples

Name | Description
---|---
LAPSUS$ | LAPSUS$ has created new virtual machines within the target's cloud environment after leveraging credential access to cloud assets.(Citation: MSTIC DEV-0537 Mar 2022)
Scattered Spider | During C0027, Scattered Spider used access to the victim's Azure tenant to create Azure VMs.(Citation: Crowdstrike TELCO BPO Campaign December 2022) Scattered Spider has also created Amazon EC2 instances within the victim's environment.(Citation: CISA Scattered Spider Advisory November 2023)
Mitigations

Mitigation | Description
---|---
Audit | Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.
User Account Management | Manage the creation, modification, use, and permissions associated to user accounts.
Detection
The creation of a new instance or VM is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, the creation of an instance by a new user account or the unexpected creation of one or more snapshots followed by the creation of an instance may indicate suspicious activity.
In AWS, CloudTrail logs capture the creation of an instance in the `RunInstances` event, and in Azure the creation of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of `gcloud compute instances create` to create a VM.(Citation: Cloud Audit Logs)
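The chain-of-behavior idea above, as an added example that is not part of the ATT&CK page: a small detector over CloudTrail-style records that flags a `RunInstances` event only when, within a time window, the same principal issued `CreateSnapshot` or that principal's IAM user was itself just created. The records are constructed samples trimmed to the fields used; the one-hour window and the account id are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample CloudTrail records (not real logs), trimmed to the fields used.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/admin"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "CreateSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/svc-backup"}},
    {"eventTime": "2024-05-01T10:20:00Z", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/svc-backup"}},
    # Routine instance launch by an established principal: should not be flagged.
    {"eventTime": "2024-05-01T11:00:00Z", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deployer"}},
]

def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def _actor(ev):
    return ev["userIdentity"]["arn"]

def find_suspicious_run_instances(events, window=timedelta(hours=1)):
    """Return RunInstances events preceded within `window` by either a
    CreateSnapshot from the same principal or the creation of that principal.
    Each hit is (event_time, actor_arn, sorted list of reasons)."""
    events = sorted(events, key=_ts)
    hits = []
    for ev in events:
        if ev["eventName"] != "RunInstances":
            continue
        t, actor = _ts(ev), _actor(ev)
        user_name = actor.rsplit("/", 1)[-1]  # IAM user name from the ARN
        reasons = set()
        for prior in events:
            pt = _ts(prior)
            if not (t - window <= pt < t):  # only look back inside the window
                continue
            if prior["eventName"] == "CreateSnapshot" and _actor(prior) == actor:
                reasons.add("snapshot_then_instance")
            if (prior["eventName"] == "CreateUser"
                    and prior.get("requestParameters", {}).get("userName") == user_name):
                reasons.add("new_user_created_instance")
        if reasons:
            hits.append((ev["eventTime"], actor, sorted(reasons)))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_run_instances(SAMPLE_EVENTS):
        print(hit)
```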
References
- Microsoft. (n.d.). View Azure activity logs. Retrieved June 17, 2020.
- Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020.
- Google. (n.d.). Audit Logs. Retrieved June 1, 2020.
- Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances. Retrieved June 17, 2020.
- Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.
- MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.
- CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024.