Initial construction of a cloud volume (ex: AWS create-volume)

| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1578 | Modify Cloud Compute Infrastructure | Monitor for the unexpected creation or presence of cloud block storage volumes. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones. |
Removal of a cloud volume (ex: AWS delete-volume)

| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1578 | Modify Cloud Compute Infrastructure | Monitor for the unexpected deletion or absence of cloud block storage volumes. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones. |
| Enterprise | T1485 | Data Destruction | Monitor for unexpected deletion of a cloud volume (ex: AWS |
An extracted list of available volumes within a cloud environment (ex: AWS describe-volumes)

| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1580 | Cloud Infrastructure Discovery | Monitor cloud logs for API calls and other potentially unusual activity related to block object storage enumeration. Discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained. |
Contextual data about a cloud volume and activity around it, such as id, type, state, and size
Changes made to a cloud volume, including its settings and control data (ex: AWS modify-volume)

| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1578 | Modify Cloud Compute Infrastructure | Monitor for unexpected changes to cloud block storage volumes. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones. |
| Enterprise | T1611 | Escape to Host | Monitor cluster-level (Kubernetes) data and events associated with changing containers' volume configurations. |
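The detection guidance above (flag volume creation, deletion, modification and enumeration, and use a change-management identifier to suppress expected actions) as an added example, not part of the ATT&CK page: a small Python triage routine over constructed CloudTrail-style EC2 events. It assumes a tag key `ChangeTicket` is applied by the change process, that volume tags are available from an asset inventory dict, and a nested `ModifyVolumeRequest` shape for ModifyVolume events; all event data is constructed.

```python
WATCHED = {"CreateVolume", "DeleteVolume", "ModifyVolume", "DescribeVolumes"}
CHANGE_TAG = "ChangeTicket"  # assumed tag key; use whatever your change process records

def request_tags(params):
    """Flatten the tagSpecificationSet of a CreateVolume request into a dict."""
    tags = {}
    for item in params.get("tagSpecificationSet", {}).get("items", []):
        for tag in item.get("tags", []):
            tags[tag["key"]] = tag["value"]
    return tags

def triage_event(event, tags_by_volume):
    """Return None for an expected event, else a one-line alert (tags_by_volume: inventory tags)."""
    name = event.get("eventName")
    if event.get("eventSource") != "ec2.amazonaws.com" or name not in WATCHED:
        return None
    actor = event.get("userIdentity", {}).get("arn", "unknown")
    params = event.get("requestParameters") or {}
    if name == "DescribeVolumes":
        # Enumeration is not malicious by itself; surface it for chain-of-behaviour review.
        return f"volume enumeration by {actor}"
    if name == "CreateVolume":
        ok = CHANGE_TAG in request_tags(params)
        return None if ok else f"CreateVolume without {CHANGE_TAG} by {actor}"
    # Delete/Modify requests carry no tags, so check the target volume's current tags.
    # ModifyVolume is assumed to log a nested ModifyVolumeRequest object.
    vol = params.get("volumeId") or params.get("ModifyVolumeRequest", {}).get("VolumeId", "?")
    if CHANGE_TAG in tags_by_volume.get(vol, {}):
        return None
    return f"{name} on {vol} without {CHANGE_TAG} by {actor}"

def triage(events, tags_by_volume):
    """Run triage_event over a batch of events and keep only the alerts."""
    return [a for a in (triage_event(e, tags_by_volume) for e in events) if a]

def ev(name, user, params):
    """Build a constructed CloudTrail-like event (real ones come from your trail)."""
    return {"eventSource": "ec2.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": "arn:aws:iam::111111111111:user/" + user},
            "requestParameters": params}

SAMPLE_EVENTS = [
    ev("CreateVolume", "deploy", {"tagSpecificationSet": {"items": [
        {"resourceType": "volume", "tags": [{"key": CHANGE_TAG, "value": "CHG-0042"}]}]}}),
    ev("CreateVolume", "contractor", {"size": 8, "availabilityZone": "us-east-1a"}),
    ev("DeleteVolume", "contractor", {"volumeId": "vol-0aaa"}),
    ev("ModifyVolume", "ops", {"ModifyVolumeRequest": {"VolumeId": "vol-0bbb", "Size": 200}}),
    ev("DescribeVolumes", "contractor", None),
]
SAMPLE_TAGS = {"vol-0aaa": {"Name": "db-data"}, "vol-0bbb": {CHANGE_TAG: "CHG-0042"}}
```

Running `triage(SAMPLE_EVENTS, SAMPLE_TAGS)` yields three alerts (the untagged creation, the deletion of an untagged volume, and the enumeration) while the tagged creation and the modification of a volume under an approved change are suppressed.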