Cloud Security

| Name | Technique | Tactic |
| --- | --- | --- |
| AWS Cross Account Activity | Use Alternate Authentication Material | Defense Evasion |
| AWS Defense Evasion | Impair Defenses, Disable or Modify Cloud Logs | Defense Evasion |
| AWS IAM Privilege Escalation | Cloud Account, Create Account | Persistence |
| AWS Identity and Access Management Account Takeover | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Resource Development |
| AWS Network ACL Activity | Disable or Modify Cloud Firewall | Defense Evasion |
| AWS Security Hub Alerts | None | None |
| AWS User Monitoring | Cloud Accounts | Defense Evasion |
| Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | User Execution | Execution |
| Azure Active Directory Account Takeover | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying | Resource Development |
| Azure Active Directory Persistence | Account Manipulation, Valid Accounts | Persistence |
| Azure Active Directory Privilege Escalation | Account Manipulation | Persistence |
| Cloud Cryptomining | Unused/Unsupported Cloud Regions | Defense Evasion |
| Cloud Federated Credential Abuse | Image File Execution Options Injection, Event Triggered Execution | Privilege Escalation |
| Dev Sec Ops | Malicious Image, User Execution | Execution |
| GCP Cross Account Activity | Valid Accounts | Defense Evasion |
| Kubernetes Scanning Activity | Cloud Service Discovery | Discovery |
| Kubernetes Security | User Execution | Execution |
| Kubernetes Sensitive Object Access Activity | None | None |
| Office 365 Account Takeover | Steal Application Access Token | Credential Access |
| Office 365 Collection Techniques | Email Forwarding Rule, Email Collection | Collection |
| Office 365 Persistence Mechanisms | Account Manipulation, Additional Cloud Roles | Persistence |
| Suspicious AWS Login Activities | Cloud Accounts | Defense Evasion |
| Suspicious AWS S3 Activities | Data from Cloud Storage | Collection |
| Suspicious AWS Traffic | None | None |
| Suspicious Cloud Authentication Activities | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Resource Development |
| Suspicious Cloud Instance Activities | Cloud Accounts, Valid Accounts | Defense Evasion |
| Suspicious Cloud Provisioning Activities | Valid Accounts | Defense Evasion |
| Suspicious Cloud User Activities | Modify Cloud Compute Configurations | Defense Evasion |
| Suspicious GCP Storage Activities | Data from Cloud Storage | Collection |