Try in Splunk Security Cloud

Description

Monitor for activities and techniques associated with Account Takover attacks against Google Cloud Platform tenants.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2022-10-12
  • Author: Mauricio Velazco, Bhavin Patel, Splunk
  • ID: 8601caff-414f-4c6d-9a04-75b66778869d

Narrative

Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic storic groups detections that can help security operations teams identify the potential compromise of Azure Active Directory accounts.

Detections

Name Technique Type
GCP Authentication Failed During MFA Challenge Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation TTP
GCP Multi-Factor Authentication Disabled Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication TTP
GCP Multiple Failed MFA Requests For User Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts TTP
GCP Multiple Users Failing To Authenticate From Ip Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing Anomaly
GCP Successful Single-Factor Authentication Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts TTP
GCP Unusual Number of Failed Authentications From Ip Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing Anomaly

Reference

source | version: 1