Allocation of compute resources in multiple regions

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	30 Minutes
Deduplication Period	5 Days
Required Data	Requires one of the following data sources: AWS Audit Log OR Azure Audit Log OR Gcp Audit Log
Detection Modules	Cloud
ATT&CK Tactic	Impact (TA0040) Initial Access (TA0001)
ATT&CK Technique	Resource Hijacking (T1496) Valid Accounts (T1078)
Severity	Low

An identity allocated an unusual compute resource pool, suspected as mining activity.

Leverage cloud compute resources to earn virtual currency.

Check the identity created resources and its legitimacy.
Look for any unusual behavior originated from the suspected identity, and check if they're compromised, e.g. Access key, Service account, etc.

ATT&CK Tactic

ATT&CK Technique

Severity

High

An identity allocated an unusual compute resource pool, suspected as mining activity.

Leverage cloud compute resources to earn virtual currency.

Check the identity created resources and its legitimacy.
Look for any unusual behavior originated from the suspected identity, and check if they're compromised, e.g. Access key, Service account, etc.

ATT&CK Tactic

ATT&CK Technique

Severity

High

An identity allocated an unusual compute resource pool, suspected as mining activity.

Leverage cloud compute resources to earn virtual currency.

Check the identity created resources and its legitimacy.
Look for any unusual behavior originated from the suspected identity, and check if they're compromised, e.g. Access key, Service account, etc.

ATT&CK Tactic

ATT&CK Technique

Severity

High

An identity allocated an unusual compute resource pool, suspected as mining activity.

Leverage cloud compute resources to earn virtual currency.

Check the identity created resources and its legitimacy.
Look for any unusual behavior originated from the suspected identity, and check if they're compromised, e.g. Access key, Service account, etc.