Unusual resource modification/creation

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	5 Days
Required Data	Requires one of the following data sources: AWS Audit Log OR Azure Audit Log OR Gcp Audit Log
Detection Modules	Cloud
ATT&CK Tactic	Impact (TA0040) Persistence (TA0003)
ATT&CK Technique	Data Destruction (T1485) Account Manipulation (T1098)
Severity	Informational

Description

A cloud resource was modified/created by a newly seen user. The API call is unusual as it is normally executed by administrators or not popular within the organization.

Attacker's Goals

Evading detections, maintaining persistence and access to sensitive data.

Investigative actions

Check which resources were manipulated and their severity.
Check for abnormal activity by the executing identity before and after the manipulation.

Variations

Unusual resource modification/creation by newly seen user

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

A cloud resource was modified/created by a newly seen user. The API call is unusual as it is normally executed by administrators or not popular within the organization.

Attacker's Goals

Evading detections, maintaining persistence and access to sensitive data.

Investigative actions

Check which resources were manipulated and their severity.
Check for abnormal activity by the executing identity before and after the manipulation.