Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | 30 Minutes
Deduplication Period | 5 Days
Required Data | Requires one of the following data sources: AWS Audit Log, Azure Audit Log, or Gcp Audit Log
Detection Modules | Cloud
Detector Tags |
ATT&CK Tactic |
ATT&CK Technique |
Severity | Informational
Description
An identity allocated an unusual pool of compute resources, suspected to be mining activity.
Attacker's Goals
Leverage cloud compute resources to earn virtual currency.
Investigative actions
- Check the resources the identity created and verify that they are legitimate.
- Look for any unusual behavior originating from the suspected identity, and check whether its credentials (e.g. access key, service account) have been compromised.
Variations
Abnormal Unusual allocation of compute resources in multiple regions
Synopsis
ATT&CK Tactic |
ATT&CK Technique |
Severity | High
Description
An identity allocated an unusual pool of compute resources, suspected to be mining activity.
Attacker's Goals
Leverage cloud compute resources to earn virtual currency.
Investigative actions
- Check the resources the identity created and verify that they are legitimate.
- Look for any unusual behavior originating from the suspected identity, and check whether its credentials (e.g. access key, service account) have been compromised.
Abnormal Suspicious allocation of compute resources in multiple regions
Synopsis
ATT&CK Tactic |
ATT&CK Technique |
Severity | High
Description
An identity allocated an unusual pool of compute resources, suspected to be mining activity.
Attacker's Goals
Leverage cloud compute resources to earn virtual currency.
Investigative actions
- Check the resources the identity created and verify that they are legitimate.
- Look for any unusual behavior originating from the suspected identity, and check whether its credentials (e.g. access key, service account) have been compromised.
Abnormal Allocation of compute resources in a high number of regions
Synopsis
ATT&CK Tactic |
ATT&CK Technique |
Severity | High
Description
An identity allocated an unusual pool of compute resources, suspected to be mining activity.
Attacker's Goals
Leverage cloud compute resources to earn virtual currency.
Investigative actions
- Check the resources the identity created and verify that they are legitimate.
- Look for any unusual behavior originating from the suspected identity, and check whether its credentials (e.g. access key, service account) have been compromised.
Abnormal Allocation of compute resources in multiple regions by an unusual identity
Synopsis
ATT&CK Tactic |
ATT&CK Technique |
Severity | Low
Description
An identity allocated an unusual pool of compute resources, suspected to be mining activity.
Attacker's Goals
Leverage cloud compute resources to earn virtual currency.
Investigative actions
- Check the resources the identity created and verify that they are legitimate.
- Look for any unusual behavior originating from the suspected identity, and check whether its credentials (e.g. access key, service account) have been compromised.
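The following is an added illustration of the baseline-versus-test-window idea behind these variations (an identity allocating compute in regions it never used during the training period, or an identity with no allocation history at all); it is not the vendor's detector logic. The audit records are constructed, CloudTrail-like dicts, and the field names, the 3-region threshold and the choice of `RunInstances` as the allocation event are assumptions.

```python
"""Added illustration, not the vendor's detector: a baseline/test-window check that
flags an identity allocating compute in an unusual number of new cloud regions.
Records are constructed, CloudTrail-like dicts; field names are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

COMPUTE_EVENTS = {"RunInstances"}   # assumed set of "allocate compute" API calls
TRAINING = timedelta(days=30)       # the page's 30-day training period
TEST = timedelta(minutes=30)        # the page's 30-minute test period

def ev(time, identity, region, event="RunInstances"):
    return {"time": time, "identity": identity, "region": region, "event": event}

CI = "arn:aws:iam::111111111111:user/ci"          # constructed identities
NEW = "arn:aws:iam::111111111111:user/contractor"
OPS = "arn:aws:iam::111111111111:user/ops"
SAMPLE_EVENTS = [  # constructed audit records, not real data
    ev("2024-03-02T10:00:00Z", CI, "us-east-1"), ev("2024-03-15T09:00:00Z", CI, "eu-west-1"),
    ev("2024-03-20T08:00:00Z", OPS, "us-west-2"), ev("2024-03-20T08:05:00Z", OPS, "us-east-1", "DescribeInstances"),
    ev("2024-03-31T11:40:00Z", CI, "us-east-1"), ev("2024-03-31T11:41:00Z", CI, "ap-southeast-1"),
    ev("2024-03-31T11:42:00Z", CI, "sa-east-1"), ev("2024-03-31T11:43:00Z", CI, "eu-central-1"),
    ev("2024-03-31T11:50:00Z", NEW, "us-east-2"), ev("2024-03-31T11:51:00Z", NEW, "ca-central-1"),
    ev("2024-03-31T11:52:00Z", NEW, "ap-northeast-1"),
    ev("2024-03-31T11:55:00Z", OPS, "eu-west-2"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def regions_by_identity(events, start, end):
    """Map identity -> set of regions where it allocated compute in [start, end)."""
    seen = defaultdict(set)
    for e in events:
        if e["event"] in COMPUTE_EVENTS and start <= parse(e["time"]) < end:
            seen[e["identity"]].add(e["region"])
    return seen

def detect(events, now, min_new_regions=3):
    """Return {identity: (new_regions, had_no_baseline)} for identities that used
    at least min_new_regions regions absent from their training-period baseline."""
    baseline = regions_by_identity(events, now - TEST - TRAINING, now - TEST)
    recent = regions_by_identity(events, now - TEST, now)
    alerts = {}
    for identity, regions in recent.items():
        new = regions - baseline.get(identity, set())
        if len(new) >= min_new_regions:
            alerts[identity] = (sorted(new), identity not in baseline)
    return alerts

if __name__ == "__main__":
    for ident, (regions, unknown) in detect(SAMPLE_EVENTS, parse("2024-03-31T12:00:00Z")).items():
        print(f"{ident}: new regions {regions}; no allocation history: {unknown}")
```

With the sample data, the CI user is flagged for three regions outside its baseline, the contractor user is flagged with no allocation history at all (the "unusual identity" case), and the ops user, with only one new region, is not.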