Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | 1 Hour |
| Deduplication Period | 5 Days |
| Required Data | Requires one of the following data sources: AWS Audit Log OR Azure Audit Log OR GCP Audit Log |
| Detection Modules | Cloud |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
An identity allocated multiple compute resources.
Attacker's Goals
Leverage cloud compute resources to earn virtual currency.
Investigative actions
- Check the resources the identity created and whether they are legitimate.
- Look for any unusual behavior originating from the suspected identity, and check whether its credentials (e.g. access key, service account) have been compromised.
Variations
Unusual allocation of multiple cloud compute resources
Synopsis
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | High |
Description
An identity allocated multiple compute resources.
This activity is highly unusual: such a volume of compute allocation was not seen across all projects during the past 30 days.
Attacker's Goals
Leverage cloud compute resources to earn virtual currency.
Investigative actions
- Check the resources the identity created and whether they are legitimate.
- Look for any unusual behavior originating from the suspected identity, and check whether its credentials (e.g. access key, service account) have been compromised.
Unusual allocation of multiple cloud compute resources
Synopsis
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Medium |
Description
An identity allocated multiple compute resources.
This activity is highly unusual: such a volume of compute allocation was not seen in this project during the past 30 days.
Attacker's Goals
Leverage cloud compute resources to earn virtual currency.
Investigative actions
- Check the resources the identity created and whether they are legitimate.
- Look for any unusual behavior originating from the suspected identity, and check whether its credentials (e.g. access key, service account) have been compromised.
Unusual allocation of multiple cloud compute resources
Synopsis
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Medium |
Description
An identity allocated multiple compute resources.
The allocated instances contain GPU accelerators, a pattern associated with crypto mining activity.
Attacker's Goals
Leverage cloud compute resources to earn virtual currency.
Investigative actions
- Check the resources the identity created and whether they are legitimate.
- Look for any unusual behavior originating from the suspected identity, and check whether its credentials (e.g. access key, service account) have been compromised.
Allocation of multiple cloud compute resources with accelerator gear
Synopsis
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Low |
Description
An identity allocated multiple compute resources.
This activity is unusual for this identity in the past 30 days.
Attacker's Goals
Leverage cloud compute resources to earn virtual currency.
Investigative actions
- Check the resources the identity created and whether they are legitimate.
- Look for any unusual behavior originating from the suspected identity, and check whether its credentials (e.g. access key, service account) have been compromised.
Unusual allocation attempt of multiple cloud compute resources
Synopsis
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Low |
Description
An identity attempted to allocate multiple compute resources.
This activity is highly unusual: such a volume of compute allocation was not seen in this project during the past 30 days.
Attacker's Goals
Leverage cloud compute resources to earn virtual currency.
Investigative actions
- Check the resources the identity created and whether they are legitimate.
- Look for any unusual behavior originating from the suspected identity, and check whether its credentials (e.g. access key, service account) have been compromised.
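The variations above all hinge on the same comparison: the number of compute allocations one identity makes inside a 1-hour test window, measured against what the 30-day training period saw across all projects, in this project, or for this identity, with GPU instance types and failed-only attempts handled separately. The following is an added, self-contained illustration of that logic; it is not the vendor's detector code. The event fields, the `MIN_ALLOCATIONS` threshold, the baseline structure and all sample values are constructed assumptions for this example, and the variation labels map to the severities stated in the descriptions above.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AllocEvent:
    """Constructed, provider-neutral view of one compute-allocation audit event
    (an AWS, Azure or GCP instance-create record). Field names are assumptions
    for this example, not a vendor schema."""
    identity: str      # principal that made the call (user, role, service account)
    project: str       # account / subscription / project the call targeted
    succeeded: bool    # False for a denied or failed allocation attempt
    accelerator: bool  # True when the requested instance type carries a GPU


@dataclass
class Baseline:
    """Learned from the 30-day training period: the largest number of
    allocations a single identity made in any 1-hour window, kept per
    identity and per project (constructed values below)."""
    per_identity: dict
    per_project: dict

    def max_across_projects(self) -> int:
        return max(self.per_project.values(), default=0)


MIN_ALLOCATIONS = 5  # assumed threshold for "multiple" compute resources


def classify_window(window, baseline):
    """Evaluate one 1-hour test window and return a sorted list of
    (identity, project, variation, severity) tuples. Severities follow the
    variation descriptions on this page."""
    grouped = defaultdict(list)
    for ev in window:
        grouped[(ev.identity, ev.project)].append(ev)

    findings = []
    for (identity, project), evs in grouped.items():
        done = [e for e in evs if e.succeeded]
        failed = [e for e in evs if not e.succeeded]

        if len(done) < MIN_ALLOCATIONS:
            # Nothing was allocated in volume; the "attempt" variation fires only
            # when the failed calls alone exceed what this project has seen before.
            if len(failed) >= MIN_ALLOCATIONS and len(failed) > baseline.per_project.get(project, 0):
                findings.append((identity, project, "attempt", "Low"))
            continue

        # GPU-bearing instance types are reported on their own, independent of volume history.
        if any(e.accelerator for e in done):
            findings.append((identity, project, "accelerator", "Medium"))

        n = len(done)
        if n > baseline.max_across_projects():
            findings.append((identity, project, "across_projects", "High"))
        elif n > baseline.per_project.get(project, 0):
            findings.append((identity, project, "in_project", "Medium"))
        elif n > baseline.per_identity.get(identity, 0):
            findings.append((identity, project, "identity", "Low"))
        else:
            findings.append((identity, project, "baseline", "Informational"))
    return sorted(findings)


# Constructed baseline: hourly maxima observed during training.
BASELINE = Baseline(
    per_identity={"ci-runner": 6, "alice": 2},
    per_project={"prod": 8, "dev": 6, "research": 12},
)

# Constructed 1-hour test window.
SAMPLE_WINDOW = (
    [AllocEvent("ci-runner", "dev", True, False)] * 6        # within its own history
    + [AllocEvent("alice", "prod", True, False)] * 7         # above alice's max, within prod's
    + [AllocEvent("svc-batch", "research", True, True)] * 14 # above every project, GPU instances
    + [AllocEvent("bob", "dev", False, False)] * 9           # denied attempts only
)


def demo():
    return classify_window(SAMPLE_WINDOW, BASELINE)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Running the block prints one tuple per finding: `alice` is flagged at Low because the volume is new for her but not for the project, `svc-batch` produces both a Medium accelerator finding and a High cross-project finding, `bob` triggers the attempt variation from failed calls alone, and `ci-runner` stays Informational. In a real pipeline the baseline would be recomputed from the training window and deduplicated per identity over the 5-day period stated in the synopsis.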