Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | 10 Minutes |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | Cloud |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
A process accessed multiple cloud credential files, which may indicate credential theft activity.
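The sketch below is an added example, not the vendor's detection logic: it flags a process that reads multiple cloud credential files within the 10-minute Test Period and suppresses repeat alerts for the same process within the 1-day Deduplication Period. The credential file paths (common CLI defaults), the threshold of two files, the event tuple layout and the sample events are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed path suffixes (common CLI defaults, not taken from the page).
CRED_FILES = {
    "/.aws/credentials": "aws",
    "/.azure/msal_token_cache.json": "azure",
    "/gcloud/credentials.db": "gcp",
    "/gcloud/application_default_credentials.json": "gcp",
}
TEST_PERIOD = timedelta(minutes=10)  # Test Period from the Synopsis
DEDUP_PERIOD = timedelta(days=1)     # Deduplication Period from the Synopsis
MIN_FILES = 2                        # assumed reading of "multiple"

def provider_of(path):
    """Map a file path (Windows or POSIX) to a cloud provider, or None."""
    norm = path.replace("\\", "/").lower()
    return next((p for s, p in CRED_FILES.items() if norm.endswith(s)), None)

def detect(events):
    """events: (iso_time, host, process, path) tuples. Returns alert dicts."""
    hits = defaultdict(list)  # (host, process) -> [(time, path, provider)]
    for ts, host, proc, path in events:
        prov = provider_of(path)
        if prov:
            hits[(host, proc)].append((datetime.fromisoformat(ts), path.lower(), prov))
    alerts = []
    for (host, proc), rows in hits.items():
        rows.sort()
        start, last_alert = 0, None
        for end in range(len(rows)):
            now = rows[end][0]
            while now - rows[start][0] > TEST_PERIOD:  # slide the 10-minute window
                start += 1
            window = rows[start:end + 1]
            files = sorted({p for _, p, _ in window})
            deduped = last_alert is not None and now - last_alert < DEDUP_PERIOD
            if len(files) < MIN_FILES or deduped:
                continue
            last_alert = now
            alerts.append({"host": host, "process": proc, "time": now, "files": files,
                           "providers": sorted({v for _, _, v in window})})
    return alerts

# Constructed sample events (hypothetical hosts, processes and users).
SAMPLE = [
    ("2024-05-01T10:00:00", "host1", "proc_a", "/home/a/.aws/credentials"),
    ("2024-05-01T10:03:00", "host1", "proc_a", "/home/a/.config/gcloud/credentials.db"),
    ("2024-05-01T10:05:00", "host1", "proc_a", "/home/a/.azure/msal_token_cache.json"),
    ("2024-05-01T10:00:00", "host2", "aws", "C:\\Users\\b\\.aws\\credentials"),
    ("2024-05-01T12:00:00", "host2", "aws", "C:\\Users\\b\\AppData\\Roaming\\gcloud\\credentials.db"),
]
```

More than one entry in an alert's `providers` list corresponds to the "various cloud providers" variation; the "unusual process" variation would additionally need a per-process baseline, which this sketch does not model.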
Attacker's Goals
Gain initial access to the cloud environment.
Investigative actions
- Verify whether the executing process is performing other suspicious activities.
- Verify whether the exposed credential files were used to access the cloud environment.
- Verify which operations were performed against the cloud environment with the exposed credentials.
Variations
Suspicious access to Windows cloud credential files of various cloud providers
Suspicious access to Windows cloud credential files by an unusual process
Suspicious access to cloud credential files of various cloud providers
Suspicious access to cloud credential files by an unusual process