Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | N/A (single event)
Deduplication Period | 5 Days
Required Data | Requires one of the following data sources:
- AWS Audit Log
- OR Azure Audit Log
- OR GCP Audit Log
Detection Modules | Cloud
Detector Tags | Cloud Lateral Movement Analytics
ATT&CK Tactic | Persistence (TA0003)
ATT&CK Technique | Account Manipulation: SSH Authorized Keys (T1098.004)
Severity | Informational
Description
An identity attempted to modify the SSH keys of a single compute instance.
This may indicate an attacker's attempt to maintain persistence on the cloud instance.
Attacker's Goals
- Maintain persistence on a compromised compute instance.
- Escalate local privileges to gain root on the compute instance.
Investigative actions
- Investigate whether SSH keys were modified or added at the instance or project level.
- Investigate which permissions were obtained as a result of the SSH key modification.
Variations
Instance SSH keys were modified for the first time in the cloud provider
Synopsis
Description
An identity has modified the SSH keys of an instance for the first time in the cloud provider.
This may indicate an attacker's attempt to maintain persistence on the cloud instance.
Attacker's Goals
- Maintain persistence on a compromised compute instance.
- Escalate local privileges to gain root on the compute instance.
Investigative actions
- Investigate whether SSH keys were modified or added at the instance or project level.
- Investigate which permissions were obtained as a result of the SSH key modification.
Suspicious cloud compute instance SSH keys modification by a service account
Synopsis
Description
A service account has modified the SSH keys of a single compute instance.
This may indicate an attacker's attempt to maintain persistence on the cloud instance.
Attacker's Goals
- Maintain persistence on a compromised compute instance.
- Escalate local privileges to gain root on the compute instance.
Investigative actions
- Investigate whether SSH keys were modified or added at the instance or project level.
- Investigate which permissions were obtained as a result of the SSH key modification.
Suspicious cloud compute instance SSH keys modification
Synopsis
Description
An identity has modified the SSH keys of a single compute instance.
This may indicate an attacker's attempt to maintain persistence on the cloud instance.
Attacker's Goals
- Maintain persistence on a compromised compute instance.
- Escalate local privileges to gain root on the compute instance.
Investigative actions
- Investigate whether SSH keys were modified or added at the instance or project level.
- Investigate which permissions were obtained as a result of the SSH key modification.
Suspicious GCP project level metadata modification by a service account
Synopsis
Description
A service account has modified the project-level metadata that applies to all instances in the project.
This may indicate an attacker's attempt to perform lateral movement within the project.
Attacker's Goals
- Maintain persistence on a compromised compute instance.
- Escalate local privileges to gain root on the compute instance.
Investigative actions
- Investigate whether SSH keys were modified or added at the instance or project level.
- Investigate which permissions were obtained as a result of the SSH key modification.
Suspicious GCP project level metadata modification
Synopsis
Description
An identity has modified the project-level metadata that applies to all instances in the project.
This may indicate an attacker's attempt to perform lateral movement within the project.
Attacker's Goals
- Maintain persistence on a compromised compute instance.
- Escalate local privileges to gain root on the compute instance.
Investigative actions
- Investigate whether SSH keys were modified or added at the instance or project level.
- Investigate which permissions were obtained as a result of the SSH key modification.
Suspicious GCP project level metadata modification attempt
Synopsis
Description
An identity has modified the project-level metadata that applies to all instances in the project.
This may indicate an attacker's attempt to perform lateral movement within the project.
Attacker's Goals
- Maintain persistence on a compromised compute instance.
- Escalate local privileges to gain root on the compute instance.
Investigative actions
- Investigate whether SSH keys were modified or added at the instance or project level.
- Investigate which permissions were obtained as a result of the SSH key modification.
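To make the variations above concrete, here is an added example (not the detector's own logic) that runs a simplified version of this analytic over constructed audit events: it keeps only metadata writes that touch the `ssh-keys` item, separates instance-level from project-level changes, separates service accounts from other identities, flags a principal's first observed change, and applies the 5-day deduplication period per (principal, resource, variation). The event field names, the `setMetadata` / `setCommonInstanceMetadata` method names and the `.gserviceaccount.com` suffix check are assumptions modelled loosely on GCP Admin Activity audit logs, and the 30-day training baseline is collapsed to "not seen earlier in the input".

```python
from datetime import datetime, timedelta

# Constructed sample events (field names are assumptions for this example).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00Z", "method": "v1.compute.instances.setMetadata",
     "principal": "alice@example.com", "resource": "instances/web-1", "keys": ["ssh-keys"]},
    {"ts": "2024-05-01T10:05:00Z", "method": "v1.compute.instances.setMetadata",
     "principal": "alice@example.com", "resource": "instances/web-1", "keys": ["startup-script"]},
    {"ts": "2024-05-02T09:00:00Z", "method": "v1.compute.instances.setMetadata",
     "principal": "alice@example.com", "resource": "instances/web-1", "keys": ["ssh-keys"]},
    {"ts": "2024-05-03T01:00:00Z", "method": "v1.compute.projects.setCommonInstanceMetadata",
     "principal": "deploy@p1.iam.gserviceaccount.com", "resource": "projects/p1", "keys": ["ssh-keys"]},
    {"ts": "2024-05-04T08:00:00Z", "method": "v1.compute.instances.setMetadata",
     "principal": "alice@example.com", "resource": "instances/web-1", "keys": ["ssh-keys"]},
]

def is_ssh_key_change(ev):
    """Only metadata writes that touch the ssh-keys item are in scope."""
    return "ssh-keys" in ev["keys"] and ev["method"].endswith(("setMetadata", "setCommonInstanceMetadata"))

def variation(ev, first_time):
    """Map an in-scope event to the variation name used on this page."""
    project_level = ev["method"].endswith("setCommonInstanceMetadata")
    svc = ev["principal"].endswith(".gserviceaccount.com")  # assumed service-account marker
    suffix = " by a service account" if svc else ""
    if project_level:
        return "Suspicious GCP project level metadata modification" + suffix
    if first_time and not svc:
        return "Instance SSH keys were modified for the first time in the cloud provider"
    return "Suspicious cloud compute instance SSH keys modification" + suffix

def detect(events, dedup_days=5):
    """Return at most one alert per (principal, resource, variation) within the dedup window."""
    seen_principals, last_alert, alerts = set(), {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_ssh_key_change(ev):
            continue
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        first = ev["principal"] not in seen_principals  # stands in for the training baseline
        seen_principals.add(ev["principal"])
        name = variation(ev, first)
        key = (ev["principal"], ev["resource"], name)
        if key in last_alert and ts - last_alert[key] < timedelta(days=dedup_days):
            continue  # deduplicated: same actor, target and variation within 5 days
        last_alert[key] = ts
        alerts.append({"ts": ev["ts"], "principal": ev["principal"], "resource": ev["resource"], "name": name})
    return alerts
```

The fifth sample event is suppressed by deduplication, so the run yields three alerts: the first-time instance change, the repeat instance change, and the project-level change by the service account.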