Synopsis

| Field | Value |
|---|---|
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | 10 Minutes |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | Cloud |
| Detector Tags | Cloud Lateral Movement Analytics |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
A single process accessed credential files belonging to multiple cloud providers (or several cloud credential files) within a short time window, which may indicate credential theft.
Attacker's Goals
Gain initial access to the cloud environment.
Investigative actions
- Verify whether the executing process performed other suspicious activity on the host (process lineage, network connections, further file reads).
- Verify whether the exposed credentials were subsequently used to access the cloud environment.
- Verify which operations were performed against the cloud environment with the exposed credentials.
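The core of the detection described above, as an added example that is not the detector's own logic: correlate file-read telemetry per process and raise one alert when a process touches credential files of two or more cloud providers inside the 10-minute test period. The provider path markers, the event tuple shape and the sample telemetry are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed credential-file markers per provider (hypothetical, not the detector's list).
PROVIDER_MARKERS = {
    "aws": ("/.aws/credentials", "/.aws/config"),
    "gcp": ("/.config/gcloud/",),
    "azure": ("/.azure/",),
}

def provider_of(path):
    """Return the cloud provider a credential path belongs to, or None."""
    normalized = path.replace("\\", "/").lower()  # handles Windows paths too
    for provider, markers in PROVIDER_MARKERS.items():
        if any(marker in normalized for marker in markers):
            return provider
    return None

def detect(events, window=timedelta(minutes=10), min_providers=2):
    """events: time-ordered (timestamp, host, pid, image, path) tuples.
    Returns one alert per (host, pid) whose reads span >= min_providers
    distinct providers within `window`; later hits for the same process
    are suppressed (a simplified stand-in for the 1-day deduplication)."""
    touched = defaultdict(list)  # (host, pid) -> [(ts, provider)]
    alerts, alerted = [], set()
    for ts, host, pid, image, path in events:
        provider = provider_of(path)
        if provider is None:
            continue  # not a credential file, ignore
        key = (host, pid)
        touched[key].append((ts, provider))
        touched[key] = [(t, p) for t, p in touched[key] if ts - t <= window]
        providers = sorted({p for _, p in touched[key]})
        if len(providers) >= min_providers and key not in alerted:
            alerted.add(key)
            alerts.append({"host": host, "pid": pid, "image": image, "providers": providers})
    return alerts

# Constructed sample telemetry (not real data).
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    (T0, "web-01", 4242, "/usr/bin/aws", "/home/app/.aws/credentials"),  # CLI reading its own file
    (T0 + timedelta(seconds=30), "web-01", 5150, "/opt/tool/collector", "/home/app/.aws/credentials"),
    (T0 + timedelta(seconds=45), "web-01", 5150, "/opt/tool/collector", "/home/app/.config/gcloud/credentials.db"),
    (T0 + timedelta(seconds=50), "web-01", 5150, "/opt/tool/collector", "/home/app/.azure/accessTokens.json"),
    (T0 + timedelta(hours=2), "db-02", 777, "/usr/bin/gcloud", "/root/.config/gcloud/credentials.db"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only pid 5150 is flagged: the two legitimate CLI processes each read a single provider's file, so the provider count alone already separates them from the cross-provider reader.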
Variations
Suspicious access to cloud credential files of various cloud providers within a cloud instance
Suspicious access to cloud credential files within a cloud instance
Suspicious access to Windows cloud credential files of various cloud providers
Suspicious access to Windows cloud credential files by an unusual process
Suspicious access to cloud credential files of various cloud providers
Suspicious access to cloud credential files by an unusual process