APT Activities Focused on Cloud Initial Access

As enterprises increasingly adopt hybrid or multi-cloud environments, adversaries have begun targeting these infrastructures using a variety of sophisticated techniques. In this context, it’s essential to uncover the most commonly used strategies employed by APTs for cloud initial access, along with effective detection approaches to counter these threats. Read More: https://cyberwarfare.live/uncovering-apt-strategies-for-cloud-initial-access/


1. Initial Access

1.1. Phishing

1.1.1. AITM

1.1.1.1. Monitoring login events associated with unexpected Geo-Regions

1.1.1.1.1. FROM filebeat-* | WHERE event.action == "Sign-in activity" AND event.outcome == "success" | WHERE NOT CIDR_MATCH(source.ip, "<IP Subnet>/24") | WHERE NOT source.geo.country_name IN ("India", "USA", "UK") | KEEP user.name, @timestamp, event.action, source.ip, source.geo.country_name, event.outcome

1.1.1.2. Deploying a CSS Canary Token

1.1.1.3. Applying conditional access policy
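The geo-region sign-in query above, re-implemented as an added Python example (not part of the original mind map) over constructed sign-in records, so the filter logic can be run offline. The corporate egress subnet (a documentation range standing in for the "<IP Subnet>/24" placeholder) and the expected-country set are assumptions.

```python
"""Added example (not from the original mind map): the geo-region sign-in
check from the ES|QL query above, re-implemented in Python over constructed
filebeat-style sign-in records."""
import ipaddress
from typing import Iterable, List

# Assumptions, not from the page: an RFC 5737 documentation subnet stands in
# for the "<IP Subnet>/24" placeholder, and the expected countries are the
# three the query excludes.
TRUSTED_SUBNETS = [ipaddress.ip_network("203.0.113.0/24")]
EXPECTED_COUNTRIES = {"India", "USA", "UK"}
KEEP_FIELDS = ("user.name", "@timestamp", "event.action",
               "source.ip", "source.geo.country_name", "event.outcome")


def is_trusted_source(ip: str) -> bool:
    """CIDR_MATCH(source.ip, <subnet>) equivalent: True when the source IP
    sits inside one of the corporate egress ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_SUBNETS)


def unexpected_geo_logins(events: Iterable[dict]) -> List[dict]:
    """Return successful sign-ins that came from neither a trusted subnet
    nor an expected country, projected onto the query's KEEP fields."""
    hits = []
    for ev in events:
        if ev.get("event.action") != "Sign-in activity":
            continue
        if ev.get("event.outcome") != "success":
            continue
        if is_trusted_source(ev["source.ip"]):
            continue
        if ev.get("source.geo.country_name") in EXPECTED_COUNTRIES:
            continue
        hits.append({k: ev.get(k) for k in KEEP_FIELDS})
    return hits


# Constructed sample events shaped like filebeat Azure sign-in documents
# (IPs from RFC 5737 documentation ranges; not real data).
SAMPLE_EVENTS = [
    {"user.name": "alice@example.com", "@timestamp": "2024-05-01T08:00:00Z",
     "event.action": "Sign-in activity", "event.outcome": "success",
     "source.ip": "198.51.100.7", "source.geo.country_name": "India"},
    {"user.name": "bob@example.com", "@timestamp": "2024-05-01T08:05:00Z",
     "event.action": "Sign-in activity", "event.outcome": "success",
     "source.ip": "203.0.113.10", "source.geo.country_name": "Germany"},
    {"user.name": "carol@example.com", "@timestamp": "2024-05-01T08:10:00Z",
     "event.action": "Sign-in activity", "event.outcome": "success",
     "source.ip": "198.51.100.42", "source.geo.country_name": "Brazil"},
    {"user.name": "dave@example.com", "@timestamp": "2024-05-01T08:12:00Z",
     "event.action": "Sign-in activity", "event.outcome": "failure",
     "source.ip": "198.51.100.42", "source.geo.country_name": "Brazil"},
    {"user.name": "erin@example.com", "@timestamp": "2024-05-01T08:20:00Z",
     "event.action": "Sign-in activity", "event.outcome": "success",
     "source.ip": "192.0.2.9", "source.geo.country_name": "Nigeria"},
]

if __name__ == "__main__":
    for hit in unexpected_geo_logins(SAMPLE_EVENTS):
        print(hit)
```

Only carol and erin are reported: bob's login is from the trusted subnet and alice's from an expected country, and dave's attempt failed. Geo filtering alone is a weak signal against AITM proxies hosted in an expected country, which is why the mind map pairs it with the canary token and conditional access policy.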

1.2. Valid Account

1.2.1. Cloud Accounts

1.2.1.1. Monitoring Unusual Login Patterns

1.2.1.1.1. Password Spraying

1.2.1.2. Detecting Multi-Factor Authentication (MFA) Bypass Attempts

1.2.1.2.1. FROM filebeat-* | WHERE event.action == "ConsoleLogin" AND event.outcome == "failure" | EVAL sample = ENDS_WITH(aws.cloudtrail.additional_eventdata, "MFAUsed=Yes") | WHERE sample | KEEP user.name, @timestamp, source.ip | STATS failures = COUNT_DISTINCT(@timestamp) BY window = DATE_TRUNC(30 minutes, @timestamp), user.name, source.ip

1.2.1.3. Tracking Privilege Escalation Activities

1.2.1.3.1. Assume Role

1.2.1.3.2. CreateAccessKey
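The MFA-bypass query above counts failed MFA-backed console logins per 30-minute window, user and source IP. Added Python example (not part of the original mind map) that implements the same bucketing over constructed CloudTrail-style records; the alert threshold and the flattened string form of additionalEventData are assumptions.

```python
"""Added example (not from the original mind map): the 30-minute MFA
failure bucketing from the ES|QL query above, re-implemented in Python over
constructed CloudTrail ConsoleLogin records."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, Tuple

# Assumption, not on the page: alert once a (window, user, source IP)
# tuple accumulates this many distinct failure timestamps.
THRESHOLD = 3

WindowKey = Tuple[datetime, str, str]


def bucket_start(ts: datetime) -> datetime:
    """DATE_TRUNC(30 minutes, @timestamp) equivalent."""
    return ts.replace(minute=(ts.minute // 30) * 30, second=0, microsecond=0)


def mfa_used(additional_eventdata: str) -> bool:
    """ENDS_WITH(aws.cloudtrail.additional_eventdata, "MFAUsed=Yes")."""
    return additional_eventdata.endswith("MFAUsed=Yes")


def mfa_failure_windows(events: Iterable[dict],
                        threshold: int = THRESHOLD) -> Dict[WindowKey, int]:
    """Count distinct failed MFA-backed console logins per 30-minute window,
    user and source IP; return the tuples at or above threshold."""
    stamps = defaultdict(set)
    for ev in events:
        if ev.get("event.action") != "ConsoleLogin":
            continue
        if ev.get("event.outcome") != "failure":
            continue
        if not mfa_used(ev.get("aws.cloudtrail.additional_eventdata", "")):
            continue  # password-only failures belong to the spraying rule
        ts = datetime.fromisoformat(ev["@timestamp"])
        key = (bucket_start(ts), ev["user.name"], ev["source.ip"])
        stamps[key].add(ts)  # COUNT_DISTINCT(@timestamp)
    return {k: len(v) for k, v in stamps.items() if len(v) >= threshold}


def _event(user: str, ts: str, ip: str, mfa: str, outcome: str = "failure") -> dict:
    """Build a constructed CloudTrail-style record; additionalEventData is
    flattened to a string so the ENDS_WITH check applies (assumption)."""
    return {"event.action": "ConsoleLogin", "event.outcome": outcome,
            "user.name": user, "@timestamp": ts, "source.ip": ip,
            "aws.cloudtrail.additional_eventdata":
                f"LoginTo=https://console.aws.amazon.com/,MobileVersion=No,MFAUsed={mfa}"}


# Constructed sample: five MFA-stage failures for alice inside one window,
# one password-only failure, one isolated failure for bob, one later alice
# failure in the next window, and a final success.
SAMPLE_EVENTS = [
    _event("alice", "2024-05-01T10:02:00+00:00", "198.51.100.5", "Yes"),
    _event("alice", "2024-05-01T10:04:00+00:00", "198.51.100.5", "Yes"),
    _event("alice", "2024-05-01T10:06:00+00:00", "198.51.100.5", "No"),
    _event("alice", "2024-05-01T10:09:00+00:00", "198.51.100.5", "Yes"),
    _event("alice", "2024-05-01T10:15:00+00:00", "198.51.100.5", "Yes"),
    _event("alice", "2024-05-01T10:21:00+00:00", "198.51.100.5", "Yes"),
    _event("bob", "2024-05-01T10:40:00+00:00", "198.51.100.9", "Yes"),
    _event("alice", "2024-05-01T10:45:00+00:00", "198.51.100.5", "Yes"),
    _event("alice", "2024-05-01T10:50:00+00:00", "198.51.100.5", "Yes", outcome="success"),
]

if __name__ == "__main__":
    for (window, user, ip), n in mfa_failure_windows(SAMPLE_EVENTS).items():
        print(f"{window.isoformat()} {user} {ip}: {n} MFA failures")
```

A failure with MFAUsed=Yes means the password was accepted and the second factor was not, so a burst of them from one source is the pattern worth alerting on; the success at 10:50 after the burst is the case to escalate, not suppress.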

1.3. Exploit Public Facing Service

1.3.1. IMDS-enabled VM services

1.3.1.1. data_stream.dataset: network_traffic.http and server.ip: 169.254.169.254 and http.request.method: "GET" and url.path: /latest/meta-data/*

1.3.1.1.1. /latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance

1.3.1.1.2. /latest/meta-data/ami-id

1.3.1.1.3. /latest/meta-data/hostname

1.3.1.1.4. /latest/meta-data/public-ipv4
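The IMDS detection above, re-implemented as an added Python example (not part of the original mind map) over constructed HTTP flow records. It extends the KQL rule with a severity tier: the credential path listed in the map is rated high, and requests without the IMDSv2 token header (IMDSv1 usage, reachable through SSRF-style bugs) are rated above token-bearing ones. The header field layout of the records and the severity labels are assumptions.

```python
"""Added example (not from the original mind map): the IMDS metadata
request detection from the KQL query above, re-implemented in Python over
constructed HTTP flow records, with a severity tier for credential paths
and for token-less (IMDSv1-style) requests."""
from fnmatch import fnmatch
from typing import Iterable, List, Optional

IMDS_ADDRESSES = {"169.254.169.254", "fd00:ec2::254"}  # IPv4 and IPv6 IMDS endpoints
METADATA_GLOB = "/latest/meta-data/*"
# Path family from the mind map that returns instance role credentials.
CREDENTIAL_PREFIXES = ("/latest/meta-data/identity-credentials/",)
# IMDSv2 session token header; its absence marks IMDSv1-style access.
TOKEN_HEADER = "x-aws-ec2-metadata-token"


def classify_imds_request(rec: dict) -> Optional[dict]:
    """Return a finding for GET requests into the IMDS metadata tree, else None.
    Assumes request headers live under rec["http.request.headers"]."""
    if rec.get("data_stream.dataset") != "network_traffic.http":
        return None
    if rec.get("server.ip") not in IMDS_ADDRESSES:
        return None
    if rec.get("http.request.method") != "GET":
        return None
    path = rec.get("url.path", "")
    if not fnmatch(path, METADATA_GLOB):
        return None
    headers = {k.lower(): v for k, v in rec.get("http.request.headers", {}).items()}
    token_less = TOKEN_HEADER not in headers
    if path.startswith(CREDENTIAL_PREFIXES):
        severity = "high"    # role credentials read from the instance
    elif token_less:
        severity = "medium"  # IMDSv1 usage: no session token required
    else:
        severity = "low"     # ordinary IMDSv2 metadata lookup
    return {"client.ip": rec.get("client.ip"), "url.path": path,
            "imdsv1": token_less, "severity": severity}


def scan(records: Iterable[dict]) -> List[dict]:
    """Apply the classifier to a batch of records and keep the findings."""
    return [f for f in map(classify_imds_request, records) if f]


def _rec(path: str, method: str = "GET", server: str = "169.254.169.254",
         headers: Optional[dict] = None) -> dict:
    """Constructed ECS-style HTTP flow record (not real traffic)."""
    return {"data_stream.dataset": "network_traffic.http", "client.ip": "10.0.0.12",
            "server.ip": server, "http.request.method": method,
            "url.path": path, "http.request.headers": headers or {}}


SAMPLE_RECORDS = [
    _rec("/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance"),
    _rec("/latest/meta-data/ami-id",
         headers={"X-aws-ec2-metadata-token": "constructed-token-value"}),
    _rec("/latest/meta-data/hostname"),
    _rec("/latest/dynamic/instance-identity/document"),   # outside the glob
    _rec("/latest/meta-data/public-ipv4", server="10.0.0.5"),  # not IMDS
    _rec("/latest/api/token", method="PUT"),               # token request, not a GET
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

Three of the six constructed records match: the credential path (high), the token-bearing ami-id lookup (low) and the token-less hostname lookup (medium). Enforcing IMDSv2 on the instances removes the medium tier entirely, which is the mitigation to pair with this rule.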