The establishment of a task or job that will execute at a predefined time or based on specific triggers. *Data Collection Measures: * - Windows Event Logs: - Event ID 4698 (Scheduled Task Created) – Detects the creation of new scheduled tasks. - Event ID 4702 (Scheduled Task Updated) – Identifies modifications to existing scheduled jobs. - Event ID 106 (TaskScheduler Operational Log) – Provides details about scheduled task execution. - Sysmon (Windows): - Event ID 1 (Process Creation) – Detects the execution of suspicious tasks started by schtasks.exe, at.exe, or taskeng.exe. - Linux/macOS Monitoring: - AuditD: Monitor modifications to /etc/cron*, /var/spool/cron/, and crontab files. - Syslog: Capture cron job execution logs from /var/log/cron. - OSQuery: Query the crontab and launchd tables for scheduled job configurations. - Endpoint Detection and Response (EDR) Tools: - Track scheduled task creation and modification events. - SIEM & XDR Detection Rules: - Monitor for scheduled jobs created by unusual users. - Detect tasks executing scripts from non-standard directories.

An attempt (successful and failed login attempts) by a user, service, or application to gain access to a network, system, or cloud-based resource. This typically involves credentials such as passwords, tokens, multi-factor authentication (MFA), or biometric validation. Data Collection Measures: - Host-Based Authentication Logs - Windows Event Logs - Event ID 4776 – NTLM authentication attempt. - Event ID 4624 – Successful user logon. - Event ID 4625 – Failed authentication attempt. - Event ID 4648 – Explicit logon with alternate credentials. - Linux/macOS Authentication Logs - /var/log/auth.log, /var/log/secure – Logs SSH, sudo, and other authentication attempts. - AuditD – Tracks authentication events via PAM modules. - macOS Unified Logs – /var/db/diagnostics captures authentication failures. - Cloud Authentication Logs - Azure AD Logs - Sign-in Logs – Tracks authentication attempts, MFA challenges, and conditional access failures. - Audit Logs – Captures authentication-related configuration changes. - Microsoft Graph API – Provides real-time sign-in analytics. - Google Workspace & Office 365 - Google Admin Console – User Login Report tracks login attempts and failures. - Office 365 Unified Audit Logs – Captures logins across Exchange, SharePoint, and Teams. - AWS CloudTrail & IAM - Tracks authentication via AWS IAM AuthenticateUser and sts:GetSessionToken. - Logs failed authentications to AWS Management Console and API requests. - Container Authentication Monitoring - Kubernetes Authentication Logs - kubectl audit logs – Captures authentication attempts for service accounts and admin users. - Azure Kubernetes Service (AKS) and Google Kubernetes Engine (GKE) – Logs IAM authentication events.

Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or providers. Data Collection Measures: - Windows Security Event Logs: - Event ID 5861 (WMI Permanent Event Subscription) - Event ID 5860 (WMI Event Filter Activity) - Event ID 5857 (WMI Event Consumer Activity) - Sysmon Logs: - Sysmon Event ID 19 – WMI Event Filter Created - Sysmon Event ID 20 – WMI Event Consumer Created - Sysmon Event ID 21 – WMI Event Binding Created - Endpoint Detection & Response (EDR) - Detects WMI-based persistence techniques.

The removal of a user, service, or machine account from an operating system, cloud identity management system, or directory service. Data Collection Measures: - Host-Based Logging - Windows Event Logs - Event ID 4726 – A user account was deleted. - Event ID 4733/4735 – A user was removed from a privileged group. - Event ID 1102 – Security log was cleared (potential cover-up). - Linux/macOS Authentication Logs - /var/log/auth.log, /var/log/secure – Logs userdel, deluser, passwd -l. - AuditD – Tracks account deletions via PAM events (userdel). - OSQuery – The users table can detect account removal. - Cloud-Based Logging - Azure AD Logs - Azure AD Audit Logs – Tracks user and service account deletions. - Azure Graph API – Monitors identity changes. - AWS IAM & CloudTrail Logs - DeleteUser, DeleteRole – Tracks IAM user deletion. - DetachRolePolicy – Identifies privilege revocation before deletion. - Google Workspace & Office 365 Logs - Google Admin Console – Logs user removal activities. - Microsoft 365 Unified Audit Log – Captures deleted accounts in Active Directory. - Container & Network Account Deletion Logs - Kubernetes Service Account Deletion - kubectl audit logs – Detects when service accounts are removed from pods. - GKE/Azure AKS Logs – Track containerized identity removals.

Changes made to an existing user, service, or machine account, including alterations to attributes, permissions, roles, authentication methods, or group memberships. Data Collection Measures: - Host-Based Logging - Windows Event Logs - Event ID 4738 – A user account was changed. - Event ID 4725 – A user account was disabled. - Event ID 4724 – An attempt was made to reset an account's password. - Event ID 4767 – A user account was unlocked. - Linux/macOS Authentication Logs - /var/log/auth.log, /var/log/secure – Tracks account modifications (usermod, chage, passwd). - AuditD – Monitors account changes (useradd, usermod, gpasswd). - OSQuery – Queries the users table for recent modifications. - Cloud-Based Logging - Azure AD Logs - Azure AD Audit Logs – Tracks modifications to users and security groups. - Azure Graph API – Captures changes to authentication policies and MFA settings. - AWS IAM & CloudTrail Logs - ModifyUser, UpdateLoginProfile – Captures changes to IAM user attributes. - AttachUserPolicy, AddUserToGroup – Detects policy and group modifications. - Google Workspace & Office 365 Logs - Google Admin Console – Logs account changes, role modifications, and group membership updates. - Microsoft 365 Unified Audit Log – Captures modifications to security settings and privileged account changes. - Container & Network Account Modification Logs - Kubernetes Service Account Changes - kubectl audit logs – Detects service account modifications in Kubernetes clusters. - GKE/Azure AKS Logs – Monitors role and permission changes.

The initial establishment of a new user, service, or machine account within an operating system, cloud environment, or identity management system. Data Collection Measures: - Host-Based Logging - Windows Event Logs - Event ID 4720 – A new user account was created. - Event ID 4732/4735 – A user was added to a privileged group. - Event ID 4798 – Enumeration of user accounts. - Linux/macOS Authentication Logs - /var/log/auth.log, /var/log/secure – Logs useradd, adduser, passwd, and groupmod activities. - AuditD – Detects new account creation via PAM (useradd, usermod). - OSQuery – The users table tracks newly created accounts. - Cloud-Based Logging - Azure AD Logs - Azure AD Audit Logs – Tracks new user and service account creation. - Azure Graph API – Provides logs on new account provisioning. - AWS IAM & CloudTrail Logs - CreateUser, CreateRole – Tracks new IAM user creation. - AttachRolePolicy – Identifies privilege escalation via account creation. - Google Workspace & Office 365 Logs - Google Admin Console – Logs user creation in User Accounts API. - Microsoft 365 Unified Audit Log – Tracks new account provisioning. - Container & Network Account Creation Logs - Kubernetes Account Creation Logs - kubectl audit logs – Detects new service account provisioning. - GKE/Azure AKS Logs – Track new container service accounts.

Initial construction of a virtual machine image within a cloud environment. Virtual machine images are templates containing an operating system and installed applications, which can be deployed to create new virtual machines. Monitoring the creation of these images is important because adversaries may create custom images to include malicious software or misconfigurations for later exploitation. Examples: - Azure Compute Service Image Creation - Example: Creating a virtual machine image in Azure using Azure CLI: az image create --resource-group MyResourceGroup --name MyImage --source MyVM - AWS EC2 AMI (Amazon Machine Image) Creation - Example: Creating an AMI from an EC2 instance: aws ec2 create-image --instance-id i-1234567890abcdef0 --name "MyAMI" --description "An AMI for my app" - Google Cloud Compute Engine Image Creation - Example: Creating a custom image using gcloud: gcloud compute images create my-custom-image --source-disk my-disk --source-disk-zone us-central1-a - VMware vSphere - Example: Exporting a VM to create an OVF (Open Virtualization Format) template: This could later be imported into other environments with potential tampering. This data component can be collected through the following measures: Enable Cloud Platform Logging - Azure: Enable "Activity Logs" to capture image-related events such as PUT requests to Microsoft.Compute/images. - AWS: Use AWS CloudTrail to monitor CreateImage API calls. - Google Cloud: Enable "Cloud Audit Logs" to track custom image creation events under compute.googleapis.com/images. API Monitoring - Monitor API activity to track the creation of new images using: - AWS SDK/CLI CreateImage. - Azure REST API for image creation. - Google Cloud Compute Engine APIs. Cloud SIEM Integration - Ingest cloud platform logs into a centralized SIEM for real-time monitoring and alerting.

When a process or program dynamically attaches a shared library, module, or plugin into its memory space. This action is typically performed to extend the functionality of an application, access shared system resources, or interact with kernel-mode components. Data Collection Measures: - Event Logging (Windows): - Sysmon Event ID 7: Logs when a DLL is loaded into a process. - Windows Security Event ID 4688: Captures process creation events, often useful for correlating module loads. - Windows Defender ATP: Can provide visibility into suspicious module loads. - Event Logging (Linux/macOS): - AuditD (execve and open syscalls): Captures when shared libraries (.so files) are loaded. - Ltrace/Strace: Monitors process behavior, including library calls (dlopen, execve). - MacOS Endpoint Security Framework (ESF): Monitors library loads (ES_EVENT_TYPE_NOTIFY_DYLD_INSERT_LIBRARIES). - Endpoint Detection & Response (EDR): - Provide real-time telemetry on module loads and process injections. - Sysinternals Process Monitor (procmon): Captures loaded modules and their execution context. - Memory Forensics: - Volatility Framework (malfind, ldrmodules): Detects injected DLLs and anomalous module loads. - Rekall Framework: Useful for kernel-mode module detection. - SIEM and Log Analysis: - Centralized log aggregation to correlate suspicious module loads across the environment. - Detection rules using correlation searches and behavioral analytics.

Cloud Storage Enumeration involves retrieving a list of available cloud storage infrastructure, such as buckets, containers, or objects, within a cloud environment. This activity may be performed for legitimate administrative purposes or malicious reconnaissance by adversaries seeking to identify accessible storage resources.Examples: - AWS S3 Bucket Enumeration: An AWS user lists all buckets using the ListBuckets API call. - Azure Blob Storage Container Enumeration: A user retrieves a list of all containers within a storage account using the Azure Storage SDK or API. - Google Cloud Storage Bucket Enumeration: A Google Cloud user lists all buckets within a project using the storage.buckets.list API. - OpenStack Swift Container Enumeration: A user retrieves a list of containers in OpenStack Swift using the GET method on the storage endpoint. This data component can be collected through the following measures: Enable Logging for Cloud Storage Enumeration - AWS S3: Enable AWS CloudTrail to capture ListBuckets and ListObjects API calls. - Azure Blob Storage: Enable Azure Monitor and Diagnostic Logs to capture enumeration operations like List Containers. Use Azure Event Grid to trigger alerts for container enumeration. - Google Cloud Storage: Enable Audit Logs in Google Cloud to track storage.buckets.list API activity. - OpenStack Swift: Configure Swift logging to capture GET requests for container enumeration. Centralized Log Aggregation - Use platforms like Splunk or native SIEM solutions to collect and analyze enumeration logs.

Changes made to a running process, such as writing data into memory, modifying execution behavior, or injecting code into an existing process. Adversaries frequently modify processes to execute malicious payloads, evade detection, or gain escalated privileges. Data Collection Measures: - Endpoint Detection and Response (EDR) Tools: - EDRs can monitor memory modifications and API-level calls. - Sysmon (Windows): - Event ID 8 (CreateRemoteThread) – Detects cross-process thread injection, commonly used in process hollowing. - Event ID 10 (Process Access) – Detects access attempts to another process, often preceding injection attempts. - Linux/macOS Monitoring: - AuditD (ptrace, mmap, mprotect syscalls): Detects memory modifications and debugging attempts. - eBPF/XDP: Monitors low-level system calls related to process modifications. - OSQuery: The processes table can be queried for unusual modifications. - Network-Based Monitoring: - Zeek (Bro) Logs: Captures lateral movement attempts where adversaries remotely modify a process. - Syslog/OSSEC: Monitors logs for suspicious modifications.

Calls made by a process to operating system-provided Application Programming Interfaces (APIs). These calls are essential for interacting with system resources such as memory, files, and hardware, or for performing system-level tasks. Monitoring these calls can provide insight into a process's intent, especially if the process is malicious. Data Collection Measures: - Endpoint Detection and Response (EDR) Tools: - Leverage tools to monitor API execution behaviors at the process level. - Example: Sysmon Event ID 10 captures API call traces for process access and memory allocation. - Process Monitor (ProcMon): - Use ProcMon to collect detailed logs of process and API activity. ProcMon can provide granular details on API usage and identify malicious behavior during analysis. - Windows Event Logs: - Use Event IDs from Windows logs for specific API-related activities: - Event ID 4688: A new process has been created (can indirectly infer API use). - Event ID 4657: A registry value has been modified (to monitor registry-altering APIs). - Dynamic Analysis Tools: - Tools like Cuckoo Sandbox, Flare VM, or Hybrid Analysis monitor API execution during malware detonation. - Host-Based Logs: - On Linux/macOS systems, leverage audit frameworks (e.g., auditd, strace) to capture and analyze system call usage that APIs map to. - Runtime Monitors: - Runtime security tools like Falco can monitor system-level calls for API execution. - Debugging and Tracing: - Use debugging tools like gdb (Linux) or WinDbg (Windows) for deep tracing of API executions in real time.

Cloud Storage Modification involves tracking changes made to cloud storage infrastructure, including updates to settings, permissions, or stored data. Examples include modifying object access control lists (ACLs), uploading new objects, or updating bucket policies. Examples: AWS S3: An object is uploaded or its ACL is modified. - Azure Blob Storage: A blob's metadata or permissions are updated. - Google Cloud Storage: An object's lifecycle policy is updated, or a bucket policy is changed. - OpenStack Swift: Modifications to container settings or uploading of new objects. This data component can be collected through the following measures: Enable Logging - AWS S3: Enable AWS CloudTrail to log API events like PutObject, PutObjectAcl, and PutBucketPolicy. - Azure Blob Storage: Use Azure Monitor to log write and update operations. - Google Cloud Storage: Enable Google Cloud Audit Logs to track storage.objects.update and storage.buckets.update. - OpenStack Swift: Enable logging for PUT and POST requests to track object uploads and container metadata updates. Use Cloud Monitoring Tools - Integrate with tools like AWS Config, Azure Security Center, or Google Cloud Monitoring to detect configuration drift or unauthorized changes. Centralized Log Aggregation - Use a SIEM (e.g., Splunk) to aggregate logs across multiple cloud providers for unified monitoring and analysis. Periodic API Queries - AWS CLI Example: Query recent modifications to bucket policies: aws s3api get-bucket-policy --bucket sensitive-data - Azure CLI Example: List changes to a blob container: az storage blob show --container-name private-docs - Google Cloud CLI Example: Check metadata updates: gcloud storage objects describe gs://user-uploads/document.txt

Cloud Storage Creation refers to the initial creation of a new cloud storage resource, such as buckets, containers, or directories, within a cloud environment. This action is critical to track as it might indicate the legitimate provisioning of resources or unauthorized actions taken by adversaries to stage, store, or exfiltrate data. Examples: - AWS S3 Bucket Creation: An AWS user creates a new S3 bucket using the CreateBucket API call. - Azure Blob Storage Container Creation: A user creates a new container in Azure Blob Storage using the Create Container operation. - Google Cloud Storage Bucket Creation: A Google Cloud user creates a new bucket using storage.buckets.create. - OpenStack Swift Container Creation: A user creates a new container in OpenStack Swift using the PUT method. This data component can be collected through the following measures: Enable Logging for Cloud Storage Services - AWS S3: Enable AWS CloudTrail to log CreateBucket API actions. - Azure Blob Storage: Enable Azure Monitor and Diagnostic Logs for storage account activity. Use Azure Event Grid to capture Create Container operations. - Google Cloud Storage: Enable Data Access logs in Cloud Audit Logs to monitor storage.buckets.create API calls. - OpenStack Swift: Configure Swift logging to capture PUT requests to new containers. Centralized Logging and Analysis - Forward logs to centralized platforms like Splunk or cloud-native SIEM solutions for correlation and analysis.

Cloud storage access refers to the retrieval or interaction with data stored in cloud infrastructure. This data component includes activities such as reading, downloading, or accessing files and objects within cloud storage systems. Common examples include API calls like GetObject in AWS S3, which retrieves objects from cloud buckets. Examples: - AWS S3 Access: An adversary uses the GetObject API to retrieve sensitive data from an AWS S3 bucket. - Azure Blob Storage Access: A user accesses a blob in Azure Storage using Get Blob or Get Blob Properties. - Google Cloud Storage Access: An adversary uses storage.objects.get to download objects from - OpenStack Swift Storage Access: A user retrieves an object from OpenStack Swift using the GET method. This data component can be collected through the following measures: Enable Logging for Cloud Storage Services - AWS S3: Enable Server Access Logging to capture API calls like GetObject and store them in a designated S3 bucket. - Azure Storage: Enable Azure Storage Logging to capture operations like GetBlob and log metadata. - Google Cloud Storage: Enable Data Access audit logs for storage.objects.get API calls. - OpenStack Swift: Configure middleware for object logging to capture GET requests. Centralize and Aggregate Logs - Use a centralized logging solution (e.g., Splunk, ELK, or a cloud-native SIEM) to ingest and analyze logs from different cloud providers. - AWS Example: Use AWS CloudTrail to collect API activity logs and forward them to your SIEM. - Azure Example: Use Azure Monitor and Log Analytics to analyze storage access logs. Correlate with IAM Logs - Combine storage access logs with IAM activity logs to correlate user actions with specific permissions and identities.

Cloud Storage Metadata provides contextual information about cloud storage infrastructure and its associated activity. This data may include attributes such as storage name, size, owner, permissions, creation date, region, and activity metadata. It is essential for monitoring, auditing, and identifying anomalies in cloud storage environments. Examples: - AWS S3 Bucket Metadata: Metadata about an S3 bucket includes the bucket name, region, creation date, owner, storage class, and permissions. - Azure Blob Storage Metadata: Metadata for an Azure Blob container includes container name, access level (e.g., private or public), size, and tags. - Google Cloud Storage Metadata: Metadata includes bucket name, storage class, location, labels, lifecycle policies, and versioning status. - OpenStack Swift Metadata: Metadata for a Swift container includes name, access level, quota, and custom attributes. This data component can be collected through the following measures: Enable Logging for Metadata Collection - AWS S3: Use AWS CloudTrail to log GetBucketAcl, GetBucketPolicy, and HeadBucket API calls. - Azure Blob Storage: Use Azure Monitor to log container metadata retrieval and updates. - Google Cloud Storage: Enable Google Cloud Audit Logs to capture storage.buckets.get and storage.buckets.update. - OpenStack Swift: Enable logging of HEAD or GET requests to containers. Centralized Log Aggregation - Use a SIEM solution (e.g., Splunk) to aggregate and analyze metadata retrieval and modification logs. - Correlate metadata access with user actions, IP addresses, and other contextual data. API Polling - Use cloud SDKs or APIs to periodically query metadata for analysis: - AWS CLI Example: aws s3api get-bucket-acl --bucket company-sensitive-data - Azure CLI Example: az storage container show --name customer-records - Google Cloud CLI Example: gcloud storage buckets describe user-uploads

contextual information associated with a virtual machine image, such as its name, resource group, status (active or inactive), type (custom or prebuilt), size, creation date, and permissions. This metadata is critical for understanding the state and configuration of virtual machine images in cloud environments. Examples: - Azure Compute Service Image Metadata Example: - Name: MyCustomImage - Resource Group: MyResourceGroup - State: Available - Type: Managed Image - AWS EC2 AMI Metadata Example: - Image ID: ami-1234567890abcdef0 - Name: ProdImage - State: Available - Platform: Windows - Google Cloud Compute Engine Image Metadata Example: - Image Name: webserver-image - Project: my-project-id - Family: webserver - Source Disk: my-disk-id - VMware vSphere Template Metadata Example: - Name: LinuxTemplate - Disk Size: 40GB - Network Adapter: VM Network This data component can be collected through the following measures: Cloud Platform-Specific Tools - Azure: - Use Azure CLI to query metadata: az image show --name MyCustomImage --resource-group MyResourceGroup - AWS: - Use AWS CLI to describe AMI metadata: aws ec2 describe-images --image-ids ami-1234567890abcdef0 - Google Cloud: - Use Google Cloud SDK to retrieve image metadata: gcloud compute images describe webserver-image APIs - Azure: GET /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/images/{imageName} - AWS: DescribeImages API. - Google Cloud: GET https://compute.googleapis.com/compute/v1/projects/{project}/global/images/{image}. Cloud Management Portals - View metadata directly from the cloud provider's management console or dashboard. SIEM Integration - Aggregate metadata into SIEM platforms for centralized monitoring:

The execution of a text file that contains code via the interpreter. Data Collection Measures: - Windows Event Logs: - Event ID 4104 (PowerShell Script Block Logging) – Captures full command-line execution of PowerShell scripts. - Event ID 4688 (Process Creation) – Detects script execution by tracking process launches (powershell.exe, wscript.exe, cscript.exe). - Event ID 5861 (Script Execution) – Captures script execution via Windows Defender AMSI logging. - Sysmon (Windows): - Event ID 1 (Process Creation) – Monitors script execution initiated by scripting engines. - Event ID 11 (File Creation) – Detects new script files written to disk before execution. - Endpoint Detection and Response (EDR) Tools: - Track script execution behavior, detect obfuscated commands, and prevent malicious scripts. - PowerShell Logging: - Enable Module Logging: Logs all loaded modules and cmdlets. - Enable Script Block Logging: Captures complete PowerShell script execution history. - SIEM Detection Rules: - Detect script execution with obfuscated, encoded, or remote URLs. - Alert on script executions using -EncodedCommand or iex(iwr).

Refers to the event in which a new process (executable) is initialized by an operating system. This can involve parent-child process relationships, process arguments, and environmental variables. Monitoring process creation is crucial for detecting malicious behaviors, such as execution of unauthorized binaries, scripting abuse, or privilege escalation attempts. Data Collection Measures: - Endpoint Detection and Response (EDR) Tools: - EDRs provide process telemetry, tracking execution flows and arguments. - Windows Event Logs: - Event ID 4688 (Audit Process Creation): Captures process creation with associated parent process. - Sysmon (Windows): - Event ID 1 (Process Creation): Provides detailed logging - Linux/macOS Monitoring: - AuditD (execve syscall): Logs process creation. - eBPF/XDP: Used for low-level monitoring of system calls related to process execution. - OSQuery: Allows SQL-like queries to track process events (process_events table). - Apple Endpoint Security Framework (ESF): Monitors process creation on macOS. - Network-Based Monitoring: - Zeek (Bro) Logs: Captures network-based process execution related to remote shells. - Syslog/OSSEC: Tracks execution of processes on distributed systems. - Behavioral SIEM Rules: - Monitor process creation for uncommon binaries in user directories. - Detect processes with suspicious command-line arguments.

The exit or termination of a running process on a system. This can occur due to normal operations, user-initiated commands, or malicious actions such as process termination by malware to disable security controls. Data Collection Measures: - Endpoint Detection and Response (EDR) Tools: - Monitor process termination events. - Windows Event Logs: - Event ID 4689 (Process Termination) – Captures when a process exits, including process ID and parent process. - Event ID 7036 (Service Control Manager) – Monitors system service stops. - Sysmon (Windows): - Event ID 5 (Process Termination) – Detects when a process exits, including parent-child relationships. - Linux/macOS Monitoring: - AuditD (execve, exit_group, kill syscalls) – Captures process termination via command-line interactions. - eBPF/XDP: Monitors low-level system calls related to process termination. - OSQuery: The processes table can be queried for abnormal exits.

Application Log Content refers to logs generated by applications or services, providing a record of their activity. These logs may include metrics, errors, performance data, and operational alerts from web, mail, or other applications. These logs are vital for monitoring application behavior and detecting malicious activities or anomalies. Examples: - Web Application Logs: These logs include information about requests, responses, errors, and security events (e.g., unauthorized access attempts). - Email Application Logs: Logs contain metadata about emails sent, received, or blocked (e.g., sender/receiver addresses, message IDs). - SaaS Application Logs: Activity logs include user logins, configuration changes, and access to sensitive resources. - Cloud Application Logs: Logs detail control plane activities, including API calls, instance modifications, and network changes. - System/Application Monitoring Logs: Logs provide insights into application performance, errors, and anomalies. This data component can be collected through the following measures: Configure Application Logging - Enable logging within the application or service. - Examples: - Web Servers: Enable access and error logs in NGINX or Apache. - Email Systems: Enable audit logging in Microsoft Exchange or Gmail. Centralized Log Management - Use log management solutions like Splunk, or a cloud-native logging solution. - Configure the application to send logs to a centralized system for analysis. Cloud-Specific Collection - Use services like AWS CloudWatch, Azure Monitor, or Google Cloud Operations Suite for cloud-based applications. - Ensure logging is enabled for all critical resources (e.g., API calls, IAM changes). SIEM Integration - Integrate application logs with a SIEM platform (e.g., Splunk, QRadar) for real-time correlation and analysis. - Use parsers to standardize log formats and extract key fields like timestamps, user IDs, and error codes.

A new file is created on a system or network storage. This action often signifies an operation such as saving a document, writing data, or deploying a file. Logging these events helps identify legitimate or potentially malicious file creation activities. Examples include logging file creation events (e.g., Sysmon Event ID 11 or Linux auditd logs). This data component can be collected through the following measures: Windows - Sysmon: Event ID 11: Logs file creation events, capturing details like the file path, hash, and creation time. - Windows Event Log: Enable "Object Access" auditing in Group Policy to track file creation under Event ID 4663. - PowerShell: Real-time monitoring of file creation:Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663} Linux - Auditd: Use audit rules to monitor file creation: auditctl -w /path/to/directory -p w -k file_creation - View logs: ausearch -k file_creation - Inotify: Monitor file creation with inotifywait: inotifywait -m /path/to/watch -e create macOS - Unified Logs: Use the macOS Unified Logging System to capture file creation events. - FSEvents: Use File System Events to monitor file creation: fs_usage | grep create Network Devices - NAS Logs: Monitor file creation events on network-attached storage devices. - SMB Logs: Collect logs of file creation activities over SMB/CIFS protocols. SIEM Integration - Forward logs from all platforms (Windows, Linux, macOS) to a SIEM for central analysis and alerting.

Refers to events where files are removed from a system or storage device. These events can indicate legitimate housekeeping activities or malicious actions such as attackers attempting to cover their tracks. Monitoring file deletions helps organizations identify unauthorized or suspicious activities. This data component can be collected through the following measures: Windows - Sysmon: Event ID 23: Logs file deletion events, including details such as file paths and responsible processes. - Windows Event Log: Enable "Object Access" auditing to monitor file deletions. - PowerShell: Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663} | Where-Object {$_.Message -like '*DELETE*'} Linux - Auditd: Use audit rules to capture file deletion events: auditctl -a always,exit -F arch=b64 -S unlink -S rename -S rmdir -k file_deletion - Query logs: ausearch -k file_deletion - Inotify: Use inotifywait to monitor file deletions: inotifywait -m /path/to/watch -e delete macOS - Endpoint Security Framework (ESF): Monitor events like ESEVENTTYPEAUTHUNLINK to capture file deletion activities. - FSEvents: Track file deletion activities in real-time: fs_usage | grep unlink SIEM Integration - Forward file deletion logs to a SIEM for centralized monitoring and correlation with other events.

The activity of assigning a new drive letter or creating a mount point for a data storage device, such as a USB, network share, or external hard drive, enabling access to its content on a host system. Examples: - USB Drive Insertion: A USB drive is plugged in and automatically assigned the letter E:\ on a Windows machine. - Network Drive Mapping: A network share \\server\share is mapped to the drive Z:\. - Virtual Drive Creation: A virtual disk is mounted on /mnt/virtualdrive using an ISO image or a virtual hard disk (VHD). - Cloud Storage Mounting: Google Drive is mounted as G:\ on a Windows machine using a cloud sync tool. - External Storage Integration: An external HDD or SSD is connected and assigned /mnt/external on a Linux system. This data component can be collected through the following measures: Windows Event Logs - Relevant Events: - Event ID 98: Logs the creation of a volume (mount or new drive letter assignment). - Event ID 1006: Logs removable storage device insertions. - Configuration: Enable "Removable Storage Events" in the Group Policy settings: Computer Configuration > Administrative Templates > System > Removable Storage Access Linux System Logs - Command-Line Monitoring: Use dmesg or journalctl to monitor mount events. - Auditd Configuration: Add audit rules to track mount points. - Logs can be reviewed in /var/log/audit/audit.log. macOS System Logs - Unified Logs: Monitor system logs for mount activity: - Command-Line Tools: Use diskutil list to verify newly created or mounted drives. Endpoint Detection and Response (EDR) Tools - EDR solutions can log removable drive usage and network-mounted drives. Configure EDR policies to alert on suspicious drive creation events. SIEM Tools - Centralize logs from multiple platforms into a SIEM (e.g., Splunk) to correlate and alert on suspicious drive creation activities.

Querying and extracting a list of available firewalls or their associated configurations and rules. This activity can occur across host systems and cloud control planes, providing insight into the state and configuration of firewalls that protect the environment. Examples: - Querying Host-Based Firewalls: Using Windows PowerShell commands like Get-NetFirewallRule or Linux commands such as iptables -L or firewalld --list-all. - Cloud Firewall Rule Listing: Running commands like az network firewall list for Azure or aws ec2 describe-security-groups for AWS. - Using Management APIs: Leveraging APIs like Google Cloud Firewall's list API method or AWS's DescribeSecurityGroups API. Identifying Misconfigurations: Extracting firewall rules to identify “allow all” policies or rules that lack logging. - Enumerating with CLI Tools: Using CLI commands like gcloud compute firewall-rules list to extract firewall settings in Google Cloud. This data component can be collected through the following measures: Cloud Control Plane - Azure Activity Logs:Collect logs from Azure Firewall to monitor rule listing commands. Enable logging for az network firewall commands. - AWS CloudTrail: Monitor calls to DescribeSecurityGroups or DescribeNetworkAcls APIs. Google Cloud Operations Suite: Collect logs for gcloud compute firewall-rules list or API calls to firewalls.list. Host-Based Firewalls - Windows Event Logs: Use PowerShell transcription logs to capture commands like Get-NetFirewallRule. - Linux Auditd: Track executions of commands like iptables -L or ufw status using auditd: auditctl -a always,exit -F arch=b64 -S execve -k firewall_enum - macOS: Monitor logs for firewall-related queries via the Console app or log monitoring tools. SIEM Integration - Collect logs from endpoints and cloud platforms to centralize data and detect enumeration activity. Endpoint Detection and Response (EDR) - Use EDR tools to track enumeration commands or API calls performed on managed devices. CSPM Tools - Deploy Cloud Security Posture Management tools to monitor for unauthorized enumeration of firewall rules or configurations.

The action of opening a specific Windows Registry key, typically to read its associated value. This activity can be used for system configuration, application settings retrieval, and security policies. Data Collection Measures: - Windows Event Logs - Event ID 4656 - Handle to an Object was Requested: Logs attempts to open registry keys. - Event ID 4663 - An Object was Accessed: Captures read/write operations on registry keys. - Event ID 4657 - Registry Value Modification: Useful for detecting changes to registry keys after being accessed. - Sysmon - Sysmon Event ID 13 - Registry Value Set: Captures modifications to existing registry keys. - Endpoint Detection and Response (EDR) Solutions - Provide telemetry on registry key access activities, especially when linked to suspicious processes.

Refers to the act of accessing a data storage device, such as a hard drive, SSD, USB, or network-mounted drive. This data component logs the opening or mounting of drives, capturing activities such as reading, writing, or executing files within an assigned drive letter (e.g., C:\, /mnt/drive) or mount point. Examples: - Removable Drive Insertion: A USB drive is inserted, assigned the letter F:\, and files are accessed. - Network Drive Mounting: A network share \\server\share is mapped to the drive Z:\. - External Hard Drive Access: An external drive is connected, mounted at /mnt/backup, and accessed for copying files. - System Volume Access: The system volume C:\ is accessed for modifications to critical files. - Cloud-Synced Drives: Cloud storage drives like OneDrive or Google Drive are accessed via local mounts. This data component can be collected through the following measures: Windows Event Logs - Relevant Events: - Event ID 4663: Logs access to file or folder objects. - Event ID 4656: Tracks a handle to an object like a drive or file. - Configuration: - Enable auditing for "Object Access" in Local Security Policy. - Use Group Policy for broader deployment: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access Linux System Logs - Command-Line Monitoring: Use the dmesg or journalctl command to monitor drive mount/unmount events. - Auditd Configuration: Add an audit rule for drive access: auditctl -w /mnt/drive -p rwxa -k drive_access - Review logs via /var/log/audit/audit.log. macOS System Logs - Command-Line Monitoring: Use diskutil list or fs_usage to monitor drive access and mount points. - Unified Logs: Query unified logs using log show for drive-related activities: log show --info | grep "mount" Endpoint Detection and Response (EDR) Tools - Use EDR solutions to monitor drive activities and collect detailed forensic data. SIEM Tools - Ingest logs from endpoints to detect drive access patterns. Configure rules to alert on unusual or unauthorized drive access.

To events where a file is opened or accessed, making its contents available to the requester. This includes reading, executing, or interacting with files by authorized or unauthorized entities. Examples include logging file access events (e.g., Windows Event ID 4663), monitoring file reads, and detecting unusual file access patterns. Examples: - File Read Operations: A user opens a sensitive document (e.g., financial_report.xlsx) on a shared drive. - File Execution: A script or executable file is accessed and executed (e.g., malware.exe is run from a temporary directory). - Unauthorized File Access: An unauthorized user attempts to access a protected configuration file (e.g., /etc/passwd on Linux or System32 files on Windows). - File Access Patterns: Bulk access to multiple files in a short time (e.g., mass access to documents on a file server). - File Access via Network: Files on a network share are accessed remotely (e.g., logs of SMB file access). This data component can be collected through the following measures: Windows - Windows Event Logs: Event ID 4663: Captures file system auditing details, including who accessed the file, access type, and file name. - Sysmon: - Event ID 11: Logs file creation time changes. - Event ID 1 (process creation): Can provide insight into files executed. - PowerShell: Commands to monitor file access in real-time: Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663} Linux - Auditd: Monitor file access events using audit rules: auditctl -w /path/to/file -p rwxa -k file_access - View logs: ausearch -k file_access - Inotify: Use inotify to track file access on Linux: inotifywait -m /path/to/watch -e access macOS - Unified Logs: Monitor file access using the macOS Unified Logging System. - FSEvents: File System Events can track file accesses: fs_usage | grep open Network Devices - SMB/CIFS Logs: Monitor file access over network shares using logs from SMB or CIFS protocol. - NAS Logs: Collect logs from network-attached storage systems for file access events. SIEM Integration - Collect file access logs from all platforms (Windows, Linux, macOS) and centralize in a SIEM for correlation and analysis.

Initial construction of a new registry key within the Windows operating system. Data Collection Measures: - Windows Event Logs - Event ID 4656 - Registry Object Handle Requested: Tracks registry key access, including newly created keys. - Event ID 4657 - Registry Value Modification: Detects modifications to an existing registry key after creation. - Sysmon (System Monitor) for Windows - Sysmon Event ID 12 - Registry Key Created: Logs when a new registry key is created.

The process of taking a point-in-time copy of a cloud storage volume (files, settings, configurations, etc.), virtual machine (VM), or database that can be created and deployed in cloud environments. Data Collection Measures: - Cloud Platform Logs (IaaS) - AWS CloudTrail Logs: Monitor API calls related to snapshot creation (CreateSnapshot). - Azure Monitor Logs: Track snapshot creation (Microsoft.Compute/snapshots/write). - Google Cloud Logging: Detect compute.disks.createSnapshot.

contextual information about a file, including attributes such as the file's name, size, type, content (e.g., signatures, headers, media), user/owner, permissions, timestamps, and other related properties. File metadata provides insights into a file's characteristics and can be used to detect malicious activity, unauthorized modifications, or other anomalies. Examples: - File Ownership and Permissions: Checking the owner and permissions of a critical configuration file like /etc/passwd on Linux or C:\Windows\System32\config\SAM on Windows. - Timestamps: Analyzing the creation, modification, and access timestamps of a file. - File Content and Signatures: Extracting the headers of an executable file to verify its signature or detect packing/obfuscation. - File Attributes: Analyzing attributes like hidden, system, or read-only flags in Windows. - File Hashes: Generating MD5, SHA-1, or SHA-256 hashes of files to compare against threat intelligence feeds. - File Location: Monitoring files located in unusual directories or paths, such as temporary or user folders. This data component can be collected through the following measures: Windows - Sysinternals Tools: Use AccessEnum or PSFile to retrieve metadata about file access and permissions. - Windows Event Logs: Enable object access auditing and monitor events like 4663 (Object Access) and 5140 (A network share object was accessed). - PowerShell: Use Get-Item or Get-ChildItem cmdlets: Get-ChildItem -Path "C:\Path\To\Directory" -Recurse | Select-Object Name, Length, LastWriteTime, Attributes Linux - File System Commands: Use ls -l or stat to retrieve file metadata: stat /path/to/file - Auditd: Configure audit rules to log metadata access: auditctl -w /path/to/file -p wa -k file_metadata - Filesystem Integrity Tools: Tools like tripwire or AIDE (Advanced Intrusion Detection Environment) can monitor file metadata changes. macOS - FSEvents: Use FSEvents to track file metadata changes. - Endpoint Security Framework (ESF): Capture metadata-related events via ESF APIs. - Command-Line Tools: Use ls -l or xattr for file attributes: ls -l@ /path/to/file SIEM Integration - Forward file metadata logs from endpoint or network devices to a SIEM for centralized analysis.

Changes made to a file, including updates to its contents, metadata, access permissions, or attributes. These modifications may indicate legitimate activity (e.g., software updates) or unauthorized changes (e.g., tampering, ransomware, or adversarial modifications). Examples: - Content Modifications: Changes to the content of a configuration file, such as modifying /etc/ssh/sshd_config on Linux or C:\Windows\System32\drivers\etc\hosts on Windows. - Permission Changes: Altering file permissions to allow broader access, such as changing a file from 644 to 777 on Linux or modifying NTFS permissions on Windows. - Attribute Modifications: Changing a file's attributes to hidden, read-only, or system on Windows. - Timestamp Manipulation: Adjusting a file's creation or modification timestamp using tools like touch in Linux or timestomping tools on Windows. - Software or System File Changes: Modifying system files such as boot.ini, kernel modules, or application binaries. This data component can be collected through the following measures: Windows - Event Logs: Enable file system auditing to monitor file modifications using Security Event ID 4670 (File System Audit) or Sysmon Event ID 2 (File creation time changed). - PowerShell: Use Get-ItemProperty or Get-Acl cmdlets to monitor file properties: Get-Item -Path "C:\path\to\file" | Select-Object Name, Attributes, LastWriteTime Linux - File System Monitoring: Use tools like auditd with rules to monitor file modifications: auditctl -w /path/to/file -p wa -k file_modification - Inotify: Use inotifywait to watch for real-time changes to files or directories: inotifywait -m /path/to/file macOS - Endpoint Security Framework (ESF): Monitor file modification events using ESF APIs. - Audit Framework: Configure audit rules to track file changes. - Command-Line Tools: Use fs_usage to monitor file activities: fs_usage -w /path/to/file SIEM Tools - Collect logs from endpoint agents (e.g., Sysmon, Auditd) and file servers to centralize file modification event data.

Command Execution involves monitoring and capturing the execution of textual commands (including shell commands, cmdlets, and scripts) within an operating system or application. These commands may include arguments or parameters and are typically executed through interpreters such as cmd.exe, bash, zsh, PowerShell, or programmatic execution. Examples: - Windows Command Prompt - dir – Lists directory contents. - net user – Queries or manipulates user accounts. - tasklist – Lists running processes. - PowerShell - Get-Process – Retrieves processes running on a system. - Set-ExecutionPolicy – Changes PowerShell script execution policies. - Invoke-WebRequest – Downloads remote resources. - Linux Shell - ls – Lists files in a directory. - cat /etc/passwd – Reads the user accounts file. - curl http://malicious-site.com – Retrieves content from a malicious URL. - Container Environments - docker exec – Executes a command inside a running container. - kubectl exec – Runs commands in Kubernetes pods. - macOS Terminal - open – Opens files or URLs. - dscl . -list /Users – Lists all users on the system. - osascript -e – Executes AppleScript commands. This data component can be collected through the following measures: Enable Command Logging - Windows: - Enable PowerShell logging: Set-ExecutionPolicy Bypass, Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 - Enable Windows Event Logging: - Event ID 4688: Tracks process creation, including command-line arguments. - Event ID 4104: Logs PowerShell script block execution. - Linux/macOS: - Enable shell history logging in .bashrc or .zshrc: export HISTTIMEFORMAT="%d/%m/%y %T ", export PROMPT_COMMAND='history -a; history -w' - Use audit frameworks (e.g., auditd) to log command executions. Example rule to log all execve syscalls: -a always,exit -F arch=b64 -S execve -k cmd_exec - Containers: - Use runtime-specific tools like Docker’s --log-driver or Kubernetes Audit Logs to capture exec commands. Integrate with Centralized Logging - Collect logs using a SIEM (e.g., Splunk) or cloud-based log aggregation tools like AWS CloudWatch or Azure Monitor. Example Splunk Search for Windows Event 4688: index=windows EventID=4688 CommandLine=* Use Endpoint Detection and Response (EDR) Tools - Monitor command executions via EDR solutions Deploy Sysmon for Advanced Logging (Windows) - Use Sysmon's Event ID 1 to log process creation with command-line arguments

Changes made to an existing service or daemon, such as modifying the service name, start type, execution parameters, or security configurations. *Data Collection Measures: * - Windows Event Logs - Event ID 7040 - Detects modifications to the startup behavior of a service. - Event ID 7045 - Can capture changes made to existing services. - Event ID 7036 - Tracks when services start or stop, potentially indicating malicious tampering. - Event ID 4697 - Can detect when an adversary reinstalls a service with different parameters. - Sysmon Logs - Sysmon Event ID 13 - Detects changes to service configurations in the Windows Registry (e.g., HKLM\SYSTEM\CurrentControlSet\Services\). - Sysmon Event ID 1 - Can track execution of sc.exe or PowerShell Set-Service. - PowerShell Logging - Event ID 4104 (Script Block Logging) - Captures execution of commands like Set-Service, New-Service, or sc config. - Command-Line Logging (Event ID 4688) - Tracks usage of service modification commands: - sc config <service_name> start= auto - sc qc <service_name> - Linux/macOS Collection Methods - Systemd Journals (journalctl -u <service_name>) Tracks modifications to systemd service configurations. - Daemon Logs (/var/log/syslog, /var/log/messages, /var/log/daemon.log) Captures changes to service state and execution parameters. - AuditD Rules for Service Modification - Monitor modifications to /etc/systemd/system/ for new or altered service unit files: auditctl -w /etc/systemd/system/ -p wa -k service_modification - Track execution of systemctl or service commands: auditctl -a always,exit -F arch=b64 -S execve -F a0=systemctl -F key=service_mod - OSQuery for Linux/macOS Monitoring - Query modified services using OSQuery’s processes or system_info tables: SELECT * FROM systemd_units WHERE state != 'running'; - macOS Launch Daemon/Agent Modification - Monitor for changes in: - /Library/LaunchDaemons/ - /Library/LaunchAgents/ - Track modifications to .plist files indicating persistence attempts.

Changes to AD objects (e.g., users, groups, OUs) are logged as Event ID 5136 (Object Modification) or 5163 (Attribute Changes). Examples: - User Account: Modifying attributes (e.g., group membership, enabling/disabling accounts). - Group Membership: Adding/removing members. - OU: Changing properties/permissions (e.g., delegation). - Service Account: Modifying SPNs or other attributes. - Object Attributes: Changes to passwords, logon hours, or control flags. Data Collection Measures: - Audit Policy: - Enable "Audit Directory Service Changes" (Success and Failure). - Path: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Directory Service Changes. - Key Events: 5136 (modifications), 5163 (attribute changes). - Log Forwarding: - Use WEF to centralize logs for SIEM. - Parse logs to extract: Object Name, Attribute Changed, Initiator Account Name. - Enable EDR Monitoring: - Detect changes to critical attributes (e.g., memberOf, logonHours). - Track processes modifying directory service objects (e.g., Set-ADUser or dsmod). - Enable EDR Monitoring: - Detect changes to critical attributes (e.g., memberOf, logonHours). - Track processes modifying directory service objects (e.g., Set-ADUser or dsmod).

The successful establishment of a new user session following a successful authentication attempt. This typically signifies that a user has provided valid credentials or authentication tokens, and the system has initiated a session associated with that user account. This data is crucial for tracking authentication events and identifying potential unauthorized access. Examples: - Windows Systems - Event ID: 4624 - Logon Type: 2 (Interactive) or 10 (Remote Interactive via RDP). - Account Name: JohnDoe - Source Network Address: 192.168.1.100 - Authentication Package: NTLM - Linux Systems - /var/log/utmp or /var/log/wtmp: - Log format: login user [tty] from [sourceip] - User: jane - IP: 10.0.0.5 - Timestamp: 2024-12-28 08:30:00 - macOS Systems - /var/log/asl.log or unified logging framework: - Log: com.apple.securityd: Authentication succeeded for user 'admin' - Cloud Environments - Azure Sign-In Logs: - Activity: Sign-in successful - Client App: Browser - Location: Unknown (Country: X) - Google Workspace - Activity: Login - Event Type: successfullogin - Source IP: 203.0.113.55 This data component can be collected through the following measures: - Windows Systems - Event Logs: Monitor Security Event Logs using Event ID 4624 for successful logons. - PowerShell Example: Get-EventLog -LogName Security -InstanceId 4624 - Linux Systems - Log Files: Monitor /var/log/utmp, /var/log/wtmp, or /var/log/auth.log for logon events. - Tools: Use last or who commands to parse login records. - macOS Systems - Log Sources: Monitor /var/log/asl.log or Apple Unified Logs using the log show command. - Command Example: log show --predicate 'eventMessage contains "Authentication succeeded"' --info - Cloud Environments - Azure AD: Use Azure Monitor to analyze sign-in logs. Example CLI Query: az monitor log-analytics query -w <workspace_id> --analytics-query "AzureActivity | where ActivityStatus == 'Success' and OperationName == 'Sign-in'" - Google Workspace: Enable and monitor Login Audit logs from the Admin Console. - Office 365: Use Audit Log Search in Microsoft 365 Security & Compliance Center for login-related events. - Network Logs - Sources: Network authentication mechanisms (e.g., RADIUS or TACACS logs). - Enable EDR Monitoring: - EDR tools monitor logon session activity, including the creation of new sessions. - Configure alerts for: Suspicious logon types (e.g., Logon Type 10 for RDP or Type 5 for Service). Logons from unusual locations, accounts, or devices. - Leverage EDR telemetry for session attributes like source IP, session duration, and originating process.

Cloud service modification refers to changes made to the configuration, settings, or data of a cloud service. These modifications can include administrative changes such as enabling or disabling features, altering permissions, or deleting critical components. Monitoring these changes is critical to detect potential misconfigurations or malicious activity. Examples: - AWS Cloud Service Modifications: A user disables AWS CloudTrail logging (StopLogging) or deletes a CloudWatch configuration rule (DeleteConfigRule). - Azure Cloud Service Modifications: Changes to Azure Role-Based Access Control (RBAC) roles, such as adding a new Contributor role to a sensitive resource. - Google Cloud Service Modifications: Deletion of a Google Cloud Storage bucket or disabling a Google Cloud Function. - Office 365 Cloud Service Modifications: Altering mailbox permissions or disabling auditing in Microsoft 365. This data component can be collected through the following measures: Enable Cloud Audit Logging - AWS: Enable AWS CloudTrail for logging management events such as StopLogging or DeleteTrail. - Azure: Use Azure Activity Logs to monitor resource changes and access actions. - Google Cloud: Enable Google Cloud Audit Logs to track API calls, resource modifications, and policy changes. - Office 365: Use Unified Audit Logs in Microsoft Purview to track administrative actions. Centralize Log Storage - Consolidate logs from all cloud providers into a SIEM or CSPM (Cloud Security Posture Management) tool. - Example: Use Splunk or Elastic Stack to ingest and analyze logs from AWS, Azure, and Google Cloud. Automate Alerts for Sensitive Changes - Configure alerts for high-risk actions, such as disabling logging or modifying IAM roles. - AWS Example: Use AWS Config rules to detect and notify changes to critical services. - Azure Example: Set up Azure Monitor alerts for write actions on sensitive resources. Enable Continuous Monitoring - Use tools like AWS Security Hub, Azure Defender, or Google Chronicle to continuously monitor cloud service modifications for anomalies.

Cloud service metadata refers to the contextual and descriptive information about cloud services, including their name, type, purpose, configuration, and activity around them. This metadata is essential for understanding the roles and functions of cloud services, their operational status, and their potential misuse. Examples: - Azure Service Metadata: Metadata describing a resource in Azure, such as an Azure Storage Account or a Virtual Machine. - AWS Cloud Service Metadata: Metadata for an AWS EC2 instance collected using the DescribeInstances API call. - Google Cloud Service Metadata: Metadata for a Google Compute Engine instance collected using gcloud compute instances describe. - Office 365 Metadata: Metadata about an Office 365 SharePoint site. This data component can be collected through the following measures: Enable Cloud Metadata APIs - Leverage APIs provided by cloud providers to query metadata about services. - AWS: Use AWS CLI or SDKs for DescribeInstances, DescribeBuckets, etc. - Azure: Use az resource list or SDKs. - Google Cloud: Use gcloud compute instances describe or related commands. - Office 365: Use Microsoft Graph API. Centralize Metadata in a Security Platform - Aggregate metadata from multiple clouds into a SIEM or CSPM (Cloud Security Posture Management) tool. - Example: Integrate AWS CloudTrail with Splunk or Azure Monitor with Sentinel. Enable Continuous Monitoring - Set up automated jobs or workflows to regularly query and update metadata. - Example: Use AWS Config to track resource configurations and changes over time. Configure Access and Logging - Enable logging for API queries to ensure access and usage of metadata are monitored. - Example: Use AWS CloudTrail to log API activity for metadata queries. Use Cloud Security Tools - Employ CSPM tools like Prisma Cloud, Wiz, or Dome9 to gather metadata and identify misconfigurations. - Example: Prisma Cloud provides consolidated views of metadata for resources across AWS, Azure, and GCP.

"Container Creation" data component captures details about the initial construction of a container in a containerized environment. This includes events where a new container is instantiated, such as through Docker, Kubernetes, or other container orchestration platforms. Monitoring these events helps detect unauthorized or potentially malicious container creation. Examples: - Docker Example: docker create my-container, docker run --name=my-container nginx:latest - Kubernetes Example: kubectl run my-pod --image=nginx, kubectl create deployment my-deployment --image=nginx - Cloud Container Services Example - AWS ECS: Task or service creation (RunTask or CreateService). - Azure Container Instances: Deployment of a container group. - Google Kubernetes Engine (GKE): Creation of new pods via GCP APIs. This data component can be collected through the following measures: - Docker Audit Logging: Enable Docker daemon logging to capture create commands. Configure the Docker daemon to use a log driver such as syslog or json-file. - Kubernetes Audit Logs: Enable Kubernetes API server audit logging: - Cloud Provider Logs - AWS CloudTrail: Enable logging for ECS RunTask or CreateService events. - Azure Monitor: Enable activity logging for container group creation. - GCP Cloud Logging: Monitor API calls such as container.projects.zones.clusters.create. - SIEM Integration: Use a SIEM to collect logs from Docker, Kubernetes, or cloud platforms.

The initial provisioning and construction of a virtual machine (VM) or compute instance within a cloud infrastructure environment. This activity involves defining and allocating resources such as CPU, memory, storage, and networking to spin up a new compute instance. Examples: - AWS: creating an EC2 instance using RunInstances API calls. - Azure, creating a VM through the Azure Resource Manager (ARM). - GCP, an instance.insert action recorded. Data Collection Measures: - AWS CloudTrail: CloudTrail logs stored in S3 or accessible via CloudWatch. - Azure Activity Logs: Accessible in Azure Monitor or exported to a storage account. - GCP Audit Logs: Logs Explorer or BigQuery.

Summarized network packet data that captures session-level details such as source/destination IPs, ports, protocol types, timestamps, and data volume, without storing full packet payloads. This is commonly used for traffic analysis, anomaly detection, and network performance monitoring. Data Collection Measures: - Network Flow Logs (Metadata Collection) - NetFlow - Summarized metadata for network conversations (no packet payloads). - sFlow (Sampled Flow Logging) - Captures sampled packets from switches and routers. - Used for real-time traffic monitoring and anomaly detection. - Zeek (Bro) Flow Logs - Zeek logs session-level details in logs like conn.log, http.log, dns.log, etc. - Host-Based Collection - Sysmon Event ID 3 – Network Connection Initiated - Logs process-level network activity, useful for detecting malicious outbound connections. - AuditD (Linux) – syscall=connect - Monitors system calls for network connections. auditctl -a always,exit -F arch=b64 -S connect -k network_activity - Cloud & SaaS Flow Monitoring - AWS VPC Flow Logs - Captures metadata for traffic between EC2 instances, security groups, and internet gateways. - Azure NSG Flow Logs / Google VPC Flow Logs - Logs ingress/egress traffic for cloud-based resources.

The process of attaching a driver, which is a software component that allows the operating system and applications to interact with hardware devices, to either user-mode or kernel-mode of a system. This can include benign actions (e.g., hardware drivers) or malicious behavior (e.g., rootkits or unsigned drivers). Examples: - Legitimate Driver Loading: A new graphics driver from a vendor like NVIDIA or AMD is loaded into the system. - Unsigned Driver Loading: A driver without a valid digital signature is loaded into the kernel. - Rootkit Installation: A malicious rootkit driver is loaded to manipulate kernel-mode processes. - Anti-Virus or EDR Driver Loading: An Endpoint Detection and Response (EDR) solution loads its driver to monitor system activities. - Driver Misuse: A legitimate driver is loaded and exploited to execute malicious actions, such as using vulnerable drivers for bypassing defenses (e.g., Bring Your Own Vulnerable Driver (BYOVD) attacks). This data component can be collected through the following measures: Windows - Sysmon Logs: - Event ID 6: Captures driver loading activity, including file path, hashes, and signature information. - Configuration: Ensure Sysmon is configured with a ruleset that monitors driver loading events - Windows Event Logs: Enable "Audit Kernel Object" to capture kernel-related driver loading events. Linux - Auditd: Configure audit rules to capture driver loading events: auditctl -w /lib/modules/ -p rwxa -k driver_load - Kernel Logs (dmesg): Use dmesg to monitor driver-related activities: dmesg | grep "module" - Syslog or journald: Review logs for module insertion or removal activities. macOS - Unified Logs: Use the macOS unified logging system to monitor kext (kernel extension) loads: log show --predicate 'eventMessage contains "kext load"' - Endpoint Security Framework: Monitor driver loading via third-party security tools that leverage Apple’s Endpoint Security Framework. SIEM Tools - Ingest driver load logs from Sysmon, Auditd, or macOS unified logs into a centralized SIEM (e.g., Splunk). - Create rules to detect unsigned drivers, rootkit activity, or known vulnerable drivers. EDR Solutions - Use EDR tools to detect and alert on anomalous driver loading activity.

The initiation or activation of a virtual machine instance within a cloud infrastructure. This action typically involves starting an existing instance that had been stopped or paused, allowing it to resume operation. Examples: - Google Cloud Platform (GCP): Starting an instance through instance.start API activity. - AWS: Logging of StartInstances in AWS CloudTrail for EC2 instances. - Azure: Microsoft.Compute/virtualMachines/start entries indicate a VM instance being started. Data Collection Measures: - Google Cloud Platform: Enable GCP Audit Logs for Compute Engine. - Log Event: Look for instance.start entries in Cloud Logging. - Amazon Web Services (AWS): AWS CloudTrail. - Log Event: Search for StartInstances events associated with EC2. - Microsoft Azure: Azure Activity Logs. - Log Event: Filter for Microsoft.Compute/virtualMachines/start operations.

Removal of a virtual machine (VM) or compute instance within a cloud infrastructure. This activity results in the termination and deletion of the allocated resources (e.g., CPU, memory, storage), making the instance unavailable for future use. Examples: - AWS: instance deletion involves the TerminateInstances API call, which is recorded in CloudTrail logs. - Azure: VM deletion can be monitored via Azure Activity Logs, showing the Microsoft.Compute/virtualMachines/delete operation. - GCP: instance deletion is logged as an instance.delete operation within GCP Audit Logs. *Data Collection Measures: - AWS CloudTrail: CloudTrail logs stored in S3 or forwarded to CloudWatch. - Azure Activity Logs: Accessible via Azure Monitor or exported to a storage account. - GCP Audit Logs: Logs Explorer or BigQuery.

Cloud service enumeration involves listing or querying available cloud services in a cloud control plane. This activity is often performed to identify resources such as virtual machines, storage buckets, compute clusters, or other services within a cloud environment. Examples include API calls like AWS ECS ListServices, Azure ListAllResources, or Google Cloud ListInstances. Examples: AWS Cloud Service Enumeration: The adversary gathers details about existing ECS services to identify opportunities for privilege escalation or exfiltration. - Azure Resource Enumeration: The adversary collects information about virtual machines, resource groups, and other Azure assets for reconnaissance purposes. - Google Cloud Resource Enumeration: The attacker seeks to map the environment and find misconfigured or underutilized resources for exploitation. - Office 365 Service Enumeration: The attacker may look for data repositories or collaboration tools to exfiltrate sensitive information. This data component can be collected through the following measures: Enable Cloud Activity Logging - Ensure cloud service logs are enabled for API calls and resource usage. - Example: Enable AWS CloudTrail, Azure Monitor, or Google Cloud Logging to track resource queries. Centralize Logs in a SIEM - Aggregate logs from cloud control planes into a centralized SIEM (e.g., Splunk, Azure Sentinel). - Example: Collect AWS CloudTrail logs and set up alerts for API calls related to service enumeration. Use Native Cloud Security Tools - Leverage cloud-native security solutions like AWS GuardDuty, Azure Defender, or Google Security Command Center. - Example: Use GuardDuty to detect anomalous API activity, such as ListServices being executed by an unknown user. Implement Network Flow Logging - Monitor and analyze VPC flow logs to identify lateral movement or enumeration activity. - Example: Inspect flow logs for unexpected traffic between compute instances and the cloud control plane. API Access Monitoring - Monitor API keys and tokens used for enumeration to identify misuse or compromise. - Example: Use AWS Secrets Manager or Azure Key Vault to manage and rotate keys securely.

Requests for authentication credentials via Kerberos or other methods like NTLM and LDAP queries. Examples: - Kerberos TGT and Service Tickets (Event IDs 4768, 4769) - NTLM Authentication Events - LDAP Bind Requests Data Collection Measures: - Security Event Logging: - Enable "Audit Kerberos Authentication Service" or "Audit Kerberos Service Ticket Operations." - Captured Events: IDs 4768, 4769, 4624. - Windows Event Forwarding (WEF): Forward domain controller logs to SIEM. - SIEM Integration: Use tools like Splunk or Azure Sentinel for log analysis. - Kerberos Debug Logging: - Registry Key: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters. - Set DWORD LogLevel to 1. - Azure AD Logs: Monitor Sign-In Logs for authentication and policy issues. - Enable EDR Monitoring: - Use EDR to detect suspicious processes querying authentication mechanisms (e.g., lsass.exe memory access).

Creating new objects in AD, such as user accounts, groups, organizational units (OUs), or trust relationships. Logged as Event ID 5137. Examples: - User Account Creation: New user account. - Group Creation: New security/distribution group. - OU Creation: New organizational unit. - Service Account Creation: New service account for automation or malicious tasks. - Trust Object Creation: Trust relationship with another domain. Data Collection Measures: - Audit Policy: - Enable "Audit Directory Service Changes" (Success and Failure). - Path: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Directory Service Changes. - Key Event: Event ID 5137 (object creation). - Log Forwarding: Use WEF to centralize logs for SIEM tools (e.g., Splunk). - Enable EDR Monitoring: - Track processes that create new accounts or modify AD objects. - Correlate object creation with suspicious commands (e.g., net user /add).

This data component refers to monitoring actions that deactivate or stop a cloud service in a cloud control plane. Examples include disabling essential logging services like AWS CloudTrail (StopLogging API call), Microsoft Azure Monitor Logs, or Google Cloud's Operations Suite (formerly Stackdriver). Disabling such services can hinder visibility into adversary activities within the cloud environment. Examples: - AWS CloudTrail StopLogging: This action stops logging of API activity for a particular trail, effectively reducing the monitoring and visibility of AWS resources and activities. - Microsoft Azure Monitor Logs: Disabling these logs hinders the organization’s ability to detect anomalous activities and trace malicious actions. - Google Cloud Logging: Disabling cloud logging removes visibility into resource activity, preventing monitoring of service access or configuration changes. - SaaS Applications: Stopping logging removes visibility into user activities, such as email access or file downloads, enabling undetected malicious behavior. This data component can be collected through the following measures: Enable and Monitor Cloud Service Logging - Ensure logging is enabled for all cloud services, including administrative actions like StopLogging. - Example: Use AWS Config to verify that CloudTrail is enabled and enforce logging as a compliance rule. API Monitoring - Use API monitoring tools to detect calls like StopLogging or equivalent service-stopping actions in other platforms. - Example: Monitor AWS CloudWatch for specific API events such as StopLogging and flag unauthorized users. SIEM Integration - Collect logs and events from the cloud control plane into a centralized SIEM for real-time analysis and correlation. - Example: Ingest AWS CloudTrail logs into Splunk or Azure Monitor logs into Sentinel. Cloud Security Posture Management (CSPM) Tools - Leverage CSPM tools like Prisma Cloud, Dome9, or AWS Security Hub to detect misconfigurations or suspicious activity, such as disabled logging. - Example: Set alerts for changes to logging configurations in CSPM dashboards. Configure Alerts in Cloud Platforms - Create native alerts in cloud platforms to detect service stoppages. - Example: Configure an AWS CloudWatch alarm to trigger when StopLogging is invoked.

"Container Enumeration" data component captures events and actions related to listing and identifying active or available containers within a containerized environment. This includes information about running, stopped, or configured containers, such as their names, IDs, statuses, or associated images. Monitoring this activity is crucial for detecting unauthorized discovery or reconnaissance efforts. Examples: - Docker Example: docker ps, docker ps -a - Kubernetes Example: kubectl get pods, kubectl get deployments - Cloud Container Services Example - AWS ECS: API Call: ListTasks or ListContainers - Azure Kubernetes Service: API Call: List pod or container instances. - Google Kubernetes Engine (GKE): API Call: Retrieve deployments and their associated containers. This data component can be collected through the following measures: - Docker Audit Logging: Enable Docker daemon logging to capture enumeration commands. Use tools like auditd to monitor terminal activity involving docker ps or similar commands. - Kubernetes Audit Logs: Enable Kubernetes API server audit logging. Capture events where users query resources such as pods, deployments, or services. - Cloud Provider Logs - AWS CloudTrail: Enable logging for API calls like ListTasks or DescribeTasks. - Azure Monitor: Enable activity logging to track container-related queries. - GCP Cloud Logging: Track API events involving container enumerations or deployments. - SIEM Integration: Collect logs from Docker, Kubernetes, and cloud services for centralized analysis.

The initial provisioning of block storage volumes in cloud or on-prem environments, typically used for data storage, backup, or workload scaling. Data Collection Measures: - Cloud-Based Logging & Monitoring - AWS CloudTrail - CreateVolume – Logs the creation of new Amazon Elastic Block Store (EBS) volumes. - RunInstances – Can be correlated to detect automatic volume provisioning. - Azure Monitor & Log Analytics - Microsoft.Compute/disks/write – Captures creation of new managed/unmanaged disks. - Microsoft.Storage/storageAccounts/write – Detects creation of new Azure Blob Storage volumes. - Google Cloud Logging (GCP) - compute.disks.insert – Tracks new persistent disk creation. - compute.instances.attachDisk – Logs attachment of a volume to a running VM. - OpenStack Logs - volume.create – Captures new storage volume provisioning. - cinder.volume.create – Logs OpenStack Cinder block storage creation. - Host-Based & SIEM Detection - Linux/macOS System Logs - /var/log/syslog & /var/log/messages – Detects new mount points or attached storage. - dmesg | grep "new disk" – Identifies kernel messages for volume attachment. - AuditD: Tracks mkfs (filesystem creation) for new volume provisioning. - Windows Event Logs - Event ID 1006 (Storage Management Events) – Captures disk volume creation. - Event ID 5145 (Object Access: File Share) – Detects access to newly created storage shares.

Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145) Data Collection Measures: - Windows: - Event ID 5140 – Network Share Object Access Logs every access attempt to a network share. - Event ID 5145 – Detailed Network Share Object Access Captures granular access control information, including the requesting user, source IP, and access permissions. - Sysmon Event ID 3 – Network Connection Initiated Helps track SMB connections to suspicious or unauthorized network shares. - Enable Audit Policy for Network Share Access: auditpol /set /subcategory:"File Share" /success:enable /failure:enable - Enable PowerShell Logging to Detect Unauthorized SMB Access: Set-ExecutionPolicy RemoteSigned - Restrict Network Share Access with Group Policy (GPO): Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment Set "Access this computer from the network" to restrict unauthorized accounts. - Linux/macOS: - AuditD (open, read, write, connect syscalls) Detects access to NFS, CIFS, and SMB network shares. - Lsof (lsof | grep nfs or lsof | grep smb) Identifies active network share connections. - Mount (mount | grep nfs or mount | grep cifs) Lists currently mounted network shares. - Enable AuditD for SMB/NFS Access: auditctl -a always,exit -F arch=b64 -S open -F path=/mnt/share -k network_share_access - Monitor Active Network Shares Using Netstat: netstat -an | grep :445 - Endpoint Detection & Response (EDR): - Detects abnormal network share access behavior, such as unusual account usage, large file transfers, or encrypted file activity.

Captured network traffic that provides details about responses received during an internet scan. This data includes both protocol header values (e.g., HTTP status codes, IP headers, or DNS response codes) and response body content (e.g., HTML, JSON, or raw data). Examples: - HTTP Scan: A web server responds to a probe with an HTTP 200 status code and an HTML body indicating the default page is accessible. - DNS Scan: A DNS server replies to a query with a resolved IP address for a domain, along with details like Time-To-Live (TTL) and authoritative information. - TCP Banner Grab: A service listening on a port (e.g., SSH or FTP) responds with a banner containing service name, version, or other metadata. Data Collection Measures: - Network Traffic Monitoring: - Deploy packet capture tools like Wireshark, tcpdump, or Suricata to log both headers and body content of response traffic. - Use network appliances like firewalls, intrusion detection systems (IDS), or intrusion prevention systems (IPS) with logging enabled to capture scan responses. - Cloud Logging Services: - AWS VPC Flow Logs: Capture metadata about network flows, including source and destination, protocol, and response codes. - GCP Packet Mirroring: Use mirrored packets to analyze responses. - Azure NSG Flow Logs: Record network traffic flow information for analysis. - Specific Tools: - Zmap or Masscan: Can perform internet-wide scans and collect response content for analysis. - Nmap: Use custom scripts to capture and log detailed response data during scans.