GCP

Artifact Analysis performs vulnerability scans on artifacts in Artifact Registry or Container Registry (deprecated). When Artifact Analysis is deployed, it can detect known Linux OS package vulnerabilities in various containers (e.g., Debian, Ubuntu, Alpine, RHEL, CentOS).

Artifact Analysis scans container images uploaded to Artifact Registry or Container Registry (deprecated) for known software vulnerabilities and various system artifacts that could potentially be used to execute adversary-controlled code. Due to the medium threat protection coverage and temporal factor, this control was scored as partial.

Artifact Analysis scans container images uploaded to Artifact Registry or Container Registry (deprecated) for vulnerabilities that could potentially be used to escalate privileges, such as default accounts with root permissions in Docker containers. Due to the medium threat protection coverage and scan results being available 48 hours after completion, this control was scored as partial.

Artifact Analysis performs vulnerability scans on artifacts in Artifact Registry or Container Registry (deprecated). When Artifact Analysis is deployed, it can detect known vulnerabilities in various OS packages that could be used to escalate privileges and execute adversary-controlled code (e.g., Debian, Ubuntu, Alpine, RHEL, CentOS, National Vulnerability Database). Due to the medium threat detection coverage and temporal factor, the control was scored as partial.

Artifact Analysis performs vulnerability scans on artifacts in Artifact Registry or Container Registry (deprecated). When Artifact Analysis is deployed, this security solution can detect known vulnerabilities in Docker containers. This information can be used to detect images that deviate from the baseline norm, and could indicate a malicious implanted images in the environment. Due to the medium threat detection coverage and temporal factor, the control was scored as partial.

Artifact Analysis performs vulnerability scans on artifacts in Artifact Registry or Container Registry (deprecated). When Artifact Analysis is deployed, it can scan for known vulnerabilities in containers. This information can be used to detect malicious deployed containers used to evade defenses and execute processes in a target environment. Due to the medium threat detection coverage and temporal factor, the control was scored as partial.

Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block communication with known fallback channels by filtering based on known bad IP addresses and domains. This mapping is given a score of Partial because it only protects against known fallback channels and not channels yet to be identified.

Google Security Ops is able to trigger an alert based off processes and command-line arguments that may indicate adversary reconnaissance and information discovery techniques for network configuration settings (e.g., "net config", "ipconfig.exe", "nbtstat.exe). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/possible_system_network_configuration_discovery__sysmon_windows_logs.yaral

Google Security Ops is able to trigger an alert based off processes and command-line arguments that may indicate adversary reconnaissance and information discovery techniques for network configuration settings (e.g., "net config", "ipconfig.exe", "nbtstat.exe). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/possible_system_network_configuration_discovery__sysmon_windows_logs.yaral

Mandiant Attack Surface Management continuously discovers and assesses an organization's assets for vulnerabilities, misconfigurations, and exposures. This control can discover vulnerable Remote Services offered on the cloud or on hosted servers. Since this monitoring is continual and is derived from Mandiant cyber threat intelligence, this control is scored as significant.

This control can be used to detect adversaries that may be trying to log into cloud services.

This control can be used to detect adversaries that may try to use Valid Accounts to log into remote machines using cloud native methods such as Secure Shell (SSH).

Google Security Operations is able to detect an alert based on system events, such as remote connections.

Google Security Operations can can be configured to detect calls to functions like GetProcAddress() and LoadLibrary().

Google Cloud IDS can detect network-based threats like malicious software.

Google Security Operations can can be configured to detect suspicious syntax or characters in commands.

Google Security Operations is able to trigger an alert based on creation or changes of registry keys and run keys found on Windows platforms.

Google Cloud IDS can detect network-based threats like malicious software.

Google Cloud IDS can detect network-based threats like malicious software.

Google Cloud IDS can detect network-based threats like malicious software.

Google Cloud IDS can detect network-based threats like malicious software.

Google Security Operations is able to trigger an alert based on abnormal command execution from otherwise non-executable file types (such as .txt and .jpg).

Google Security Operations is able to trigger an alert based on abnormal API calls such as fork().

Google Security Operations is able to trigger an alert based on abnormal API calls.

Google Security Ops is able to trigger an alert based on system events of interest, for example: suspicious Entra ID login access and usage. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_certutil_command.yaral

Google Security Operations is able to trigger an alert based on suspicious behavior seen in the Windows command line.

Google Security Operations is able to trigger an alert based on suspicious behavior seen in the Windows command line.

Google Security Operations is able to trigger an alert when indicators are cleared from the infrastructure. This technique was scored as minimal based on low or uncertain detection coverage factor.

Google Security Operations is able to trigger an alert when indicators are cleared from the infrastructure. This technique was scored as minimal based on low or uncertain detection coverage factor.

Google Security Operations is able to trigger an alert when indicators are cleared from the infrastructure. This technique was scored as minimal based on low or uncertain detection coverage factor.

Google Security Operations is able to trigger an alert when indicators are cleared from the infrastructure. This technique was scored as minimal based on low or uncertain detection coverage factor.

Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block malicious or unwanted traffic leveraging application layer protocols. Given this supports all sub-techniques, the mapping is given a score of Significant.

Mandiant Digital Threat Monitoring continually monitors for compromised credentials and data leaks on both the open and dark web. This control may protect against credential abuse by alerting on leaked credentials. Since this control must depend on accessible sources for dumps, it does not protect against credentials that have been collected for a campaign but never posted, so the score is partial.

Google Security Operations is able to trigger an alert based on changes account device registrations.

SCC ingests Cloud Audit logs to detect when permissions are changed in a privileged group (i.e., modify group to public) with sensitive permissions or roles. This security solution protects against compromised cloud accounts used to maintain persistence. Because of the near-real time temporal factor to detect against this cyber-attack the control was graded as significant.

Google Security Operations triggers an alert based on common command line arguments for DFSVC.EXE which is used by adversaries to execute code through ClickOnce applications. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/mixed_other/security/possible_msbuild_abuse__via_cmdline.yaral

Mandiant Attack Surface Management continuously discovers and assesses an organization's assets for vulnerabilities, misconfigurations, and exposures. This control can discover vulnerable Remote Services offered on the cloud or on hosted servers. Since this monitoring is continual and is derived from Mandiant cyber threat intelligence, this control is scored as significant.

Mandiant Attack Surface Management continuously discovers and assesses an organization's assets for vulnerabilities, misconfigurations, and exposures. This control can discover vulnerable Remote Services offered on the cloud or on hosted servers. Since this monitoring is continual and is derived from Mandiant cyber threat intelligence, this control is scored as significant.

Assured OSS provides Google OSS packages built with security features to help improve the security of a software supply chain, including vulnerability testing, signed provenance, and secured distribution.

Mandiant Digital Threat Monitoring continually monitors for compromised credentials and data leaks on both the open and dark web. This control may protect against credential abuse by alerting on leaked credentials. Since this control must depend on accessible sources for dumps, it does not protect against credentials that have been collected for a campaign but never posted, so the score is partial.

Assured OSS provides Google OSS packages built with security features to help improve the security of a software supply chain, including vulnerability testing, signed provenance, and secured distribution.

Assured OSS provides Google OSS packages built with security features to help improve the security of a software supply chain, including vulnerability testing, signed provenance, and secured distribution.

Mandiant Digital Threat Monitoring continually monitors for compromised credentials and data leaks on both the open and dark web. This control may protect against credential abuse by alerting on leaked credentials. Since this control must depend on accessible sources for dumps, it does not protect against credentials that have been collected for a campaign but never posted, so the score is partial.

Cloud NGFW can filter traffic and detect these socket filters before they get attached. However, if the threat is past the firewall, those measures are unable to stop the filters, leading to the score of partial.

Confidential VM main memory encryption is performed using dedicated hardware within the memory controllers. Confidential VM generates encryption keys in dedicated hardware which is inaccessible to the hypervisor, protecting against Exploitation for Credential Access from outside the VM.

The access controls in Cloud Identity, such as MFA, can help to prevent an adversary from accessing internal software such as CRM tools, protecting customer data. However, if the adversary is able to access the system, Cloud Identity is not able to protect this data, leading to a score of partial.

The access controls in Cloud Identity, such as MFA, can help to prevent an adversary from accessing internal software such as messaging tools, protecting customer data. However, if the adversary is able to access the system, Cloud Identity is not able to protect this data, leading to a score of partial.

The access controls in Cloud Identity, such as MFA, can help to prevent an adversary from accessing internal software such as SyncAppvPublishingServer, protecting customer data. However, if the adversary is able to access the system, Cloud Identity is not able to protect this data, leading to a score of partial.

Google Security Ops is able to trigger an alert based on suspicious behavior in Windows with the use of regsvr32.exe and a possible fileless attack via this executable. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/ole_controls_registered_via_regsvr32_exe__sysmon_behavior.yaral https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/process_creation/fileless_attack_via_regsvr32_exe.yaral

Google Security Operations can detect the creation of new processes, potentially revealing the existence of a mutex. This is rated as partial due to potential guardrails against detection impacting the reliability of the tool.

Backup and DR-Actifio GO is a copy data management plaform that virtualizes application data to improve an organizations resiliency and cloud mobility. This capability allows an organization to take regular backups and provides several methods of restoring applications and/or VM data to a previous state. This provides significant ability to respond to a Data Destruction event since an organization could easily restore lost data back to the latest backup.

SCC detect compromised hosts that attempt to connect to known malicious crypto-mining domains and IP addresses. Because of the near-real time temporal factor to detect against this cyber-attack the control was graded as significant.

SCC detect compromised hosts that attempt to connect to known malicious crypto-mining domains and IP addresses. Because of the near-real time temporal factor to detect against this cyber-attack the control was graded as significant.

SCC detect compromised hosts that attempt to connect to known malicious crypto-mining domains and IP addresses. Because of the near-real time temporal factor to detect against this cyber-attack the control was graded as significant.

SCC detect compromised hosts that attempt to connect to known malicious crypto-mining domains and IP addresses. Because of the near-real time temporal factor to detect against this cyber-attack the control was graded as significant.

Google Security Operations is able to trigger alerts based off command execution (e.g. reg.exe or termsrv.dll).

This control is able to scan cloud storage objects for sensitive data and transform that data into a secure or nonsensitive form. It is able to scan for a variety of common sensitive data types, such as API keys, credentials, or credit card numbers. The de-identified service lets you obfuscate instances of sensitive data before they can be transmitted for sharing.

Google Security Operations is able to trigger alerts based off executed commands like docker run or podman run.

Google Security Operations is able to trigger alerts based on executed commands and arguments that may be related to abuse of installer packages.

Google Security Operations is able to trigger alerts based on executed commands that create or modify files where the udev rules are located.

Google Security Ops is able to trigger an alert based on when excessive permissions are assigned to an Entra ID application or privileged roles are assigned to user accounts. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/mitre_attack/T1564_001_macos_hidden_files_and_directories.yaral

Google Security Operations can alert based on processes like AuthorizationExecuteWithPrivileges.

Confidential VM main memory encryption is performed using dedicated hardware within the memory controllers. Confidential VM can be used with Google Kubernetes Engine Nodes to encrypt data in-use for these workloads.

Google Cloud's HSM may protect against adversary's attempts to leverage passwords and unsecure credentials found in files on compromised systems.Variations of this technique are difficult to mitigate, so a partial score was granted for this control's medium to high coverage factor.

Google Security Operations can prevent those with insufficient privileges from accessing the secrets manager, as well as detect modifications to user privileges that may allow them access. This was ranked as partial as it cannot prevent a compromised account with those permissions from accessing the secrets manager.

Advanced Protection Program enables the use of a security key for multi-factor authentication. Integrating multi-factor authentication as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information.

Advanced Protection Program enables the use of a security key for multi-factor authentication. Integrating multi-factor authentication as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information.

Advanced Protection Program enables the use of a security key for multi-factor authentication. Integrating multi-factor authentication as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information.

Advanced Protection Program enables the use of a security key for multi-factor authentication. Even in the event of compromised credentials, the lack of a security key would prevent an adversary from accessing the account. This leads to significant protection against the technique.

The audit capabilities within Google Security Operations Center may be able to detect if Multi-Factor Authentication was disabled, allowing that change to be reverted. This was scored as partial because there is still a window of time in which an adversary can make use of the disabled MFA.

Advanced Protection Program enables the use of a security key for multi-factor authentication. Even in the event of compromised credentials, the lack of a security key would prevent an adversary from accessing the account. This leads to significant protection against the technique.

Advanced Protection Program enables the use of a security key for multi-factor authentication. Even in the event of compromised credentials, the lack of a security key would prevent an adversary from accessing the account. This leads to significant protection against the technique.

Advanced Protection Program enables the use of a security key for multi-factor authentication. Even in the event of compromised credentials, the lack of a security key would prevent an adversary from accessing the account. This leads to significant protection against the technique.

This control may mitigate against Adversary-in-the-Middle by providing certificates for internal endpoints and applications to use with asymmetric encryption. This control may also provide authentication for user identity for VPN or zero trust networking.

Cloud NGFW can be configured with firewall rules to mitigate DHCP Spoofing.

Google Security Operations is able to trigger alerts based off inovcation of utilities (like auditctl).

Google Security Operations is able to trigger alerts based off command-line arguments and suspicious system processes.

Chrome Enterprise Premium provides Data Loss Prevention (DLP) features that can detect and block sensitive data for files that are uploaded and downloaded and for content that is pasted or dragged and dropped via the Chrome browser. This can provide protection against adversaries that may try to steal data over network protocols.

Google Security Operations can be configured to detect if a webhook-creating command is run.

Google Search Operations can alert based on Windows API calls such as WriteProcessMemory() and NtQueryInformationProcess().

Google Security Operations is able to trigger an alert based on changes to the infrastructure (e.g., VPC network changes). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/gcp_cloudaudit/gcp_vpc_network_changes.yaral

Policy Intelligence role recommendations generated by IAM Recommender help admins remove unwanted access to GCP resources by using machine learning to make smart access control recommendations. With Recommender, security teams can automatically detect overly permissive access and rightsize them based on similar users in the organization and their access patterns. This control may mitigate adversaries that try to gain access to permissions from modifying infrastructure components.

SCC detect changes to the cloud infrastructure and resources which could indicate malicious behavior (e.g., delete instances, create snapshot, revert cloud instance). This security solution protects against modifications potentially used to remove evidence and evade defenses. Because of the near-real time temporal factor and high detection coverage this control was graded as significant.

Mandiant Attack Surface Management continuously discovers and assesses an organization's assets for vulnerabilities, misconfigurations, and exposures. This control can discover vulnerable Remote Services offered on the cloud or on hosted servers. Since this monitoring is continual and is derived from Mandiant cyber threat intelligence, this control is scored as significant.

Google Security Operations can be configured to detect on Google App Scripts.

This control can be used to mitigate cloud account creation.

This control can be used to mitigate malicious attacks of cloud accounts by implementing multi-factor authentication techniques or password policies.

Mandiant Digital Threat Monitoring continually monitors for compromised credentials and data leaks on both the open and dark web. This control may protect against Gather Victim Org Information by alerting on custom data leaks. Since this control must depend on accessible sources for dumps, it does not protect against data that has been collected for a campaign but never posted, so the score is partial.

Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against active scanning.

The Identity Platform can establish limits and quotas for MFA.

Google Security Operations is able to trigger alerts based off API calls (such as IsDebuggerPresent()).

Google Security Operations is able to trigger alerts based on executed commands that modify files where plists are typically located.

Google Security Operations can be configured to detect on Google App Scripts.

GCP Identity and Access Management allows admins to set permissions based on accounts and account types.

Google Security Operations is able to trigger alerts based on executed commands that access where certificates are typically stored (e.g. %APPDATA%\Microsoft\SystemCertificates\My\Certificates\).

IAM can be configured to minimize permissions to users and prevent unnecessary access to the gcloud CLI.

Google Security Operations is able to trigger alerts based off API calls (such as EnumDeviceDrivers()) that may attempt to gather information about local device drivers.

Google Security Operations is able to trigger alerts based off use of utilities used to enumerate logs (like wevutil.exe).

IAM can be configured to minimize permissions to users and prevent unnecessary access to logs.

Cloud VPN encrypts data in transit, restricting an adversary's ability to inject content.

IAM can be configured to minimize permissions to users and limit users' ability to add, delete, or modify resource groups.

Google Security Operations is able to detect suspicious command-line process attempted to escalate privileges. Examples of credential access system events include: (e.g.,"re.regex($selection.target.registry.registry_value_data, `.*DumpCreds.*`) or re.regex($selection.target.registry.registry_value_data, `.*Mimikatz.*`) or re.regex($selection.target.registry.registry_value_data, `.*PWCrack.*`) or $selection.target.registry.registry_value_data = "HTool/WCE" or re.regex($selection.target.registry.registry_value_data, `.*PSWtool.*`) or re.regex($selection.target.registry.registry_value_data, `.*PWDump.*`)). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/antivirus/antivirus_password_dumper_detection.yaral

Google SecOps is able to detect suspicious command-line process attempted to escalate privileges. For example: access credential material stored in the procecss memory of the Local Security Authority Subsystem Service (LSASS) on Windows machines (e.g., lsass\.exe). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/tree/main/soc_prime_rules/threat_hunting/windows

Google SecOps is able to trigger an alert based on process creations and attacks against the NTDS database on Windows platforms (e.g., execution of "ntdsutil.exe") This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/tree/main/soc_prime_rules/threat_hunting/windows

Google SecOps is able to trigger an alert based off suspicious system processes or command-line arguments that could indicate exfiltration of data over other network mediums. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/tree/main/suspicious

SCC is able to detect when secure boot is not enabled. Adversaries may use this weakness to abuse pre-boot mechanisms and persist on compromised systems (e.g., rootkit). This technique was graded as significant due to the real-time temporal factor.

This control is able to mitigate the use of rootkits that target any portion of the boot process, such as malicious modification of the Master Boot Record or UEFI. This control does not mitigate rootkits that exist in the kernel or userland.

Google Security Ops is able to trigger an alert based off processes and command-line arguments that may indicate adversary reconnaissance and information discovery techniques for network configuration settings (e.g., "net config", "ipconfig.exe", "nbtstat.exe). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/possible_system_network_configuration_discovery__sysmon_windows_logs.yaral

Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block adversaries from discovering endpoints behind the firewall. This mapping is given a score of Partial because it does not protect against discovering endpoints within the network and behind the firewall.

Google Security Ops attempts to identify remote systems via ping sweep. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/process_creation/remote_system_discovery___ping_sweep.yaral

Google Security Ops typically filters external network traffic and therefore can be effective for preventing external remote system discovery. Activity originating from inside the trusted network is not mitigated.

VPC security perimeters can segment private resources to deny traffic based on organizational policy.

Cloud IDS spyware signatures are able to detect data exfiltration attempts over command and control communications, which is often used by adversaries to compromise sensitive data. Although there are ways an attacker could still exfiltrate data from a compromised system, this technique was scored as significant based on Cloud IDS's advanced threat detection technology which continually updates to detect against the latest known variations of these attacks.

Google Security Ops is able to trigger an alert based off suspicious sytem processes, such as using bitsadmin to automatically exfiltrate data from Windows machines (e.g., ".*\\bitsadmin\.exe"). This mapping is scored as minimal based on low or uncertain detection coverage factor for this technique. https://github.com/chronicle/detection-rules/blob/main/soc_prime_rules/threat_hunting/windows/data_exfiltration_attempt_via_bitsadmin.yaral

Advanced Protection Program enables the use of a security key for multi-factor authentication. Implementing MFA on remote service logons prevents adversaries from using valid accounts to access those services.

Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to only allow remote services from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because even though it can restrict remote services traffic from untrusted hosts for most of the sub-techniques (5 of 6), it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack.

Google Security Ops is able to detect an alert based on system events, such as remote service connections. This mapping was scored as minimal based on low or uncertain detection coverage factor of this technique. https://github.com/chronicle/detection-rules/tree/main/soc_prime_rules/threat_hunting/windows

Chronicle is able to trigger an alert for net use commands detected for SMB/Windows admin shares (e.g., " net use.* (C|ADMIN|IPC)$"). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/possible_system_network_connections_discovery__sysmon_windows_logs.yaral

Chronicle is able to trigger an alert based on accounts and authorized device access to a certain IP range (e.g., "Attempted Lateral Movement via SSH metadata pivoting"). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/tree/main/gcp_cloudaudit

This control can be used to detect adversaries that may try to use Valid Accounts to log into remote machines using Secure Shell (SSH).

Google Security Ops is able to trigger an alert based off suspicious command line arguments or processes that indicate obfuscation techniques to evade cyber defenses. For example, when cmd.exe has been obfuscated. This mapping was scored as minimal based on low or uncertain detection coverage factor of the technique. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/detect_cmd_exe_obfuscation.yaral https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/ursnif_trojan_detection__cmd_obfuscation.yaral

Google Security Ops can trigger an alert based on delivery of encrypted or encoded payloads with uncompiled code. This mapping was scored as minimal based on low detection coverage factor of the technique. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_powershell_parameter_substring.yaral https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/encoded_iex.yaral

Google Security Operations is able to trigger an alert based off command-line arguments that could indicate adversary's attempting to get information about system users (e.g., primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/possible_system_owner_user_discovery__sysmon_windows_logs.yaral

Google Security Operations is able to trigger an alert based on Windows starting uncommon processes (e.g., Detects Winword starting uncommon sub process MicroScMgmt.exe used for CVE-2015-1641). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/proactive_exploit_detection/process_creation/exploit_for_cve_2015_1641.yaral

Each image has a signer digitally sign using a private key. At deploy time, the enforcer uses the attester's public key to verify the signature in the attestation.

Google Security Operations can trigger an alert based on malware masquerading as legitimate process for example, Adobe's Acrobat Reader (e.g., re.regex($selection.target.process.file.full_path, `.*\\AcroRD32\.exe). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/sysmon/detects_malware_acrord32_exe_execution_process.yaral

Google Security Ops is able to trigger an alert based on registry modifications related to custom logon scripts. (e.g., "REGISTRY_CREATION", ""REGISTRY_MODIFICATION", "HKCU|HKEY_CURRENT_USER"). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/mitre_attack/T1547_001_windows_registry_run_keys_startup_folder.yaral

Google Security Ops triggers an alert based on suspicious connections (e.g., Netlogon connections). https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/proactive_exploit_detection/system/vulnerable_netlogon_secure_channel_connection_allowed.yaral https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/logon_scripts__userinitmprlogonscript.yaral

Backup and DR-Actifio GO provides encryption in transit for data traveling between Actifio appliances and other systems during backup and recovery operations. Data is encrypted while it travels across the network, providing protection against Network Sniffing since adversaries would be unable to read encrypted traffic. However, this is only relevant when traffic is being backed up, which is a small amount of the time. This results in a score of Minimal.

This control may mitigate against Network Sniffing by providing certificates for internal endpoints and applications to use with asymmetric encryption. This control helps protect the issuing Certificate Authority with the use of Google's IAM and policy controls.

Cloud VPN enables traffic traveling between the two networks, and it is encrypted by one VPN gateway and then decrypted by the other VPN gateway. This action protects users' data as it travels over the internet. This control may prevent adversaries from sniffing network traffic.

This control provides secure methods for accessing secrets and passwords. This can reduce the incidents of credentials and other authentication material being transmitted in clear-text or by insecure encryption methods. Any communication between applications or endpoints after access to Secret Manager may not be secure.

Using Web Security Scanner, SCC is able to detect when passwords are transmitted in cleartext. Adversaries may use this traffic mirroring services to sniff traffic and intercept unencrypted credentials. This technique was graded as partial due to the low protect coverage when transmitting passwords in clear-text and there is more information that could be gathered during a network sniffing attacks.

Often used by adversaries to compromise sensitive data, Palo Alto Network's spyware signatures is able to detect data exfiltration attempts and anomalies over known command and control communications. Although there are ways an attacker could still exfiltrate data from a compromised system, this technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against the latest known variations of these attacks.

Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance.

Google Security Ops is able to trigger an alert based off suspicious system processes or command-line arguments that could indicate exfiltration of data over the C2 channel. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/possible_data_exfiltration_via_smtp.yaral https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/data_exfiltration_attempt_via_bitsadmin.yaral

Cloud Armor filters external network traffic and therefore can be effective for preventing external network service scanning. Network service scanning originating from inside the trusted network is not mitigated.

Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against network service scanning. This mapping is given a score of Partial because it only protects against network service scanning attacks that originate from outside the firewall and not from within network protected by the firewall.

VPC security perimeters can limit the impact from active scanning and lateral movement techniques used to exploit the target environment.

Chrome Enterprise Premium provides Data Loss Prevention (DLP) features that can detect and block sensitive data for files that are uploaded and downloaded and for content that is pasted or dragged and dropped via the Chrome browser. This can provide protection against adversaries that may try to steal data over network protocols.

Often used by adversaries to compromise sensitive data, Palo Alto Network's spyware signatures is able to detect data exfiltration attempts over command and control communications. Although there are ways an attacker could still exfiltrate data from a compromised system, this technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against the latest known variations of these attacks.

Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance and AWS Network Firewall wouldn't have deep packet inspection visibility into encrypted non-C2 protocols.

Google Security Ops is able to trigger an alert based off suspicious system processes that could indicate exfiltration attempts using cURL from Windows machines (e.g., C:\\Windows\\System32\\curl.exe). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/suspicious_curl_usage.yaral

Google Security Ops is able to trigger an alert based off command-line arguments that could indicate adversary's attempting to get information about network connections (e.g., "net config", "net use", "net file"). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/possible_system_network_connections_discovery__sysmon_windows_logs.yaral

Google Security Ops is able to trigger alerts based on system events, such as: USB device detected. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/info/usb_new_device.yaral https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/usb_device_plugged.yaral

The Cloud Endpoints capability can prevent exfiltration over USB by disabling USB file transfers on enrolled devices through features like device control.

Google Security Ops is able to trigger an alert based on events, such as "new USB device is connected to a system". This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/usb_device_plugged.yaral

Google Security Ops is able to trigger an alert based on suspicious modifications to the infrastructure, such as: new task scheduling to execute programs. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/a_scheduled_task_was_created.yaral https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/mitre_attack/T1053_005_windows_creation_of_scheduled_task.yaral

Google Security Ops is able to trigger an alert based on scheduled tasks using the command line (e.g., "schtasks /create"). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/mitre_attack/T1053_005_windows_creation_of_scheduled_task.yaral

Each image has a signer digitally sign using a private key. At deploy time, the enforcer uses the attester's public key to verify the signature in the attestation.

GKE provides the ability to audit against a set of recommended benchmark [Center for Internet Security (CIS)]. This control may avoid privileged containers and running containers as root.

Google Security Ops can trigger an alert based on suspicious running processes that could be used to evade defenses and escalate privileges. (e.g., directory traversal attempts via attachment downloads). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/mavinject_process_injection.yaral

Often used by adversaries to escalate privileges and automatically run on Windows systems, Palo Alto Network's antivirus signatures is able to detect malware found in portable executables (PE). Although there are ways an attacker could avoid detection to deliver a malicious PE file, this technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against the latest known variations of these attacks.

Google Security Ops is able to trigger an alert based on adversary methods of obtaining credentials or collecting information (e.g., web skimming attacks). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/cloud_security/proxy/the_gocgle_malicious_campaign.yaral

Google Security Ops is able to trigger an alert based on adversary methods of obtaining credentials or collecting information (e.g., web skimming attacks). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/cloud_security/proxy/the_gocgle_malicious_campaign.yaral

Google Security Ops is able to trigger an alert based on adversary methods of obtaining credentials or collecting information (e.g., web skimming attacks). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/cloud_security/proxy/the_gocgle_malicious_campaign.yaral

Google Security Ops is able to trigger an alert based off command-line arguments that could indicate adversary's attempting to get information about running processes on Windows machines (e.g., "tasklist.exe", "Get-Process.*"). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/possible_process_enumeration__sysmon_windows_logs.yaral https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/fake_zoom_installer_exe__devil_shadow_botnet.yaral

Google Security Ops is able to trigger an alert based on system events of interest, for example: decoding Windows payloads using \"certutil.exe\" functionality. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_certutil_command.yaral

VirusTotal, now part of Google Cloud, provides threat context and reputation data to help analyze suspicious files, URLs, domains, and IP addresses to detect cybersecurity threats.

Google Security Ops is able to trigger an alert based on suspicious behavior seen in the Windows command line. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/tree/main/soc_prime_rules/threat_hunting/windows https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_certutil_command.yaral

SCC uses machine learning [NLP techniques] to evaluate content of an executed bash script. This security solution protects against potentially malicious scripts that are used to execute commands in compromised systems. Because of the high threat detection coverage provided by the ML model and near-real time temporal factor this control was graded as significant.

Google Security Ops triggers an alert based on webshell connections which are used to establish persistent access to a compromised machine [backdoor]. (e.g., `.*/config/keystore/.*\.js.*). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/proactive_exploit_detection/webserver/oracle_weblogic_exploit.yaral

Google Security Ops is able to trigger alert based on suspicious command line behavior that could indicate remote code exploitation attempts (e.g., detect exploits using child processes spawned by Windows DNS processes). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/proactive_exploit_detection/process_creation/cve_2020_1350_dns_remote_code_exploit__sigred___via_cmdline.yaral

Policy Intelligence role recommendations generated by IAM Recommender help admins remove unwanted access to GCP resources by using machine learning to make smart access control recommendations. With Recommender, security teams can automatically detect overly permissive access and rightsize them based on similar users in the organization and their access patterns. This control may mitigate adversaries that try to perform privilege escalation via permission levels and software exploitation.

VM Manager can apply on-demand and scheduled patches via automated patch deployment. This can remediate OS and software vulnerabilities that could otherwise be exploited. Since VM Manager doesn't directly prevent exploitation of active vulnerabilities (including zero day vulnerabilities) this control has resulted in a score of Partial.

Group permissions and settings are inherited using the IAM roles that are specifically granted to that group by admins. This control provides protection of possible adversaries that may determine which user accounts and groups memberships are available in cloud accounts. Received a score of Minimal because it only covers one of the sub-techniques.

Group permissions and settings are inherited using the IAM roles that are specifically granted to that group by admins. This control provides protection of possible adversaries that may determine which user accounts and groups memberships are available in cloud accounts. Received a score of Minimal because it only covers one of the sub-techniques.

Google Security Operations is able to trigger an alert when logs are cleared from the infrastructure. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/main/gcp_cloudaudit/gcp_log_deletion.yaral

SCC is able to detect when audit logging has been disabled for a resource. Adversaries may use this weakness to hide their activity and remove evidence of their presence (e.g., clear command history, clear logs, file deletion). This technique was graded as significant due to the high detect coverage and real-time temporal factor.

Google Security Ops is able to trigger an alert based on suspicious system events used to evade defenses, such as deletion of Windows security event logs. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/main/gcp_cloudaudit/gcp_log_deletion.yaral

Google Security Ops is able to trigger an alert based on system events, such as deletion of cloud audit logs. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/main/gcp_cloudaudit/gcp_log_deletion.yaral

Google Security Ops is able to trigger an alert based off system processes that indicate when backup catalogs are deleted from a windows machine. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/backup_catalog_deleted.yaral

Google Security Ops is able to trigger an alert based off modifications to file time attributes to hide changes to existing files on Windows machines. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/file_creation_time_changed_via_powershell.yaral

Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block malicious or unwanted traffic leveraging application layer protocols. Given this supports all sub-techniques, the mapping is given a score of Significant.

Google Security Ops is able to trigger an alert based on suspicious modifications to the network infrastructure. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/tree/main/gcp_cloudaudit https://github.com/chronicle/detection-rules/blob/main/gcp_cloudaudit/gcp_vpc_network_changes.yaral

Chrome Enterprise Premium provides checks for sensitive data and protection from content that may contain malware. This also enables certain files to be sent for analysis, and in return the admin can then choose to allow or block uploads and downloads for those scanned and unscanned files. End users can also be prevented from accessing pages specified by a list of URL patterns.

Google Security Ops is able to trigger an alert based on system events of interest, for example: detection of the Sunburst C2 channel used as backdoor access in the SolarWinds compromise. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/dns/solarwinds_backdoor_c2_host_name_detected___via_dns.yaral

SCC is able to ingest Cloud DNS logs and detect DNS queries that could indicate active Log4j vulnerable to remote code execution. Because of the near-real time temporal factor for detection this control was graded as significant.

Artifact Analysis performs vulnerability scans on artifacts in Artifact Registry or Container Registry (deprecated). When Artifact Analysis is deployed, it can detect variations to store system packages and container images.

Google Security Ops is able to trigger alerts based off suspicious activity on a Linux host that could indicate a bind or reverse shell with Netcat tool. Note: This rule requires installation of auditbeat on the host machine to properly function. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/linux/possible_bind_or_reverse_shell_via_netcat__auditbeat_for_linux.yaral

VM Manager can apply on-demand and scheduled patches via automated patch deployment. This can remediate OS and software vulnerabilities that could otherwise be exploited. Since VM Manager doesn't directly prevent exploitation of active vulnerabilities (including zero day vulnerabilities) this control has resulted in a score of Partial.

This control may be able to detect when adversaries use valid cloud accounts to elevate privileges through manipulation of IAM or access policies. This monitoring can be fine tuned to specific assets, policies, and organizations.

The Cloud Endpoints capability provides support for multiple authentication methods, including API keys and Google ID tokens. Implementing multi-factor authentication (MFA) across account types, including local, domain, and cloud accounts, can prevent unauthorized access even if credentials are compromised.

This control can be used to mitigate malicious attacks of cloud accounts by implementing multi-factor authentication techniques or password policies.

GKE Enterprise incorporates the Anthos Config Management feature to create and manage Kubernetes objects across multiple clusters at once. PodSecurityPolicies can be enforced to prevent Pods from using the root Linux user. Based on the medium detection coverage, this was scored as partial.

Google Security Ops is able to trigger an alert based on RDP logons from non-private IP ranges. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/active_directory_security/security/remote_desktop_from_internet__via_audit.yaral

This control may mitigate the impact of compromised valid accounts by enabling fine-grained access policies and implementing least-privilege policies. MFA can provide protection against an adversary that obtains valid credentials by requiring the adversary to complete an additional authentication process before access is permitted.

IAP applies the relevant IAM policy to check if the user is authorized to access the requested resource. If the user has the IAP-secured Web App User role on the Cloud console project where the resource exists, they're authorized to access the application. This control can mitigate against adversaries that try to obtain credentials of accounts, including cloud accounts.

Identity Platform lets you add Google-grade authentication to your apps and services, making it easier to secure user accounts and securely managing credentials. MFA can provide protection against an adversary that obtains valid credentials by requiring the adversary to complete an additional authentication process before access is permitted.

Adversaries may obtain and abuse credentials of a cloud account by gaining access through means of Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Policy Intelligence role recommendations generated by IAM Recommender help enforce least privilege principals to ensure that permission levels are properly managed.

Adversaries may attempt to obtain credentials of existing account through privilege escalation or defense evasion. IAM audit logging in GCP can be used to determine roles and permissions, along with routinely checking user permissions to ensure only the expected users have the ability to list IAM identities or otherwise discover cloud accounts.

This control is able to mitigate against abuse of compromised valid accounts by restricting access from those accounts to resources contained within the VPC perimeter the account belongs to. Resources and services contained in other VPC networks also cannot be accessed by user accounts that are not within the VPC network perimeter.

GKE Enterprise incorporates the Anthos Config Management feature to create and manage Kubernetes objects across multiple clusters at once. PodSecurityPolicies can be enforced to prevent Pods from using the root Linux user. Based on the medium detection coverage, this sub-technique was scored as partial.

SCC is able to detect when default service accounts are used. Adversaries may use this attack as a means to gain initial access, privilege escalation, or defense evasion. This subtechnique was graded as significant due to the high detect coverage and near-real time temporal factor.

Advanced Protection Program enables the use of a security key for multi-factor authentication. Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information.

This control can be used to mitigate malicious attacks of domain accounts by implementing multi-factor authentication techniques or password policies.

Identity Platform lets you add Google-grade authentication to your apps and services, making it easier to secure user accounts and securely managing credentials. MFA can provide protection against an adversary that obtains valid credentials by requiring the adversary to complete an additional authentication process before access is permitted.

Advanced Protection Program enables the use of a security key for multi-factor authentication. Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information.

This control may be able to detect when adversaries use valid cloud accounts to elevate privileges through manipulation of IAM or access policies. This monitoring can be fine tuned to specific assets, policies, and organizations.

This control can be used to mitigate malicious attacks of cloud accounts by implementing multi-factor authentication techniques or password policies.

GKE Enterprise incorporates the Anthos Config Management feature to create and manage Kubernetes objects across multiple clusters at once. PodSecurityPolicies can be enforced to prevent Pods from using the root Linux user. Based on the medium detection coverage, this sub-technique was scored as partial.

This control protects against malicious use of cloud accounts and gaining access to them. This control may mitigate the impact of compromised valid accounts by enabling fine-grained access policies and implementing least-privilege policies. MFA can provide protection against an adversary that obtains valid credentials by requiring the adversary to complete an additional authentication process before access is permitted.

Protects access to applications hosted within cloud and other premises.

Identity Platform lets you add Google-grade authentication to your apps and services, making it easier to secure user accounts and securely managing credentials. MFA can provide protection against an adversary that obtains valid credentials by requiring the adversary to complete an additional authentication process before access is permitted.

Adversaries may obtain and abuse credentials of a cloud account by gaining access through means of Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Policy Intelligence role recommendations generated by IAM Recommender help enforce least privilege principals to ensure that permission levels are properly managed.

ReCAPTCHA Enterprise allows users to configure Multifactor Authentication (MFA) to verify user's identity by sending a verification code by email or SMS (known as an MFA challenge). When ReCAPTCHA Enterprise assesses that user activity to exceeds a predetermined threshold (by the developer), it can trigger an MFA challenge to verify the user. This increases the likelihood that a compromised account will be prevented from impacting the system. Since ReCAPTCHA Enterprise does not require a MFA challenge for all user activity, it has been given a rating of Partial.

Adversaries may attempt to obtain credentials of existing account through privilege escalation or defense evasion. IAM audit logging in GCP can be used to determine roles and permissions, along with routinely checking user permissions to ensure only the expected users have the ability to list IAM identities or otherwise discover cloud accounts.

SCC ingests Cloud Audit logs to detect when an external member is added to a privileged group with sensitive permissions or roles. This security solution protects against compromised cloud accounts used to maintain persistence and harvest sensitive data. Because of the near-real time temporal factor to detect against this cyber-attack the control was graded as significant.

Google Security Ops is able to trigger an alert based on suspicious network behavior seen in malware RAT, such as Netwire activity via WScript or detect the utilization of wmic.exe in order to obtain specific system information. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/detect_enumeration_via_wmi.yaral

Google Security Ops is able to trigger an alert based off command line arguments and suspicious system processes that could indicate adversary's account discovery techniques. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/account_discovery_activity_detector__sysmon_behavior.yaral

This control protects against adversaries gaining access to accounts within a specific environment or determining which accounts exists to follow on with malicious behavior. The usage of GCP IAM enables admins to grant access to cloud resources at fine-grained levels, possibly preventing adversaries of malicious use of cloud accounts and gaining access to them. This control receives a minimal score since it only covers one of the few sub-techniques.

Identity Platform is a customer identity and access management (CIAM) platform that helps organizations add identity and access management functionality to their applications, protect user accounts, and scale with confidence on Google Cloud. With this, permissions are limited to discover cloud accounts in accordance with least privilege and adversaries may be prevented from getting access to a listing of domain accounts.

This control can be used to limit permissions to discover user accounts in accordance with least privilege principles and thereby limits the accounts that can be used for account discovery.

Adversaries may attempt to get a listing of cloud accounts that are created and configured by an organization or admin. IAM audit logging in GCP can be used to determine roles and permissions, along with routinely checking user permissions to ensure only the expected users have the ability to list IAM identities or otherwise discover cloud accounts.

Identity Platform is a customer identity and access management (CIAM) platform that helps organizations add identity and access management functionality to their applications, protect user accounts, and scale with confidence on Google Cloud. With this, permissions are limited to discover cloud accounts in accordance with least privilege and adversaries may be prevented from getting access to a listing of domain accounts.

Google Security Ops is able to trigger an alert based off command line arguments and suspicious system processes that could indicate adversary's account discovery techniques (e.g., "net user /domain", "C:\\Windows\\System32\\net.exe", "C:\\Windows\\System32\\query.exe). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/account_discovery_activity_detector__sysmon_behavior.yaral

This control can be used to implement the least-privilege principle for account management and thereby limit the accounts that can be used for account discovery. This control receives a minimal score since it only covers one of the few sub-techniques.

Identity Platform is a customer identity and access management (CIAM) platform that helps organizations add identity and access management functionality to their applications, protect user accounts, and scale with confidence on Google Cloud. With this, permissions are limited to discover cloud accounts in accordance with least privilege and adversaries may be prevented from getting access to a listing of cloud accounts.

This control can be used to limit permissions to discover cloud accounts in accordance with least privilege principles and thereby limits the accounts that can be used for account discovery.

This control may mitigate adversaries that attempt to get a listing of cloud accounts, such as use of calls to cloud APIs that perform account discovery.

Adversaries may attempt to get a listing of cloud accounts that are created and configured by an organization or admin. IAM audit logging in GCP can be used to determine roles and permissions, along with routinely checking user permissions to ensure only the expected users have the ability to list IAM identities or otherwise discover cloud accounts.

Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of Cloud Armor network allow and block lists. However this can be circumvented by other techniques.

Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block traffic from known bad IP addresses and to known bad domains that serve as proxies for adversaries. This mapping is given a score of partial because it only supports a subset of the sub-techniques (2 of 4) and because it only blocks known bad IP addresses and domains and does not protect against unknown ones.

Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block malicious or unwanted traffic leveraging non-application layer protocols. Given this, the mapping is given a score of Significant.

Advanced Protection Program enables the use of a security key for multi-factor authentication. This provides significant protection against unauthorized users from accessing and manipulating accounts to retain access.

This control may be able to detect when adversaries use cloud accounts to elevate privileges through manipulation of IAM or access policies. This monitoring can be fine tuned to specific assets, policies, and organizations.

Google Security Ops is able to trigger an alert to ensure multi-factor authentication is enabled for all non-service and administrator accounts. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/main/gcp_cloudaudit/gcp_multifactor_authentication.yaral

Privileged roles and permissions can be granted to entire groups of users by default, and admins can control unwanted access by utilizing machine learning to recommend smart access control permissions within an organization. This control can help mitigate adversaries from gaining access to unwanted account.

Identity Platform can help protect your app's users and prevent account takeovers by offering multi-factor authentication (MFA) and integrating with Google's intelligence for account protection. This will help mitigate adversaries from gaining access to permission levels.

Utilization and enforcement of MFA for user accounts to ensure that IAM policies are implemented properly shall mitigate adversaries so that they may not gain access to user accounts. Enforce the principle of least privilege by ensuring that principals have only the permissions that they actually need.

GCP offers Identity and Access Management (IAM), which lets admins give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. This allows configuration of access controls and firewalls to limit access to critical systems and domain controllers.

VPC further segments the environment by providing configurable granular access controls which help limit user communications to critical systems.

This control may be able to detect when adversaries use cloud accounts to elevate privileges through manipulation of IAM or access policies for the creation of additional accounts. This monitoring can be fine tuned to specific assets, policies, and organizations.

Google Security Ops is able to trigger an alert based on changes to Cloud Storage IAM permissions. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/main/gcp_cloudaudit/gcp_gcs_iam_changes.yaral

Privileged roles and permissions can be granted to entire groups of users by default, and admins can control unwanted access by utilizing machine learning to recommend smart access control permissions within an organization. This control can help mitigate adversaries from gaining access to unwanted account.

Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. IAP lets you enforce access control policies for applications and resources. This control may help mitigate against adversaries gaining access through cloud account by the configuration of access controls and firewalls, allowing limited access to systems.

Identity Platform can help protect your app's users and prevent account takeovers by offering multi-factor authentication (MFA) and integrating with Google's intelligence for account protection. This will help mitigate adversaries from gaining access to permission levels.

Utilization and enforcement of MFA for user accounts to ensure that IAM policies are implemented properly shall mitigate adversaries so that they may not gain access to user accounts. Enforce the principle of least privilege by ensuring that principals have only the permissions that they actually need.

GCP offers Identity and Access Management (IAM), which lets admins give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. This allows configuration of access controls and firewalls to limit access to critical systems and domain controllers.

SCC ingests Cloud Audit logs to detect when permissions are changed in a privileged group (i.e., modify group to public) with sensitive permissions or roles. This security solution protects against compromised cloud accounts used to maintain persistence. Because of the near-real time temporal factor to detect against this cyber-attack the control was graded as significant.

VPC further segments the environment by providing configurable granular access controls which help limit user permissions to communicate with critical systems.

Identity Platform can help protect your app's users and prevent account takeovers by offering multi-factor authentication (MFA) and integrating with Google's intelligence for account protection. This will help mitigate adversaries from gaining access to permission levels.

Identity Platform can help protect your app's users and prevent account takeovers by offering multi-factor authentication (MFA) and integrating with Google's intelligence for account protection. This will help mitigate adversaries from gaining access to permission levels.

Identity Platform can help protect your app's users and prevent account takeovers by offering multi-factor authentication (MFA) and integrating with Google's intelligence for account protection. This will help mitigate adversaries from gaining access to permission levels via files.

Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block communication with known command and control channels by filtering based on known bad IP addresses and domains. This mapping is given a score of Partial because it only protects against known channels and not channels yet to be identified.

Google Security Ops is able to trigger an alert based off suspicious system processes that could indicate tool transfer attempts using cURL from Windows machines (e.g., C:\\Windows\\System32\\curl.exe). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/suspicious_curl_usage.yaral

SCC uses machine learning [NLP techniques] to evaluate content of an executed bash script. This security solution protects against potentially malicious scripts that are used to transfer tools into a compromised environment and execute commands without binaries. Because of the high threat detection coverage provided by the ML model and near-real time temporal factor this control was graded as significant.

Google Security Ops is able to trigger an alert for suspicious events related to the API (e.g., "API keys created for a project"). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/gcp_cloudaudit/gcp_no_project_api_keys.yaral

Advanced Protection Program enables the use of a security key for multi-factor authentication. This provides significant protection against Brute Force techniques attempting to gain access to accounts.

Cloud Endpoints allows administrators to set up login challenges, where a user attempting to access an API might be prompted to complete an additional verification step (like entering a code sent to their phone or answering a security question) before being granted access.

This control may mitigate brute force attacks by enforcing multi-factor authentication, enforcing strong password policies, and rotating credentials periodically. These recommendations are IAM best practices but must be explicitly implemented by a cloud administrator.

Often used by adversaries to gain access to a system, Palo Alto Network's vulnerability signature is able to detect multiple repetitive occurrences of a condition in a particular time that could indicate a brute force attack (e.g., failed logins). Although there are ways an attacker could brute force a system while avoiding detection, this technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against the latest known variations of these attacks.

Multi-factor authentication (MFA) methods, such as SMS, can also be used to help protect user accounts from phishing attacks. MFA provides significant protection against password compromises, requiring the adversary to complete an additional authentication method before their access is permitted.

SCC uses syslog to detect successful brute force attacks [via SSH] on a host. Because of the near-real time temporal factor when detecting cyber-attacks this control was graded as significant.

Advanced Protection Program enables the use of a security key for multi-factor authentication. This provides significant protection against Brute Force techniques attempting to gain access to accounts.

This control may mitigate brute force attacks by enforcing multi-factor authentication, enforcing strong password policies, and rotating credentials periodically. These recommendations are IAM best practices but must be explicitly implemented by a cloud administrator.

Multi-factor authentication (MFA) methods, such as SMS, can also be used to help protect user accounts from phishing attacks. MFA provides significant protection against password compromises, requiring the adversary to complete an additional authentication method before their access is permitted.

Advanced Protection Program enables the use of a security key for multi-factor authentication. This provides significant protection against Brute Force techniques attempting to gain access to accounts.

This control may mitigate brute force attacks by enforcing multi-factor authentication, enforcing strong password policies, and rotating credentials periodically. These recommendations are IAM best practices but must be explicitly implemented by a cloud administrator.

Multi-factor authentication (MFA) methods, such as SMS, can also be used to help protect user accounts from phishing attacks. MFA provides significant protection against password compromises, requiring the adversary to complete an additional authentication method before their access is permitted.

Advanced Protection Program enables the use of a security key for multi-factor authentication. This provides significant protection against Brute Force techniques attempting to gain access to accounts.

This control may mitigate brute force attacks by enforcing multi-factor authentication, enforcing strong password policies, and rotating credentials periodically. These recommendations are IAM best practices but must be explicitly implemented by a cloud administrator.

Multi-factor authentication (MFA) methods, such as SMS, can also be used to help protect user accounts from phishing attacks. MFA provides significant protection against password compromises, requiring the adversary to complete an additional authentication method before their access is permitted.

Advanced Protection Program enables the use of a security key for multi-factor authentication. This provides significant protection against Brute Force techniques attempting to gain access to accounts.

This control may mitigate brute force attacks by enforcing multi-factor authentication, enforcing strong password policies, and rotating credentials periodically. These recommendations are IAM best practices but must be explicitly implemented by a cloud administrator.

Password Checkup extension for Chrome displays a warning whenever a user signs in to a site using one of over 4 billion usernames and passwords that Google knows to be unsafe due to a third-party data breach. With reCAPTCHA Enterprise, you can identify credential stuffing attacks by utilizing Password Checkup to detect password leaks and breached credentials. Developers can factor this information into their score calculation for score-based site keys to help identify suspicious activity and take appropriate action.

Google Security Ops is able to trigger an alert based on events of interest, such as: "Command-line execution of the Windows Registry Editor". This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/info/command_line_regedit.yaral

Advanced Protection Program enables the use of a security key for multi-factor authentication. Enabling MFA reduces the usefulness of usernames and passwords that may be collected via email since adversaries won't have the associated security keys to gain access.

Google Security Ops triggers an alert based on common command line arguments used by adversaries to proxy execution of code through trusted utilities. This technique was scored as minimal based on low or uncertain detection coverage factor. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_certutil_command.yaral https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/detection_of_winrs_usage.yaral

Google Security Ops triggers an alert based on common command line arguments for msbuild.exe which is used by adversaries to execute code through a trusted Windows utility. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/mixed_other/security/possible_msbuild_abuse__via_cmdline.yaral

Google Security Ops is able to trigger an alert based on known indicators used by the adversary, such as data encoding techniques. This technique was scored as minimal based on low or uncertain detection coverage factor. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/windows/powershell_encoded_command__sysmon.yaral https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/emotet_process_creation.yaral https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_powershell_parameter_substring.yaral

Google Security Ops is able to trigger an alert based on known indicators used by the adversary, such as data encoding techniques for commands &/or C&C traffic. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_powershell_parameter_substring.yaral

Advanced Protection Program enables the use of a security key for multi-factor authentication. Enabling MFA for remote service accounts can mitigate an adversary's ability to leverage stolen credentials since they won't have the respective security key to gain access.

Chrome Enterprise Premium implements a zero trust model which restricts access to resources unless all rules and conditions are met. Instead of securing resources at the network-level, access controls are instead applied to individual devices and users.

This control may mitigate an adversary's ability to leverage external-facing remote services through multi-factor authentication of service account credentials.

Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to only allow certain remote services to be available. Furthermore, it can enforce restrictions such that remote services are only from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because while it can limit which external remote services and hosts can be used to access the network, it cannot protect against the misuse of legitimate external remote services (e.g., it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack).

This control provides protections against adversaries who try to access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations.

SCC is able to detect attackers communicating with a compromised workload from a remote system (e.g., "reverse shell"). SCC specifically detects for stdin bound to a remote socket. Because of the high threat detection coverage and near-real time temporal factor this control was graded as significant.

Google Security Ops is able to trigger an alert based on modifications to user access controls. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/cloud_security/sysmon/suspicious_command_line_contains_azure_tokencache_dat_as_argument__via_cmdline.yaral

Google Security Ops is able to trigger an alert based on successful and failed changes to SID-History. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/active_directory_security/windows/addition_of_sid_history_to_active_directory_object.yaral

VPC security perimeters can limit the impact from active scanning and lateral movement techniques used to exploit the target environment.

Advanced Protection Program enables the use of a security key for multi-factor authentication. Enabling Advanced Protection Program for all users at an organization can prevent adversaries from maintaining access via created accounts because any accounts they create won't have the required security keys for MFA.

Google Security Ops is able to trigger based on suspicious system event logs, such as newly created local user accounts on Windows machines. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/detects_local_user_creation.yaral

Identity Platform multi-tenancy uses tenants to create unique silos of users and configurations within a single Identity Platform project. It provides provides secure, easy-to-use authentication if you're building a service on Google Cloud, on your own backend or on another platform; thereby, helping to mitigate adversaries from gaining access to systems.

Google Security Ops is able to trigger based on suspicious system event logs, such as newly created local user accounts in Windows AD environments (e.g., event 4720). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/detects_local_user_creation.yaral

Identity Platform multi-tenancy uses tenants to create unique silos of users and configurations within a single Identity Platform project. It provides provides secure, easy-to-use authentication if you're building a service on Google Cloud, on your own backend or on another platform; thereby, helping to mitigate adversaries from gaining access to systems and accounts.

Identity Platform multi-tenancy uses tenants to create unique silos of users and configurations within a single Identity Platform project. It provides provides secure, easy-to-use authentication if you're building a service on Google Cloud, on your own backend or on another platform; thereby, helping to mitigate adversaries from gaining access to systems.

Identity Platform multi-tenancy uses tenants to create unique silos of users and configurations within a single Identity Platform project. It provides provides secure, easy-to-use authentication if you're building a service on Google Cloud, on your own backend or on another platform; thereby, helping to mitigate adversaries from gaining access to systems.

ReCAPTCHA Enterprise can implement a number of mitigations to prevent the automated creation of multiple accounts such as adding checkbox challenges on pages where end users need to enter their credentials and assessing user activity for potential misuses on all pages where accounts are created. Since this control doesn't prevent the manual creation of accounts, it has been given a rating of Partial.

SCC ingests admin activity from Cloud Audit logs to detect when new service accounts are created. This security solution protects against potential adversary generated accounts used for initial access or to maintain persistence. Because of the temporal factor to detect this attack the control was graded as significant.

Often used by adversaries to establish persistence, Palo Alto Network's antivirus signatures is able to detect malware found in executables and Microsoft Office files (e.g., DOC, DOCX, RTF, XLS, XLSX, PPT, PPTX). Although there are ways an attacker could modify the signature and deliver a malicious office file, this technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against the latest known variations of these attacks.

Google Security Ops is able to trigger an alert based off suspicious system processes, for example: command line executable started from Microsoft's Office-based applications. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/office_starup_folder_persistance.yaral https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/office_applications_suspicious_process_activity.yaral

Often used by adversaries to establish persistence, Palo Alto Network's antivirus signatures is able to detect malware found in executables and Microsoft Office templates Although there are ways an attacker could deliver a malicious template, this technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against the latest known variations of these attacks.

Google Security Ops is able to trigger an alert based off suspicious system processes, for example: detects Windows command line executable started from Microsoft's Word or Excel (e.g.., ".*\\WINWORD\.EXE", ".*\\EXCEL\.EXE"). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/office_macro_starts_cmd.yaral

Often used by adversaries to establish persistence, Palo Alto Network's antivirus signatures is able to detect malware found in executables and Microsoft Office add-ins. Although there are ways an attacker could deliver a malicious file, this technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against the latest known variations of these attacks.

Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block SMB and WebDAV traffic from exiting the network which can protect against adversaries from forcing authentication over SMB and WebDAV. This mapping is given a score of Significant because Cloud NGFW can block this traffic or restrict where it can go to.

Chrome Enterprise Premium offers sadditional protections against compromised websites by including features like URL filtering, threat detection, and data loss prevention (DLP) controls.

Artifact Analysis performs vulnerability scans on artifacts in Artifact Registry or Container Registry (deprecated). When Artifact Analysis is deployed, it can detect known vulnerabilities in various Linux OS packages. This information can be used to patch, isolate, or remove vulnerable software and machines. This control does not directly protect against exploitation and is not effective against zero day attacks, vulnerabilities with no available patch, and other end-of-life packages.

Google Cloud Armor security policies protect your application by providing Layer 7 filtering and by scrubbing incoming requests for common web attacks or other Layer 7 attributes. Google Cloud Armor detects malicious requests and drops them at the edge of Google's infrastructure.

Often used by adversaries to take advantage of software weaknesses in web applications, Palo Alto Network's vulnerability signatures are able to detect SQL-injection attacks that attempt to read or modify a system database using common web hacking techniques (e.g., OWASP top 10). Although there are ways an attacker could leverage web application weaknesses to affect the sensitive data and databases, this technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against the latest known variations of these attacks.

Google Security Ops triggers an alert based on suspicious behavior, such as exploitation attempts against web servers and/or applications (e.g., F5 BIG-IP CVE 2020-5902). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/proactive_exploit_detection/big_ip/possible_f5_big_ip_tmui_attack_cve_2020_5902_part_1.yaral https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/proactive_exploit_detection/big_ip/possible_f5_big_ip_tmui_attack_cve_2020_5902_part_2.yaral

When an application or resource is protected by IAP, it can only be accessed through the proxy by principals, also known as users, who have the correct Identity and Access Management (IAM) role. IAP secures authentication and authorization of all requests to App Engine, Cloud Load Balancing (HTTPS), or internal HTTP load balancing. With adversaries that may try to attempt malicious activity via applications, the application Firewalls may be used to limit exposure of applications to prevent exploit traffic from reaching the application.

Using Web Security Scanner, SCC is able to detect and provide guidance for web application security risks (e.g., Cross-Site Scripting, SQL injection, Server Side Request Forgery, Insecure Deserialization). Adversaries may exploit these web app weaknesses in a cloud-based environment to compromise the underlying instance or container. This technique was graded as significant due to the high detect coverage against varying forms of this attack.

VM Manager can apply on-demand and scheduled patches via automated patch deployment. This can remediate OS and software vulnerabilities that could otherwise be exploited. Since VM Manager doesn't directly prevent exploitation of active vulnerabilities (including zero day vulnerabilities) this control has resulted in a score of Partial.

VPC security perimeters can segment private resources to further reduce user access and operate in a logically separate hosting environment.

Google Security Ops is able to trigger alerts based on unusual file write events by 3rd party software, specifically SolarWinds executable. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/file_event/unusual_solarwinds_file_creation__via_filewrite.yaral https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/suspicious/unusual_location_svchost_write.yaral

Google Security Ops is able to trigger an alert based on unusual file write events by 3rd party software (e.g., SolarWinds executable ".*\\solarwinds\.businesslayerhost\.exe"). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/file_event/unusual_solarwinds_file_creation__via_filewrite.yaral https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/security/unusual_solarwinds_child_process__via_cmdline.yaral

Access Transparency provides visibility into Google's access to customer data in the form of audit logs which may expose and detect malicious access of customer data and resources by compromised Google personnel accounts. The trusted relationship between Google personnel who administer and allow customers to host their workloads on the cloud may be abused by insider threats or compromise of Google.

Google Security Ops is able to trigger an alert based off suspicious event IDs that indicate adversary's abuse of Windows system utilities to perform indirect command-line arguments or code execution. For example: malicious usage of bash.exe using Windows sub-system for Linux (e.g., WSL). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/lolbas_wsl_exe__via_cmdline.yaral

Artifact Analysis performs vulnerability scans on artifacts in Artifact Registry or Container Registry (deprecated). When Artifact Analysis is deployed, it can detect known vulnerabilities in various Linux OS packages. This information can be used to patch, isolate, or remove vulnerable software and machines. This control does not directly protect against exploitation and is not effective against zero day attacks, vulnerabilities with no available patch, and other end-of-life packages.

Google Security Ops is able to trigger an alert based on Antivirus notifications that report an exploitation framework (e.g., Metapreter, Metasploit, Powersploit). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/detect_service_creation_by_metasploit_on_victim_machine.yaral https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/proxy/exploit_framework_user_agent.yaral

VM Manager can apply on-demand and scheduled patches via automated patch deployment. This can remediate OS and software vulnerabilities that could otherwise be exploited. Since VM Manager doesn't directly prevent exploitation of active vulnerabilities (including zero day vulnerabilities) this control has resulted in a score of Partial.

Google Security Ops is able to trigger an alert based on suspicious user activity (e.g., clicking on a malicious links). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/proxy/microsoft_teams_phishing_email.yaral https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/detect_possible_execution_of_phishing_attachment.yaral

Web Risk allows client applications to check URLs against Google's list of unsafe web resources. It also can provide warnings when attempting to access potentially unsafe sites. However, Google cannot guarantee that its information is comprehensive and error-free: some risky sites may not be identified, and some safe sites may be classified in error. This has resulted in an overall score of Partial.

Often used by adversaries to establish persistence, Palo Alto Network's antivirus signatures is able to detect malware found in portable document formats (PDF). Although there are ways an attacker could modify the signature and deliver a malicious file, this technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against the latest known variations of these attacks.

Each image has a signer digitally sign using a private key. At deploy time, the enforcer uses the attester's public key to verify the signature in the attestation.

Often used by adversaries to establish persistence, Palo Alto Network's antivirus signatures is able to detect download attempts or traffic generated from malicious programs designed to mine cryptocurrency without the user's knowledge. Although there are ways an attacker could modify the attack to avoid detection, this technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against the latest known variations of these crypto-mining attacks

SCC is able to detect a potentially malicious binary being executed that was not part of the original container image. Because of the high threat detection coverage and near-real time temporal factor this control was graded as significant.

Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block traffic to unused ports from reaching hosts on the network which may help protect against traffic signaling from external systems. This mapping is given a score of partial because the Cloud NGFW does not do anything to protect against traffic signaling among hosts within the network and behind the firewall.

Artifact Analysis performs vulnerability scans on artifacts in Artifact Registry or Container Registry (deprecated). When Artifact Analysis is deployed, it can detect known vulnerabilities in various Linux OS packages. This information can be used to patch, isolate, or remove vulnerable software and machines. This control does not directly protect against exploitation and is not effective against zero day attacks, vulnerabilities with no available patch, and other end-of-life packages.

Google Security Ops is able to trigger an alert based on suspicious system events IDs (e.g., anonymous users changing machine passwords). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/proactive_exploit_detection/security/anonymous_user_changed_machine_password.yaral

VM Manager can apply on-demand and scheduled patches via automated patch deployment. This can remediate OS and software vulnerabilities that could otherwise be exploited. Since VM Manager doesn't directly prevent exploitation of active vulnerabilities (including zero day vulnerabilities) this control has resulted in a score of Partial.

Artifact Analysis performs vulnerability scans on artifacts in Artifact Registry or Container Registry (deprecated). When Artifact Analysis is deployed, it can detect variations to store system packages and images stored in the repository, which adversaries may target to establish persistence while evading cyber defenses.

VM Manager can apply on-demand and scheduled patches via automated patch deployment. This can remediate OS and software vulnerabilities that could otherwise be exploited. Since VM Manager doesn't directly prevent exploitation of active vulnerabilities (including zero day vulnerabilities) this control has resulted in a score of Partial.

Google Security Ops triggers alerts based on credential exploit attempts (e.g., read /dev/cmdb/sslvpn_websession file, this file contains login and passwords in (clear-text)). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/proactive_exploit_detection/webserver/cve_2018_13379_fortigate_ssl_vpn_arbitrary_file_reading.yaral

Policy Intelligence role recommendations generated by IAM Recommender help admins remove unwanted access to GCP resources by using machine learning to make smart access control recommendations. With Recommender, security teams can automatically detect overly permissive access and rightsize them based on similar users in the organization and their access patterns. This control may mitigate adversaries that try to perform privilege escalation via permission levels and software exploitation.

VM Manager can apply on-demand and scheduled patches via automated patch deployment. This can remediate OS and software vulnerabilities that could otherwise be exploited. Since VM Manager doesn't directly prevent exploitation of active vulnerabilities (including zero day vulnerabilities) this control has resulted in a score of Partial.

MFA and enforcing the principal of least privilege can be used to control adversaries and possibly hinder them from gaining access to a victim network or a private code repository.

MFA and enforcing the principal of least privilege can be used to control adversaries and possibly hinder them from gaining access to a victim network or a private code repository.

Using Web Security Scanner, SCC is able to detect repositories (e.g., Git or SVN) that are exposed to the public. Adversaries may use this lapse in security configuration to collect information about the target. Because of the near-real time temporal factor to detect against this cyber-attack this was graded as significant.

Google Security Ops is able to trigger an alert based on attempts to evade defenses, such as: bypass execution of digitally signed binaries. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/mavinject_process_injection.yaral

Google Security Ops is able to trigger an alert when adversaries attempt to abuse Microsoft's Connection Manager Profile Installer to proxy the execution of malicious code. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/cmstp_exe_execution_detector__sysmon_behavior.yaral

Google Security Ops is able to trigger an alert based on using MSHTA to call a remote HTML application on Windows (e.g., "mshta.+http"). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/mitre_attack/T1218_005_windows_mshta_remote_usage.yaral https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/windows/mshta_spwaned_by_svchost_as_seen_in_lethalhta__sysmon.yaral

Google Security Ops is able to trigger an alert based on suspicious behavior in Windows with the use of regsvr32.exe and a possible fileless attack via this executable. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/ole_controls_registered_via_regsvr32_exe__sysmon_behavior.yaral https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/process_creation/fileless_attack_via_regsvr32_exe.yaral