| Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|---|
| security_command_center | Security Command Center | detect | significant | T1204.003 | Malicious Image |
Comments
SCC is able to detect a potentially malicious binary being executed that was not part of the original container image. Because of the high threat detection coverage and near-real time temporal factor this control was graded as significant.
References
|
| security_command_center | Security Command Center | detect | significant | T1525 | Implant Internal Image |
Comments
SCC is able to detect modifications that were not not part of the original container image. Because of the high threat detection coverage and near-real time temporal factor this control was graded as significant.
References
|
| security_command_center | Security Command Center | detect | significant | T1133 | External Remote Services |
Comments
SCC is able to detect attackers communicating with a compromised workload from a remote system (e.g., "reverse shell"). SCC specifically detects for stdin bound to a remote socket. Because of the high threat detection coverage and near-real time temporal factor this control was graded as significant.
References
|
| security_command_center | Security Command Center | detect | significant | T1505.003 | Web Shell |
Comments
SCC is able to detect attackers communicating with a compromised workload from a remote system (e.g., "web shell"). Because of the high threat detection coverage and near-real time temporal factor this control was graded as significant.
References
|
| security_command_center | Security Command Center | detect | significant | T1105 | Ingress Tool Transfer |
Comments
SCC uses machine learning [NLP techniques] to evaluate content of an executed bash script. This security solution protects against potentially malicious scripts that are used to transfer tools into a compromised environment and execute commands without binaries. Because of the high threat detection coverage provided by the ML model and near-real time temporal factor this control was graded as significant.
References
|
| security_command_center | Security Command Center | detect | significant | T1059.004 | Unix Shell |
Comments
SCC uses machine learning [NLP techniques] to evaluate content of an executed bash script. This security solution protects against potentially malicious scripts that are used to execute commands in compromised systems. Because of the high threat detection coverage provided by the ML model and near-real time temporal factor this control was graded as significant.
References
|
| security_command_center | Security Command Center | detect | significant | T1071.004 | DNS |
Comments
SCC is able to ingest Cloud DNS logs and detect DNS queries that could indicate active Log4j vulnerable to remote code execution. Because of the near-real time temporal factor for detection this control was graded as significant.
References
|
| security_command_center | Security Command Center | detect | significant | T1110 | Brute Force |
Comments
SCC uses syslog to detect successful brute force attacks [via SSH] on a host. Because of the near-real time temporal factor when detecting cyber-attacks this control was graded as significant.
References
|
| security_command_center | Security Command Center | detect | significant | T1078.004 | Cloud Accounts |
Comments
SCC ingests Cloud Audit logs to detect when an external member is added to a privileged group with sensitive permissions or roles. This security solution protects against compromised cloud accounts used to maintain persistence and harvest sensitive data. Because of the near-real time temporal factor to detect against this cyber-attack the control was graded as significant.
References
|
| security_command_center | Security Command Center | detect | significant | T1562 | Impair Defenses |
Comments
SCC ingests VPC Audit logs to detect changes which would lead to changes in the security posture. This security solution protects against network modifications that are used to reduce the security perimeter, disable logs, and evade cyber-defense of a target environment. Because of the near-real time temporal factor this control was graded as significant.
References
|
| security_command_center | Security Command Center | detect | significant | T1567 | Exfiltration Over Web Service |
Comments
SCC ingests BigQueryAudit data access logs used to track sensitive data that is saved outside of an organization or attempts to access protected resources. This security solution detects exfiltration attacks that were attempted and completed to an external or public resource. Because of the near-real time temporal factor this control was graded as significant.
References
|
| security_command_center | Security Command Center | detect | significant | T1567.002 | Exfiltration to Cloud Storage |
Comments
SCC ingests BigQueryAudit data access logs used to track sensitive data that is saved to a cloud storage (e.g., Google Drive). This security solution detects exfiltration attacks that were attempted and completed to an external or public resource. Because of the near-real time temporal factor this control was graded as significant.
References
|
| security_command_center | Security Command Center | detect | significant | T1505.001 | SQL Stored Procedures |
Comments
SCC ingests MySQL/PostgreSQL/SQL Server data access logs to track cloud sql instances that are backed-up outside the organization. This security solution detects potential database exfiltration attacks that were attempted and completed to an external resource. Because of the near-real time temporal factor this control was graded as significant.
References
|
| security_command_center | Security Command Center | detect | significant | T1098.001 | Additional Cloud Credentials |
Comments
SCC ingests Cloud Audit logs to detect when permissions are changed in a privileged group (i.e., modify group to public) with sensitive permissions or roles. This security solution protects against compromised cloud accounts used to maintain persistence. Because of the near-real time temporal factor to detect against this cyber-attack the control was graded as significant.
References
|
| security_command_center | Security Command Center | detect | significant | T1562.007 | Disable or Modify Cloud Firewall |
Comments
SCC is able to detect changes to VPC service controls that could modify and reduced the secured perimeter. This security solution protects against modifications that could lead to a lower security posture and defense evasion. Because of the near-real time temporal factor to detect against this cyber-attack the control was graded as significant.
References
|
| security_command_center | Security Command Center | protect | significant | T1589.001 | Credentials |
Comments
SCC has the capability to disable user account after detecting a related account password leak. Because of the near-real time temporal factor to detect against this cyber-attack the control was graded as significant.
References
|
| security_command_center | Security Command Center | detect | significant | T1496 | Resource Hijacking |
Comments
SCC detect compromised hosts that attempt to connect to known malicious crypto-mining domains and IP addresses. Because of the near-real time temporal factor to detect against this cyber-attack the control was graded as significant.
References
|
| security_command_center | Security Command Center | protect | significant | T1213.003 | Code Repositories |
Comments
Using Web Security Scanner, SCC is able to detect repositories (e.g., Git or SVN) that are exposed to the public. Adversaries may use this lapse in security configuration to collect information about the target. Because of the near-real time temporal factor to detect against this cyber-attack this was graded as significant.
References
|
| security_command_center | Security Command Center | protect | minimal | T1040 | Network Sniffing |
Comments
Using Web Security Scanner, SCC is able to detect when passwords are transmitted in cleartext. Adversaries may use this traffic mirroring services to sniff traffic and intercept unencrypted credentials. This technique was graded as partial due to the low protect coverage when transmitting passwords in clear-text and there is more information that could be gathered during a network sniffing attacks.
References
|
| security_command_center | Security Command Center | detect | significant | T1190 | Exploit Public-Facing Application |
Comments
Using Web Security Scanner, SCC is able to detect and provide guidance for web application security risks (e.g., Cross-Site Scripting, SQL injection, Server Side Request Forgery, Insecure Deserialization). Adversaries may exploit these web app weaknesses in a cloud-based environment to compromise the underlying instance or container. This technique was graded as significant due to the high detect coverage against varying forms of this attack.
References
|
| security_command_center | Security Command Center | detect | significant | T1078.001 | Default Accounts |
Comments
SCC is able to detect when default service accounts are used. Adversaries may use this attack as a means to gain initial access, privilege escalation, or defense evasion. This subtechnique was graded as significant due to the high detect coverage and near-real time temporal factor.
References
|
| security_command_center | Security Command Center | detect | significant | T1542 | Pre-OS Boot |
Comments
SCC is able to detect when secure boot is not enabled. Adversaries may use this weakness to abuse pre-boot mechanisms and persist on compromised systems. This technique was graded as significant due to the high detect coverage and near real-time temporal factor.
References
|
| security_command_center | Security Command Center | detect | significant | T1542.003 | Bootkit |
Comments
SCC is able to detect when secure boot is not enabled. Adversaries may use this weakness to abuse pre-boot mechanisms and persist on compromised systems (e.g., bootkit). This technique was graded as significant due to the high detect coverage and near real-time temporal factor.
References
|
| security_command_center | Security Command Center | detect | significant | T1014 | Rootkit |
Comments
SCC is able to detect when secure boot is not enabled. Adversaries may use this weakness to abuse pre-boot mechanisms and persist on compromised systems (e.g., rootkit). This technique was graded as significant due to the real-time temporal factor.
References
|
| security_command_center | Security Command Center | detect | significant | T1070 | Indicator Removal on Host |
Comments
SCC is able to detect when audit logging has been disabled for a resource. Adversaries may use this weakness to hide their activity and remove evidence of their presence (e.g., clear command history, clear logs, file deletion). This technique was graded as significant due to the high detect coverage and real-time temporal factor.
References
|
| security_command_center | Security Command Center | detect | significant | T1484 | Domain Policy Modification |
Comments
SCC ingests admin activity from Cloud Audit logs to detect when an external member is added to a privileged group with sensitive permissions or roles. This security solution protects against adversary created accounts used to establish or maintain persistence. Because of the temporal factor to detect this attack, the control was graded as significant.
References
|
| security_command_center | Security Command Center | detect | significant | T1136.003 | Cloud Account |
Comments
SCC ingests admin activity from Cloud Audit logs to detect when new service accounts are created. This security solution protects against potential adversary generated accounts used for initial access or to maintain persistence. Because of the temporal factor to detect this attack the control was graded as significant.
References
|
| security_command_center | Security Command Center | detect | significant | T1562.008 | Disable Cloud Logs |
Comments
SCC detect changes to the configuration which would lead to disable logging on an instance or container. This security solution protects against system modifications used to remove evidence and evade defenses. Because of the near-real time temporal factor this control was graded as significant.
References
|
| security_command_center | Security Command Center | detect | significant | T1578 | Modify Cloud Compute Infrastructure |
Comments
SCC detect changes to the cloud infrastructure and resources which could indicate malicious behavior (e.g., delete instances, create snapshot, revert cloud instance). This security solution protects against modifications potentially used to remove evidence and evade defenses. Because of the near-real time temporal factor and high detection coverage this control was graded as significant.
References
|
| security_command_center | Security Command Center | detect | partial | T1530 | Data from Cloud Storage Object |
Comments
SCC detect suspicious activity when accessing cloud storage objects (e.g., new IPs accessing storage objects or enumeration from unfamiliar user identities). Because of the real time temporal factor when detecting access to secure storage objects this control was graded as partial.
References
|