Cloud IDS is an intrusion detection service that inspects network traffic and raises alerts on intrusions, malware, spyware, and other cyber-attacks. Cloud IDS' default ruleset is powered by Palo Alto Networks' advanced threat detection technologies and the vendor's latest set of threat signatures (e.g., antivirus, anti-spyware, and vulnerability signatures). Cloud IDS depends on the Cloud Logging feature to collect network telemetry. Further threat detection rules can be crafted to generate alerts based on network traffic (e.g., PCAP, NetFlow).
Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|---|
cloud_ids | Cloud IDS | detect | partial | T1027.009 | Embedded Payloads | Google Cloud IDS can detect network-based threats like malicious software. |
cloud_ids | Cloud IDS | detect | partial | T1027.012 | LNK Icon Smuggling | Google Cloud IDS can detect network-based threats like malicious software. |
cloud_ids | Cloud IDS | detect | minimal | T1027.013 | Encrypted/Encoded File | Google Cloud IDS can detect network-based threats like malicious software. |
cloud_ids | Cloud IDS | detect | minimal | T1027.014 | Polymorphic Code | Google Cloud IDS can detect network-based threats like malicious software. |
cloud_ids | Cloud IDS | detect | minimal | T1036.008 | Masquerade File Type | Google Cloud IDS can detect network-based threats like malicious software. |
cloud_ids | Cloud IDS | detect | significant | T1020 | Automated Exfiltration | Cloud IDS spyware signatures are able to detect data exfiltration attempts over command and control communications, which adversaries often use to compromise sensitive data. Although there are ways an attacker could still exfiltrate data from a compromised system, this technique was scored as significant based on Cloud IDS's advanced threat detection technology, which is continually updated to detect the latest known variations of these attacks. |
cloud_ids | Cloud IDS | detect | significant | T1041 | Exfiltration Over C2 Channel | Palo Alto Networks' spyware signatures are able to detect data exfiltration attempts and anomalies over known command and control communications, which adversaries often use to compromise sensitive data. Although there are ways an attacker could still exfiltrate data from a compromised system, this technique was scored as significant based on Palo Alto Networks' advanced threat detection technology, which is constantly updated to detect the latest known variations of these attacks. |
cloud_ids | Cloud IDS | detect | significant | T1048 | Exfiltration Over Alternative Protocol | Palo Alto Networks' spyware signatures are able to detect data exfiltration attempts over command and control communications, which adversaries often use to compromise sensitive data. Although there are ways an attacker could still exfiltrate data from a compromised system, this technique was scored as significant based on Palo Alto Networks' advanced threat detection technology, which is constantly updated to detect the latest known variations of these attacks. |
cloud_ids | Cloud IDS | detect | significant | T1055.002 | Portable Executable Injection | Palo Alto Networks' antivirus signatures are able to detect malware found in portable executables (PE), which adversaries often use to escalate privileges and run automatically on Windows systems. Although there are ways an attacker could avoid detection and deliver a malicious PE file, this technique was scored as significant based on Palo Alto Networks' advanced threat detection technology, which is constantly updated to detect the latest known variations of these attacks. |
cloud_ids | Cloud IDS | detect | significant | T1110 | Brute Force | Palo Alto Networks' vulnerability signatures are able to detect multiple repetitive occurrences of a condition within a particular time window that could indicate a brute force attack (e.g., failed logins), a technique adversaries often use to gain access to a system. Although there are ways an attacker could brute force a system while avoiding detection, this technique was scored as significant based on Palo Alto Networks' advanced threat detection technology, which is constantly updated to detect the latest known variations of these attacks. |
cloud_ids | Cloud IDS | detect | significant | T1137 | Office Application Startup | Palo Alto Networks' antivirus signatures are able to detect malware found in executables and Microsoft Office files (e.g., DOC, DOCX, RTF, XLS, XLSX, PPT, PPTX), which adversaries often use to establish persistence. Although there are ways an attacker could modify the signature and deliver a malicious Office file, this technique was scored as significant based on Palo Alto Networks' advanced threat detection technology, which is constantly updated to detect the latest known variations of these attacks. |
cloud_ids | Cloud IDS | detect | significant | T1137.001 | Office Template Macros | Palo Alto Networks' antivirus signatures are able to detect malware found in executables and Microsoft Office templates, which adversaries often use to establish persistence. Although there are ways an attacker could deliver a malicious template, this technique was scored as significant based on Palo Alto Networks' advanced threat detection technology, which is constantly updated to detect the latest known variations of these attacks. |
cloud_ids | Cloud IDS | detect | significant | T1137.006 | Add-ins | Palo Alto Networks' antivirus signatures are able to detect malware found in executables and Microsoft Office add-ins, which adversaries often use to establish persistence. Although there are ways an attacker could deliver a malicious file, this technique was scored as significant based on Palo Alto Networks' advanced threat detection technology, which is constantly updated to detect the latest known variations of these attacks. |
cloud_ids | Cloud IDS | detect | significant | T1190 | Exploit Public-Facing Application | Palo Alto Networks' vulnerability signatures are able to detect SQL injection attacks that attempt to read or modify a system database using common web hacking techniques (e.g., OWASP Top 10), which adversaries often use to take advantage of software weaknesses in web applications. Although there are ways an attacker could leverage web application weaknesses to affect sensitive data and databases, this technique was scored as significant based on Palo Alto Networks' advanced threat detection technology, which is constantly updated to detect the latest known variations of these attacks. |
cloud_ids | Cloud IDS | detect | significant | T1204.002 | Malicious File | Palo Alto Networks' antivirus signatures are able to detect malware found in Portable Document Format (PDF) files, which adversaries often use to establish persistence. Although there are ways an attacker could modify the signature and deliver a malicious file, this technique was scored as significant based on Palo Alto Networks' advanced threat detection technology, which is constantly updated to detect the latest known variations of these attacks. |
cloud_ids | Cloud IDS | detect | significant | T1204.003 | Malicious Image | Palo Alto Networks' antivirus signatures are able to detect download attempts or traffic generated by malicious programs designed to mine cryptocurrency without the user's knowledge, which adversaries often use to establish persistence. Although there are ways an attacker could modify the attack to avoid detection, this technique was scored as significant based on Palo Alto Networks' advanced threat detection technology, which is constantly updated to detect the latest known variations of these crypto-mining attacks. |
cloud_ids | Cloud IDS | detect | significant | T1221 | Template Injection | Palo Alto Networks' antivirus signatures are able to detect malware found in executables and Microsoft Office file templates (e.g., DOC, DOCX, RTF, XLS, XLSX, PPT, PPTX), which adversaries often use to establish persistence. Although there are ways an attacker could modify the known attack signature to avoid detection, this technique was scored as significant based on Palo Alto Networks' advanced threat detection technology, which is constantly updated to detect the latest known variations of these attacks. |
cloud_ids | Cloud IDS | detect | significant | T1499 | Endpoint Denial of Service | Palo Alto Networks' vulnerability signatures are able to detect denial-of-service (DoS) attacks that attempt to render a target system unavailable by flooding its resources with traffic, which adversaries often use to affect availability and deprive legitimate users of access. This technique was scored as significant based on Palo Alto Networks' advanced threat detection technology, which is constantly updated to detect a variety of denial-of-service attacks. |
cloud_ids | Cloud IDS | detect | significant | T1499.003 | Application Exhaustion Flood | Palo Alto Networks' vulnerability signatures are able to detect denial-of-service (DoS) attacks that attempt to crash a target system by flooding it with application traffic, which adversaries often use to affect availability and deprive legitimate users of access. This technique was scored as significant based on Palo Alto Networks' advanced threat detection technology, which is constantly updated to detect variations of these cyber-attacks. |
cloud_ids | Cloud IDS | detect | significant | T1505.003 | Web Shell | Palo Alto Networks' threat signatures are able to detect programs that use an internet connection to provide remote access to a compromised internal system, which adversaries often use to establish persistence. Although there are multiple ways an attacker could establish unauthorized remote access to a compromised system, this technique was scored as significant based on Palo Alto Networks' advanced threat detection technology, which is constantly updated to detect variations of these cyber-attacks. |
cloud_ids | Cloud IDS | detect | significant | T1546.006 | LC_LOAD_DYLIB Addition | Palo Alto Networks' antivirus signatures are able to detect malicious content found in Mach object (Mach-O) files, which adversaries often use to execute malicious content and establish persistence by loading and executing malicious dynamic libraries once the binary runs. This technique was scored as significant based on Palo Alto Networks' advanced threat detection technology, which is constantly updated to detect variations of these cyber-attacks. |
cloud_ids | Cloud IDS | detect | significant | T1566.002 | Spearphishing Link | Palo Alto Networks' vulnerability signatures are able to detect when a user attempts to connect to a malicious site hosting a phishing kit landing page, a technique adversaries often use to gain access to a system. Although there are other ways an adversary could attempt a phishing attack, this technique was scored as significant based on Palo Alto Networks' advanced threat detection technology, which is constantly updated to detect variations of these cyber-attacks. |
cloud_ids | Cloud IDS | detect | significant | T1567 | Exfiltration Over Web Service | Palo Alto Networks' spyware signatures are able to detect data exfiltration attempts over command and control communications (e.g., WebShell), which adversaries often use to compromise sensitive data. Although there are ways an attacker could exfiltrate data from a compromised system, this technique was scored as significant based on Palo Alto Networks' advanced threat detection technology, which is constantly updated to detect the latest known variations of these attacks. |
cloud_ids | Cloud IDS | detect | significant | T1567.002 | Exfiltration to Cloud Storage | Palo Alto Networks' spyware signatures are able to detect data exfiltration attempts over command and control communications (e.g., WebShell), which adversaries often use to compromise sensitive data. Although there are multiple ways an attacker could exfiltrate data from a compromised system, this technique was scored as significant based on Palo Alto Networks' advanced threat detection technology, which is constantly updated to detect the latest known variations of these attacks. |