| Analytic Story | ATT&CK Techniques | ATT&CK Tactics |
|---|---|---|
| AWS Cross Account Activity | Use Alternate Authentication Material | Defense Evasion |
| AWS Defense Evasion | Impair Defenses, Disable or Modify Cloud Logs | Defense Evasion |
| AWS IAM Privilege Escalation | Cloud Account, Create Account | Persistence |
| AWS Identity and Access Management Account Takeover | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Resource Development |
| AWS Network ACL Activity | Disable or Modify Cloud Firewall | Defense Evasion |
| AWS Security Hub Alerts | None | None |
| AWS User Monitoring | Cloud Accounts | Defense Evasion |
| Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | User Execution | Execution |
| Azure Active Directory Account Takeover | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying | Resource Development |
| Azure Active Directory Persistence | Account Manipulation, Valid Accounts | Persistence |
| Azure Active Directory Privilege Escalation | Account Manipulation | Persistence |
| Cloud Cryptomining | Unused/Unsupported Cloud Regions | Defense Evasion |
| Cloud Federated Credential Abuse | Image File Execution Options Injection, Event Triggered Execution | Privilege Escalation |
| Dev Sec Ops | Malicious Image, User Execution | Execution |
| GCP Cross Account Activity | Valid Accounts | Defense Evasion |
| Kubernetes Scanning Activity | Cloud Service Discovery | Discovery |
| Kubernetes Security | User Execution | Execution |
| Kubernetes Sensitive Object Access Activity | None | None |
| Office 365 Account Takeover | Steal Application Access Token | Credential Access |
| Office 365 Collection Techniques | Email Forwarding Rule, Email Collection | Collection |
| Office 365 Persistence Mechanisms | Account Manipulation, Additional Cloud Roles | Persistence |
| Suspicious AWS Login Activities | Cloud Accounts | Defense Evasion |
| Suspicious AWS S3 Activities | Data from Cloud Storage | Collection |
| Suspicious AWS Traffic | None | None |
| Suspicious Cloud Authentication Activities | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Resource Development |
| Suspicious Cloud Instance Activities | Cloud Accounts, Valid Accounts | Defense Evasion |
| Suspicious Cloud Provisioning Activities | Valid Accounts | Defense Evasion |
| Suspicious Cloud User Activities | Modify Cloud Compute Configurations | Defense Evasion |
| Suspicious GCP Storage Activities | Data from Cloud Storage | Collection |