ATT&CK-CN V1.01 Last Update: 2019-11 [Back to index]

Translators: 林妙倩 (cybersecurity intern, Institute for Network Sciences and Cyberspace, Tsinghua University), 戴亦仑 (赛宁网安). This is an original translation; please obtain the translators' consent before reproducing it.

Data source: ATT&CK Matrices

Original: https://attack.mitre.org/techniques/T1526

Glossary: /attack/glossary

Cloud Service Discovery

An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ depending on whether the target is platform-as-a-service (PaaS), infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many different services exist across the various cloud providers, including continuous integration and continuous delivery (CI/CD), Lambda functions, Azure AD, and others. Adversaries may attempt to discover information about the services enabled throughout the environment.

Pacu, an open source AWS exploitation framework, supports several methods for discovering cloud services.

Tags

ID: T1526

Tactic: Discovery

Platforms: AWS, GCP, Azure, Azure AD, Office 365, SaaS

Permissions Required: User

Data Sources: Azure activity logs, Stackdriver logs, AWS CloudTrail logs

Mitigation

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Cloud service discovery techniques will likely occur throughout an operation in which an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.

Normal, benign system and network events that look like cloud service discovery may be uncommon, depending on the environment and how it is used. Monitor cloud service usage for anomalous behavior that may indicate adversarial presence within the environment.
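As an added example (not part of the ATT&CK page, the translation, or the Pacu project), the following Python detection applies the "chain of behavior" advice above to the AWS CloudTrail data source listed for this technique. It groups read-only List/Describe/Get API calls per IAM principal and raises an alert only when one principal enumerates many distinct services inside a short window, rather than judging each call on its own. The field names (eventTime, eventSource, eventName, userIdentity.arn, sourceIPAddress) are the real CloudTrail ones; the account id, ARNs, IP addresses, timestamps, window length and thresholds are constructed values for the example and must be tuned to the environment.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail-style records (newline-delimited JSON). Field names match
# the CloudTrail schema; every value below is made up for this example.
SAMPLE_CLOUDTRAIL = """
{"eventTime": "2019-11-05T09:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops-deploy"}, "sourceIPAddress": "10.0.5.20"}
{"eventTime": "2019-11-05T09:45:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeVolumes", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops-deploy"}, "sourceIPAddress": "10.0.5.20"}
{"eventTime": "2019-11-05T14:02:10Z", "eventSource": "iam.amazonaws.com", "eventName": "ListUsers", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-tmp"}, "sourceIPAddress": "203.0.113.45"}
{"eventTime": "2019-11-05T14:02:15Z", "eventSource": "iam.amazonaws.com", "eventName": "ListRoles", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-tmp"}, "sourceIPAddress": "203.0.113.45"}
{"eventTime": "2019-11-05T14:02:30Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-tmp"}, "sourceIPAddress": "203.0.113.45"}
{"eventTime": "2019-11-05T14:02:45Z", "eventSource": "lambda.amazonaws.com", "eventName": "ListFunctions20150331", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-tmp"}, "sourceIPAddress": "203.0.113.45"}
{"eventTime": "2019-11-05T14:03:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-tmp"}, "sourceIPAddress": "203.0.113.45"}
{"eventTime": "2019-11-05T14:03:05Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeSecurityGroups", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-tmp"}, "sourceIPAddress": "203.0.113.45"}
{"eventTime": "2019-11-05T14:03:20Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-tmp"}, "sourceIPAddress": "203.0.113.45"}
{"eventTime": "2019-11-05T14:03:40Z", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-tmp"}, "sourceIPAddress": "203.0.113.45"}
{"eventTime": "2019-11-05T14:04:00Z", "eventSource": "iam.amazonaws.com", "eventName": "GetAccountAuthorizationDetails", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-tmp"}, "sourceIPAddress": "203.0.113.45"}
{"eventTime": "2019-11-05T14:04:30Z", "eventSource": "rds.amazonaws.com", "eventName": "DescribeDBInstances", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-tmp"}, "sourceIPAddress": "203.0.113.45"}
{"eventTime": "2019-11-05T14:10:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops-deploy"}, "sourceIPAddress": "10.0.5.20"}
"""

# Read-only API name prefixes that enumerate what exists in the account.
DISCOVERY_PREFIXES = ("List", "Describe", "Get")


def parse_records(text):
    """Parse newline-delimited CloudTrail-style JSON; attach a parsed UTC timestamp."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["_ts"] = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(rec)
    return records


def is_discovery_call(event_name):
    """True for List*/Describe*/Get* calls, the families used to enumerate services."""
    return event_name.startswith(DISCOVERY_PREFIXES)


def find_discovery_bursts(records, window=timedelta(minutes=10), min_calls=8, min_services=4):
    """Return one alert per burst: a principal making >= min_calls discovery calls
    across >= min_services distinct services within any window-long interval.
    Thresholds are assumptions; tune them against the environment's baseline."""
    by_principal = defaultdict(list)
    for rec in records:
        if is_discovery_call(rec["eventName"]):
            by_principal[rec["userIdentity"]["arn"]].append(rec)

    alerts = []
    for principal, events in by_principal.items():
        events.sort(key=lambda r: r["_ts"])
        i = 0
        while i < len(events):
            start = events[i]["_ts"]
            in_window = [e for e in events[i:] if e["_ts"] - start <= window]
            services = sorted({e["eventSource"] for e in in_window})
            if len(in_window) >= min_calls and len(services) >= min_services:
                alerts.append({
                    "principal": principal,
                    "source_ips": sorted({e["sourceIPAddress"] for e in in_window}),
                    "start": in_window[0]["eventTime"],
                    "end": in_window[-1]["eventTime"],
                    "calls": len(in_window),
                    "services": services,
                })
                i += len(in_window)  # skip past this burst so it is reported once
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in find_discovery_bursts(parse_records(SAMPLE_CLOUDTRAIL)):
        print(json.dumps(alert, indent=2))
```

On the constructed input the routine ignores the deploy user's two Describe calls 45 minutes apart and the PutObject write, and reports a single burst for the contractor principal that touched seven services in under three minutes. In a real pipeline the same function would consume records from CloudTrail delivered to S3 or a SIEM, and the alert would be enriched with whether the source IP and principal are expected before being escalated.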