attack.t1548

GCP Break-glass Container Workload Deployed

Dec 1, 2024 · attack.defense-evasion attack.t1548 ·

Detects the deployment of workloads that are deployed by using the break-glass flag to override Binary Authorization controls.

Potential Privilege Escalation via Local Kerberos Relay over LDAP

Aug 29, 2024 · attack.privilege-escalation attack.credential-access attack.t1548 ·

Share on:

Detects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.

Abused Debug Privilege by Arbitrary Parent Processes

Aug 12, 2024 · attack.privilege-escalation attack.t1548 ·

Share on:

Detection of unusual child processes by different system processes

AWS STS AssumeRole Misuse

Aug 12, 2024 · attack.lateral-movement attack.privilege-escalation attack.t1548 attack.t1550 attack.t1550.001 ·

Share on:

Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.

AWS STS GetSessionToken Misuse

Aug 12, 2024 · attack.lateral-movement attack.privilege-escalation attack.t1548 attack.t1550 attack.t1550.001 ·

Share on:

Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.

AWS Suspicious SAML Activity

Aug 12, 2024 · attack.initial-access attack.t1078 attack.lateral-movement attack.t1548 attack.privilege-escalation attack.t1550 attack.t1550.001 ·

Share on:

Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.

CA Policy Removed by Non Approved Actor

Aug 12, 2024 · attack.defense-evasion attack.persistence attack.t1548 attack.t1556 ·

Share on:

Monitor and alert on conditional access changes where non approved actor removed CA Policy.

CA Policy Updated by Non Approved Actor

Aug 12, 2024 · attack.defense-evasion attack.persistence attack.t1548 attack.t1556 ·

Share on:

Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare "old" vs "new" value.