This repository was archived by the owner on Apr 3, 2024. It is now read-only.
CloudIDS.yaml
version: 1
ATT&CK version: 10
creation date: 04/16/2022
name: Cloud IDS
contact: [email protected]
organization: Center for Threat Informed Defense (CTID)
platform: GCP
tags:
- Cloud IDS
- Intrusion Detection Service (IDS)
- Palo Alto Networks' Threat Signatures
- Analytics
description: >-
Cloud IDS is a managed intrusion detection service that inspects network traffic and raises alerts on
intrusions, malware, spyware, and other attacks. Its default ruleset is powered by
Palo Alto Networks' threat detection technologies and the vendor's latest threat
signatures (antivirus, anti-spyware, and vulnerability signatures). Cloud IDS
depends on Cloud Logging to collect and store its network telemetry and alerts. Further detection rules can
be crafted on top of that telemetry (e.g., PCAP, NetFlow) to generate additional alerts.
techniques:
- id: T1137
name: Office Application Startup
technique-scores:
- category: Detect
value: Significant
comments: >-
Often used by adversaries to establish persistence, Palo Alto Networks' antivirus
signatures are able to detect malware found in executables and Microsoft Office files
(e.g., DOC, DOCX, RTF, XLS, XLSX, PPT, PPTX).
Although an attacker could alter a malicious Office file so that it no longer matches a
known signature, this technique was scored as significant because Palo Alto Networks'
threat detection technology is constantly updated to detect the latest known
variations of these attacks.
- id: T1546.006
name: LC_LOAD_DYLIB Addition
technique-scores:
- category: Detect
value: Significant
comments: >-
Often used by adversaries to execute malicious content and establish persistence, Palo
Alto Networks' antivirus signatures are able to detect malicious content found in Mach
object (Mach-O) files, which adversaries modify to load and execute malicious
dynamic libraries when the binary runs.
This technique was scored as significant because Palo Alto Networks' threat
detection technology is constantly updated to detect variations of these attacks.
- id: T1204.002
name: Malicious File
technique-scores:
- category: Detect
value: Significant
comments: >-
Often used by adversaries to gain execution on a victim system, Palo Alto Networks' antivirus
signatures are able to detect malware found in Portable Document Format (PDF) files.
Although an attacker could alter a malicious file so that it no longer matches a known
signature, this technique was scored as significant because Palo Alto Networks'
threat detection technology is constantly updated to detect the latest known
variations of these attacks.
- id: T1055.002
name: Portable Executable Injection
technique-scores:
- category: Detect
value: Significant
comments: >-
Often used by adversaries to escalate privileges and evade defenses on Windows systems,
Palo Alto Networks' antivirus signatures are able to detect malware found in portable
executable (PE) files.
Although an attacker could modify a malicious PE file to avoid detection during delivery,
this technique was scored as significant because Palo Alto Networks' threat
detection technology is constantly updated to detect the latest known
variations of these attacks.
- id: T1221
name: Template Injection
technique-scores:
- category: Detect
value: Significant
comments: >-
Often used by adversaries to deliver malicious code while evading defenses, Palo Alto Networks' antivirus
signatures are able to detect malware found in executables and Microsoft Office
templates (e.g., DOC, DOCX, RTF, XLS, XLSX, PPT, PPTX).
Although an attacker could alter a known attack pattern so that it no longer matches a
signature, this technique was scored as significant because Palo Alto Networks'
threat detection technology is constantly updated to detect the latest known
variations of these attacks.
- id: T1505.003
name: Web Shell
technique-scores:
- category: Detect
value: Significant
comments: >-
Often used by adversaries to establish persistence, Palo Alto Networks' threat signatures
are able to detect programs that use an internet connection to provide remote access to a
compromised internal system.
Although there are multiple ways an attacker could establish unauthorized remote access to
a compromised system, this technique was scored as significant because Palo Alto
Networks' threat detection technology is constantly updated to detect
variations of these attacks.
- id: T1204.003
name: Malicious Image
technique-scores:
- category: Detect
value: Significant
comments: >-
Often used by adversaries to gain execution on a victim system, Palo Alto Networks' antivirus
signatures are able to detect download attempts or traffic generated by malicious
programs designed to mine cryptocurrency without the user's knowledge.
Although an attacker could modify the attack to avoid detection, this
technique was scored as significant because Palo Alto Networks' threat
detection technology is constantly updated to detect the latest known
variations of these crypto-mining attacks.
- id: T1048
name: Exfiltration Over Alternative Protocol
technique-scores:
- category: Detect
value: Significant
comments: >-
Often used by adversaries to steal sensitive data, Palo Alto Networks' spyware
signatures are able to detect data exfiltration attempts over command and control
communications.
Although there are ways an attacker could still exfiltrate data from a compromised system,
this technique was scored as significant because Palo Alto Networks' threat
detection technology is constantly updated to detect the latest known
variations of these attacks.
- id: T1041
name: Exfiltration Over C2 Channel
technique-scores:
- category: Detect
value: Significant
comments: >-
Often used by adversaries to steal sensitive data, Palo Alto Networks' spyware
signatures are able to detect data exfiltration attempts and anomalies over known command
and control communications.
Although there are ways an attacker could still exfiltrate data from a compromised system,
this technique was scored as significant because Palo Alto Networks' threat
detection technology is constantly updated to detect the latest known
variations of these attacks.
- id: T1567
name: Exfiltration Over Web Service
technique-scores:
- category: Detect
value: Significant
comments: >-
Often used by adversaries to steal sensitive data, Palo Alto Networks' spyware
signatures are able to detect data exfiltration attempts over command and control
communications (e.g., via a web shell).
Although there are ways an attacker could exfiltrate data from a compromised system, this
technique was scored as significant because Palo Alto Networks' threat
detection technology is constantly updated to detect the latest known
variations of these attacks.
- id: T1567.002
name: Exfiltration to Cloud Storage
technique-scores:
- category: Detect
value: Significant
comments: >-
Often used by adversaries to steal sensitive data, Palo Alto Networks' spyware
signatures are able to detect data exfiltration attempts over command and control
communications (e.g., via a web shell).
Although there are multiple ways an attacker could exfiltrate data from a compromised
system, this technique was scored as significant because Palo Alto Networks'
threat detection technology is constantly updated to detect the latest known
variations of these attacks.
- id: T1020
name: Automated Exfiltration
technique-scores:
- category: Detect
value: Significant
comments: >-
Often used by adversaries to steal sensitive data, Palo Alto Networks' spyware
signatures are able to detect data exfiltration attempts over command and control
communications.
Although there are ways an attacker could still exfiltrate data from a compromised system,
this technique was scored as significant because Palo Alto Networks' threat
detection technology is constantly updated to detect the latest known
variations of these attacks.
- id: T1110
name: Brute Force
technique-scores:
- category: Detect
value: Significant
comments: >-
Often used by adversaries to gain access to a system, Palo Alto Networks' vulnerability
signatures are able to detect repeated occurrences of a condition within a given time
window (e.g., failed logins) that indicate a brute force attack.
Although there are ways an attacker could brute force a system while avoiding detection
(e.g., by slowing the attempts), this technique was scored as significant because Palo Alto Networks'
threat detection technology is constantly updated to detect the latest known
variations of these attacks.
- id: T1499
name: Endpoint Denial of Service
technique-scores:
- category: Detect
value: Significant
comments: >-
Often used by adversaries to affect availability and deprive legitimate users of access, Palo
Alto Networks' vulnerability signatures are able to detect denial-of-service (DoS) attacks
that attempt to render a target system unavailable by flooding its resources with traffic.
This technique was scored as significant because Palo Alto Networks' threat
detection technology is constantly updated to detect a variety of
denial-of-service attacks.
- id: T1499.003
name: Application Exhaustion Flood
technique-scores:
- category: Detect
value: Significant
comments: >-
Often used by adversaries to affect availability and deprive legitimate users of access, Palo
Alto Networks' vulnerability signatures are able to detect denial-of-service (DoS) attacks
that attempt to crash a target system by flooding it with application-layer traffic.
This technique was scored as significant because Palo Alto Networks' threat
detection technology is constantly updated to detect variations of these
attacks.
- id: T1190
name: Exploit Public-Facing Application
technique-scores:
- category: Detect
value: Significant
comments: >-
Often used by adversaries to take advantage of software weaknesses in internet-facing web applications,
Palo Alto Networks' vulnerability signatures are able to detect SQL injection and other
common web attack techniques (e.g., the OWASP Top 10) that attempt to read or modify a
backend database.
Although there are other ways an attacker could leverage web application weaknesses to reach
sensitive data and databases, this technique was scored as significant because Palo
Alto Networks' threat detection technology is constantly updated to detect
the latest known variations of these attacks.
- id: T1566.002
name: Spearphishing Link
technique-scores:
- category: Detect
value: Significant
comments: >-
Often used by adversaries to gain access to a system, Palo Alto Networks' vulnerability
signatures are able to detect when a user attempts to connect to a malicious site hosting a
phishing kit landing page.
Although there are other ways an adversary could carry out a phishing attack, this technique
was scored as significant because Palo Alto Networks' threat detection
technology is constantly updated to detect variations of these attacks.
- id: T1137.006
name: Add-ins
technique-scores:
- category: Detect
value: Significant
comments: >-
Often used by adversaries to establish persistence, Palo Alto Networks' antivirus
signatures are able to detect malware found in executables and Microsoft Office add-ins.
Although there are other ways an attacker could deliver a malicious add-in, this technique was
scored as significant because Palo Alto Networks' threat detection technology
is constantly updated to detect the latest known variations of these attacks.
- id: T1137.001
name: Office Template Macros
technique-scores:
- category: Detect
value: Significant
comments: >-
Often used by adversaries to establish persistence, Palo Alto Networks' antivirus
signatures are able to detect malware found in executables and Microsoft Office templates.
Although there are other ways an attacker could deliver a malicious template, this technique was
scored as significant because Palo Alto Networks' threat detection technology
is constantly updated to detect the latest known variations of these attacks.
comments: >-
This mapping was scored as significant due to the control's notable detection accuracy, mappable
threat coverage, and time-related factors (e.g., real-time detection).
The techniques mapped here are a subset of the most notable detections available in Cloud IDS; a
thorough mapping to all of Palo Alto Networks' threat detection technologies was not possible
because of the constant signature updates, the extent of the third-party vendor's documentation,
and the continual addition of new threat signatures.
references:
- 'https://cloud.google.com/intrusion-detection-system'
- 'https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures'
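The description above says Cloud IDS depends on Cloud Logging for its telemetry and that further rules can be built on top of it, and each technique entry credits one Palo Alto Networks signature family (antivirus, spyware, vulnerability) with the detection. The following is an added example, not code from CloudIDS.yaml or the CTID project: it takes exported Cloud IDS threat-log entries and tags each alert with the ATT&CK technique IDs this mapping associates with its signature family, then drops low-severity alerts and tallies techniques. It assumes Cloud IDS writes alerts to the Cloud Logging log name ids.googleapis.com/threat with a jsonPayload carrying threat_type, name, alert_severity, source_ip_address and destination_ip_address; the sample entries are constructed to that shape, and the keyword heuristics that narrow a family to a specific technique are the example's own, not the mapping's. Verify the field names against the Cloud IDS logging documentation before running this over a real export.

```python
"""Added example: enrich Cloud IDS threat-log entries with the ATT&CK techniques
that CloudIDS.yaml credits to each Palo Alto Networks signature family.

Assumed log shape (check against the Cloud IDS logging docs): jsonPayload with
threat_type, name, alert_severity, source_ip_address, destination_ip_address.
"""
import json
from collections import Counter

# Which signature family the mapping credits with detecting each technique.
# Cloud IDS reports the family in threat_type; the PAN-OS spelling "virus" is
# normalised to "antivirus" to match the wording used in the mapping.
FAMILY_TECHNIQUES = {
    "antivirus": {"T1137", "T1137.001", "T1137.006", "T1221", "T1204.002",
                  "T1204.003", "T1055.002", "T1546.006"},
    "spyware": {"T1041", "T1048", "T1567", "T1567.002", "T1020"},
    "vulnerability": {"T1190", "T1110", "T1499", "T1499.003", "T1566.002"},
}
# Web Shell is credited to the generic "threat signatures", so it is a
# candidate under any family and is selected only by a keyword hit.
ANY_FAMILY = {"T1505.003"}

# Keyword heuristics (this example's assumption, not from the mapping) that
# narrow a family to specific techniques using words in the signature name.
KEYWORD_TECHNIQUES = (
    ("sql injection", {"T1190"}),
    ("brute force", {"T1110"}),
    ("flood", {"T1499", "T1499.003"}),
    ("phishing", {"T1566.002"}),
    ("webshell", {"T1505.003"}),
    ("coinminer", {"T1204.003"}),
    ("mach-o", {"T1546.006"}),
    ("macro", {"T1137.001"}),
    ("pdf", {"T1204.002"}),
    ("exfil", {"T1020", "T1041", "T1048", "T1567", "T1567.002"}),
)

# Cloud IDS alert_severity levels, lowest to highest (assumed set).
SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def normalise_family(threat_type):
    """Map the threat_type value onto the family names used in the mapping."""
    family = (threat_type or "").strip().lower()
    return "antivirus" if family in ("virus", "antivirus", "wildfire-virus") else family


def map_techniques(entry):
    """Sorted technique IDs for one alert: keyword hits narrow the family, no hit
    returns the whole family, and an unmapped family returns an empty list."""
    payload = entry.get("jsonPayload", entry)
    family = normalise_family(payload.get("threat_type"))
    candidates = FAMILY_TECHNIQUES.get(family, set()) | ANY_FAMILY
    name = (payload.get("name") or "").lower()
    hits = set()
    for keyword, techniques in KEYWORD_TECHNIQUES:
        if keyword in name:
            hits |= techniques & candidates
    return sorted(hits) if hits else sorted(candidates - ANY_FAMILY)


def triage(log_lines, min_severity="MEDIUM"):
    """Parse JSON log lines, drop alerts below min_severity, tally techniques.
    Returns (kept_alerts, Counter of alerts per technique)."""
    threshold = SEVERITY_RANK[min_severity.upper()]
    kept, per_technique = [], Counter()
    for line in log_lines:
        entry = json.loads(line)
        payload = entry.get("jsonPayload", entry)
        severity = str(payload.get("alert_severity", "INFORMATIONAL")).upper()
        if SEVERITY_RANK.get(severity, 0) < threshold:
            continue  # below the triage threshold, not worth an analyst's time
        techniques = map_techniques(entry)
        kept.append({"name": payload.get("name"), "severity": severity,
                     "src": payload.get("source_ip_address"),
                     "dst": payload.get("destination_ip_address"),
                     "techniques": techniques})
        per_technique.update(techniques)
    return kept, per_technique


def _alert(threat_type, name, severity, src, dst):
    """Build one constructed Cloud IDS threat-log line (sample data, not real)."""
    return json.dumps({"logName": "projects/example-project/logs/ids.googleapis.com%2Fthreat",
                       "jsonPayload": {"threat_type": threat_type, "name": name,
                                       "alert_severity": severity, "source_ip_address": src,
                                       "destination_ip_address": dst}})


# Constructed sample export: four alerts that map, plus one LOW alert to be dropped.
SAMPLE_LOG_LINES = [
    _alert("vulnerability", "HTTP SQL Injection Attempt", "HIGH", "203.0.113.7", "10.0.1.12"),
    _alert("spyware", "Generic Data Exfiltration Attempt", "CRITICAL", "10.0.1.12", "198.51.100.9"),
    _alert("virus", "Coinminer Download Attempt", "MEDIUM", "10.0.2.5", "198.51.100.20"),
    _alert("vulnerability", "SSH Brute Force Attempt", "LOW", "203.0.113.8", "10.0.1.30"),
    _alert("virus", "Microsoft Office Macro Malware", "HIGH", "198.51.100.30", "10.0.2.9"),
]

if __name__ == "__main__":
    alerts, counts = triage(SAMPLE_LOG_LINES)
    for alert in alerts:
        print(f"{alert['severity']:<9} {alert['src']} -> {alert['dst']}  "
              f"{alert['name']}  {', '.join(alert['techniques'])}")
    print("alerts per technique:", dict(counts))
```

When no keyword narrows the signature, the function deliberately returns the whole family rather than guessing a single technique, so an analyst sees every technique the mapping credits to that signature class; an unmapped family (for example a URL-filtering category) maps to nothing instead of being silently attributed. Feed it a real export by piping `gcloud logging read` output, one JSON object per line, into `triage`.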