6/12/2023

Define fragger

Techniques: 31

Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts).

Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.

Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.

Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).

Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application.

Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used. For example, information about application windows could be used to identify potential data to collect as well as to identify security tooling (Security Software Discovery) to evade.

Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.

An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.

An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.

An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.

Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to File and Directory Discovery on a local host, after identifying available storage services (i.e. Cloud Infrastructure Discovery) adversaries may access the contents/objects stored in cloud infrastructure.

Adversaries may attempt to discover containers and other resources that are available within a containers environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster.

Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.

Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e.