Cloud Project Compromise Assessment

ID: S1005

Description: Evaluate a cloud project for malicious or unknown activities and determine if the cloud project is compromised. This is distinct from evaluating whether a particular instance in that cloud project is compromised.

Has an attacker gained access to the cloud project? (Initial Access) F1013

  • Q1039  Are there any detections of exposed service account credentials?
  • Q1040  Are there any interactions with the cloud project resources from an unknown external IP address (including Tor Exit nodes, C2 tagged addresses)?
  • Q1041  Are there any unexpected successful API calls from an unknown external IP address (including Tor Exit nodes, C2 tagged addresses)?
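One way to work Q1040 and Q1041 from Cloud Audit Logs, as an added example that is not part of DFIQ itself: the script below reads constructed audit log entries (real `protoPayload` field names, made-up principals, IPs and project), separates callers that fall outside an assumed corporate/VPC allowlist or appear on an assumed Tor-exit/C2 list, and then keeps only the calls that actually succeeded for Q1041.

```python
import ipaddress
import json

# Constructed sample Cloud Audit Log entries. Field names follow the real
# protoPayload schema (methodName, authenticationInfo, requestMetadata, status);
# the principals, IPs and project are made up for this example.
SAMPLE_LOG_LINES = [
    json.dumps({"protoPayload": {"methodName": "google.iam.admin.v1.CreateServiceAccountKey",
        "authenticationInfo": {"principalEmail": "ci@example-proj.iam.gserviceaccount.com"},
        "requestMetadata": {"callerIp": "10.0.4.17"}}}),
    json.dumps({"protoPayload": {"methodName": "storage.objects.list",
        "authenticationInfo": {"principalEmail": "ci@example-proj.iam.gserviceaccount.com"},
        "requestMetadata": {"callerIp": "198.51.100.23"}}}),
    json.dumps({"protoPayload": {"methodName": "storage.objects.get",
        "authenticationInfo": {"principalEmail": "ci@example-proj.iam.gserviceaccount.com"},
        "requestMetadata": {"callerIp": "203.0.113.9"},
        "status": {"code": 7, "message": "PERMISSION_DENIED"}}}),
    json.dumps({"protoPayload": {"methodName": "v1.compute.instances.list",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "requestMetadata": {"callerIp": "192.0.2.44"}}}),
]

# Constructed allowlist: corporate egress range and the project's own VPC.
KNOWN_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]
# Constructed stand-in for a Tor-exit / C2 tagged address list (a real one comes from a feed).
FLAGGED_IPS = {"198.51.100.23"}


def caller_reason(ip_str, known_ranges=KNOWN_RANGES, flagged_ips=FLAGGED_IPS):
    """Return why a caller IP is unexpected, or None if it is known/internal."""
    if ip_str in flagged_ips:
        return "threat-list"
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:  # non-IP placeholders that real logs use for internal callers
        return None
    if any(ip in net for net in known_ranges):
        return None
    return "unknown-external"


def triage(lines, known_ranges=KNOWN_RANGES, flagged_ips=FLAGGED_IPS):
    """Split audit log lines into Q1040 (any interaction) and Q1041 (successful call) findings."""
    interactions, successes = [], []
    for line in lines:
        p = json.loads(line)["protoPayload"]
        ip = p.get("requestMetadata", {}).get("callerIp", "")
        reason = caller_reason(ip, known_ranges, flagged_ips)
        if reason is None:
            continue
        finding = (p["authenticationInfo"]["principalEmail"], ip, p["methodName"], reason)
        interactions.append(finding)
        # status.code is only populated on failure; absent or 0 means the call succeeded.
        if p.get("status", {}).get("code", 0) == 0:
            successes.append(finding)
    return {"Q1040": interactions, "Q1041": successes}
```

A denied call from an unknown address still answers Q1040 (someone interacted) even though it drops out of Q1041, which is why the two lists are kept separate.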

Are there any signs of an attacker trying to maintain access to the cloud project? (Persistence) F1014

  • Q1042  Are there any APIs recently enabled?
  • Q1043  Are there any role bindings to cluster admin for anonymous users?
  • Q1044  Are there any unexpected resources created under the cloud project?
  • Q1045  Are there any unknown accounts created?
  • Q1046  Are there any unknown role bindings created?

Are there any signs of interference with cloud project protective measures? (Defense Evasion) F1015

  • Q1047  Are there any suspicious modifications to the cloud project firewall rules/policies?
  • Q1048  Are there any suspicious modifications to the cloud project logging configuration?

Are there indications of an attacker moving between resources? F1016

This may take the form of an attacker moving between cloud resources within the project or between the cloud project and on-prem systems.

  • Q1049  Is there an unusual increase of traffic between resources in the cloud project?

Are there any signs of data exfiltration from resources inside the cloud project? (Data Exfil) F1017

  • Q1050  Are there any GCS buckets within the cloud project shared externally?
  • Q1051  Are there any signs of data within the cloud project being transferred externally?
  • Q1039  Are there any detections of exposed service account credentials?