forked from splunk/security_content
gcp_account_takeover.yml
name: GCP Account Takeover
id: 8601caff-414f-4c6d-9a04-75b66778869d
version: 1
date: '2022-10-12'
author: Mauricio Velazco, Bhavin Patel, Splunk
description: Monitor for activities and techniques associated with Account Takeover
attacks against Google Cloud Platform tenants.
narrative: 'Account Takeover (ATO) is an attack whereby cybercriminals gain unauthorized access to online accounts by using different techniques like brute force, social engineering,
phishing & spear phishing, credential stuffing, etc. By posing as the real user, cybercriminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic story groups detections that can help security operations teams identify the potential compromise of Azure Active Directory accounts.'
references:
- https://cloud.google.com/gcp
- https://cloud.google.com/architecture/identity/overview-google-authentication
- https://attack.mitre.org/techniques/T1586/
- https://www.imperva.com/learn/application-security/account-takeover-ato/
- https://www.barracuda.com/glossary/account-takeover
tags:
analytic_story: GCP Account Takeover
category:
- Account Compromise
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
usecase: Advanced Threat Detection