
DC0069 Cloud Service Modification

| Item | Value |
| --- | --- |
| ID | DC0069 |
| Version | 2.0 |
| Created | 20 October 2021 |
| Last Modified | 12 November 2025 |

Log Sources

| Name | Channel |
| --- | --- |
| AWS:CloudTrail | CreateFunction |
| AWS:CloudTrail | PutUserPolicy, PutGroupPolicy, PutRolePolicy, CreatePolicyVersion |
| AWS:CloudTrail | Condition block updated in IAM policy (e.g., aws:SourceIp, aws:RequestedRegion) |
| AWS:CloudTrail | UpdateAccountPasswordPolicy |
| AWS:CloudTrail | PutIdentityPolicy |
| AWS:CloudTrail | LeaveOrganization: API calls severing accounts from AWS Organizations |
| AWS:CloudTrail | CreateAccount: API calls creating new accounts in AWS Organizations |
| AWS:CloudTrail | UpdateIdentityPolicy or DisableMFA |
| AWS:CloudTrail | UpdateFederationSettings or RegisterHybridConnector |
| AWS:CloudTrail | CreateTrafficMirrorSession / ModifyTrafficMirrorTarget |
| AWS:CloudTrail | CreateFunction / UpdateFunctionConfiguration: Function creation, role assignment, or configuration change events |
| AWS:CloudTrail | RequestServiceQuotaIncrease |
| AWS:CloudTrail | Delete / Stop: DeleteAlarms, StopLogging, or DisableMonitoring API calls |
| AWS:CloudTrail | Use of temporary credentials issued from IMDS access |
| azure:activity | operationName: Write, Access Review, RoleAssignment |
| azure:activity | Microsoft.Network/networkWatchers/flowLogSettings/write |
| azure:activity | MICROSOFT.AUTHORIZATION/POLICIES/WRITE |
| azure:audit | Tenant subscription transfers or new management group creation |
| azure:audit | Consent to application: OAuth application consent granted to service principal |
| azure:policy | UpdatePolicy |
| azure:policy | DisableAuditLogs or ConditionalAccess logging changes |
| gcp:audit | compute.packetMirroring.insert |
| gcp:audit | projects.updateQuota or orgPolicies.updatePolicy |
| gcp:config | UpdateSink request modifying log export destinations |
| m365:unified | Creation of Power Automate flow triggered by OneDrive or Exchange event |
| m365:unified | SendMessage |
| m365:unified | AddFlow / UpdateFlow: New automation or workflow creation events |
| saas:appsscript | Create / Update: Deployment of scripts with event-driven triggers |
| saas:github | Workflow triggered via pull_request_target from forked repo |
| saas:integration | New or modified third-party application integrations with elevated permissions |
| saas:slack | Exported file or accessed admin API |

Detection Strategy

| ID | Name | Technique Detected |
| --- | --- | --- |
| DET0413 | Abuse of Information Repositories for Data Collection | T1213 |
| DET0010 | Behavioral Detection of Event Triggered Execution Across Platforms | T1546 |
| DET0078 | Behavioral Detection of Malicious Cloud API Scripting | T1059.009 |
| DET0030 | Detect Conditional Access Policy Modification in Identity and Cloud Platforms | T1556.009 |
| DET0293 | Detect Hybrid Identity Authentication Process Modification | T1556.007 |
| DET0190 | Detect MFA Modification or Disabling Across Platforms | T1556.006 |
| DET0104 | Detect Modification of Authentication Processes Across Platforms | T1556 |
| DET0497 | Detection of Impair Defenses through Disabled or Modified Tools across OS Platforms. | T1562.001 |
| DET0539 | Detection Strategy for Cloud Application Integration | T1671 |
| DET0147 | Detection Strategy for Cloud Service Hijacking via SaaS Abuse | T1496.004 |
| DET0289 | Detection Strategy for Disable or Modify Cloud Logs | T1562.008 |
| DET0492 | Detection Strategy for Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations | T1578.005 |
| DET0155 | Detection Strategy for Modify Cloud Resource Hierarchy | T1666 |
| DET0314 | Detection Strategy for Network Sniffing Across Platforms | T1040 |
| DET0533 | Detection Strategy for Poisoned Pipeline Execution via SaaS CI/CD Workflows | T1677 |
| DET0374 | Detection Strategy for Serverless Execution (T1648) | T1648 |
| DET0515 | Detection Strategy for T1528 - Steal Application Access Token | T1528 |
| DET0267 | Resource Hijacking Detection Strategy | T1496 |