DET0078 Behavioral Detection of Malicious Cloud API Scripting

ID: DET0078
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Technique Detected: T1059.009 (Cloud API)

Analytics

IaaS

AN0215

Detects adversarial use of cloud APIs for command execution, resource control, or reconnaissance. Focuses on CLI/SDK/scripting language abuse via stolen credentials or in-browser Cloud Shells. Monitors for anomalous API calls chained with authentication context shifts (e.g., stolen token -> privileged action) and cross-service impacts.

Log Sources

Data Component | Name | Channel
Command Execution (DC0064) | AWS:CloudTrail | eventName: RunInstances, CreateUser, PutRolePolicy, InvokeCommand
Cloud Service Modification (DC0069) | azure:activity | operationName: Write, Access Review, RoleAssignment
User Account Authentication (DC0002) | Okta:SystemLog | eventType: user.authentication.sso, app.oauth2.token.grant

Mutable Elements

Field | Description
TimeWindow | Off-hours API usage or configuration changes are more suspicious outside business context.
UserAgent | Unexpected SDK usage (e.g., boto3, azcopy, unknown User-Agent strings).
CredentialType | High-risk if an access token or API key is used outside expected geographic/IP behavior.
APISequence | Unusual or rapid chaining of provisioning, IAM, and execution APIs.
ConsoleContext | Browser-based Cloud Shell vs. local CLI may indicate an insider vs. external use case.
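As an added example that is not part of the ATT&CK page, the following Python scores CloudTrail-style records against three of AN0215's mutable elements: off-hours use (TimeWindow), an unexpected SDK User-Agent, and rapid chaining of IAM, provisioning and execution calls (APISequence). The business-hours range, chain window, User-Agent allowlist and the sample records are assumptions.

```python
# Added example (not from the ATT&CK page). Field names follow the CloudTrail
# JSON schema; thresholds, business hours and the User-Agent allowlist are
# assumptions to tune per tenant.
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_HOURS_UTC = range(8, 18)        # TimeWindow: 08:00-17:59 UTC is "business"
CHAIN_WINDOW = timedelta(minutes=10)     # APISequence: calls chained inside this window
EXPECTED_UA_PREFIXES = ("console.amazonaws.com", "aws-cli/")  # UserAgent allowlist

# APISequence categories, using the eventNames the page's log source lists.
API_CATEGORY = {
    "CreateUser": "iam", "PutRolePolicy": "iam",
    "RunInstances": "provisioning", "InvokeCommand": "execution",
}

def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def analyze(records):
    """Return {principal_arn: sorted list of AN0215 findings} for the records."""
    by_principal = defaultdict(list)
    for rec in records:
        if rec.get("eventName") in API_CATEGORY:
            by_principal[rec["userIdentity"]["arn"]].append(rec)
    findings = {}
    for principal, recs in by_principal.items():
        recs.sort(key=_ts)
        hits = set()
        for i, rec in enumerate(recs):
            if _ts(rec).hour not in BUSINESS_HOURS_UTC:
                hits.add("off_hours_api_use")
            if not rec.get("userAgent", "").startswith(EXPECTED_UA_PREFIXES):
                hits.add("unexpected_user_agent")
            # Distinct API categories touched within CHAIN_WINDOW of this call.
            cats = {API_CATEGORY[r["eventName"]] for r in recs[i:]
                    if _ts(r) - _ts(rec) <= CHAIN_WINDOW}
            if len(cats) >= 3:
                hits.add("iam_provisioning_execution_chain")
        if hits:
            findings[principal] = sorted(hits)
    return findings

# Constructed sample records (not real telemetry); only the fields used above.
def _rec(t, name, ua, arn="arn:aws:iam::111122223333:user/ci-deploy"):
    return {"eventTime": t, "eventName": name, "userAgent": ua, "userIdentity": {"arn": arn}}

SAMPLE = [
    _rec("2025-10-21T02:14:05Z", "CreateUser", "Boto3/1.34.0 Python/3.11"),
    _rec("2025-10-21T02:15:30Z", "PutRolePolicy", "Boto3/1.34.0 Python/3.11"),
    _rec("2025-10-21T02:19:12Z", "RunInstances", "Boto3/1.34.0 Python/3.11"),
    _rec("2025-10-21T02:21:40Z", "InvokeCommand", "Boto3/1.34.0 Python/3.11"),
    _rec("2025-10-21T10:05:00Z", "RunInstances", "aws-cli/2.15.0 Python/3.11",
         arn="arn:aws:iam::111122223333:user/ops-admin"),
]

if __name__ == "__main__":
    for principal, hits in analyze(SAMPLE).items():
        print(principal, hits)
```

The ci-deploy principal trips all three checks; the ops-admin principal, a single daytime CLI call, produces no finding.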