As companies migrate to cloud, so too do opportunist adversaries. That's why our Elastic Security team members have created free detection rules for protecting users' cloud platforms like AWS and Okta. Learn more in this blog post.

Cloud monitoring and detection challenges

Ingesting and searching cloud logs with Elastic

Detecting attackers operating in cloud environments

Monitoring AWS CloudTrail logs to detect suspicious behavior

Simulating adversary behavior in AWS

Detecting and investigating the suspicious behavior in AWS

Detecting suspicious behavior in Okta logs

Conclusion

Security operations: Cloud monitoring and detection with Elastic Security

Learn how Elastic Endpoint Security and Elastic SIEM can be used to hunt for and detect malicious persistence techniques at scale.

Persistence via scheduled tasks (T1053)

Real-world example: APT34 scheduled tasks abuse

Hunting for scheduled tasks

Other scheduled task considerations

Persistence via BITS jobs (T1197)

Hunting for malicious BITS jobs

Real-world example: Qbot malware

Others BITS and pieces

Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 2)

What is persistence and why do attackers need it?

What is Event Query Language (EQL)?

Persistence via Windows Management Instrumentation (WMI) Event Subscriptions (T1084)

Understanding WMI Event Subscriptions and how they can be abused

Hunting for and detecting malicious WMI Event Subscriptions

Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 1)

Author

Brent Murphy

Articles

Security operations: Cloud monitoring and detection with Elastic Security

Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 2)

Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 1)