Oracle Cloud user requested to create or reset password from malicous IP

This rule is part of a beta feature. To learn more, contact Support.
oracle-cloud-infrastructure

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1078-valid-accounts

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください

Goal

Detect when an API request to reset the password was made by a user.

Strategy

Monitor Oracle cloud logs to detect the API call CreateOrResetMyPasswordRequest. An attacker can compromise the user’s email address to reset the user’s password.

Triage and response

  1. Determine if the request to reset the user password should have been made.
  2. If not, investigate the action performed by {{@usr.name}} for indicators of account compromise, and rotate credentials if necessary.
PREVIEWING: domalessi/docs-10584