Oracle Cloud user requested to create or reset password from malicious IP

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detect when an API request to reset the password was made by a user.

Strategy

Monitor Oracle Cloud logs to detect the API call CreateOrResetMyPasswordRequest. An attacker who has compromised the user’s email address can use it to reset the user’s password.

Triage and response

  1. Determine if the request to reset the user password should have been made.
  2. If not, investigate the action performed by {{@usr.name}} for indicators of account compromise, and rotate credentials if necessary.
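
The strategy and triage steps above, run offline as an added example (not the rule's own query): it flags CreateOrResetMyPasswordRequest events whose source IP is on a blocklist, then collects the same user's follow-up actions for review. The flat field names (`ts`, `evt`, `usr`, `ip`), the blocklist, and the sample events are constructed assumptions, not Oracle's log schema.

```python
import ipaddress
from datetime import datetime, timedelta

EVENT = "CreateOrResetMyPasswordRequest"  # API call named in the rule

# Constructed blocklist (documentation ranges) standing in for a threat-intel feed.
BAD_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

# Constructed sample events; field names are assumptions, not Oracle's schema.
LOGS = [
    {"ts": "2024-05-01T10:00:00", "evt": "ListBuckets", "usr": "alice", "ip": "192.0.2.10"},
    {"ts": "2024-05-01T10:05:00", "evt": EVENT, "usr": "alice", "ip": "203.0.113.45"},
    {"ts": "2024-05-01T10:07:00", "evt": "UploadApiKey", "usr": "alice", "ip": "203.0.113.45"},
    {"ts": "2024-05-01T10:08:00", "evt": EVENT, "usr": "carol", "ip": "not-an-ip"},
    {"ts": "2024-05-01T10:09:00", "evt": EVENT, "usr": "bob", "ip": "192.0.2.20"},
    {"ts": "2024-05-01T12:30:00", "evt": "ListUsers", "usr": "alice", "ip": "203.0.113.45"},
]

def is_listed(ip):
    """True if ip parses and falls inside a blocklisted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed source address: no match, no crash
    return any(addr in net for net in BAD_NETS)

def detect(logs):
    """Return password reset requests whose source IP is blocklisted."""
    return [e for e in logs if e["evt"] == EVENT and is_listed(e["ip"])]

def triage(logs, signal, window=timedelta(hours=1)):
    """Return the same user's later actions within `window`, for review."""
    start = datetime.fromisoformat(signal["ts"])
    return [
        e for e in logs
        if e["usr"] == signal["usr"]
        and start < datetime.fromisoformat(e["ts"]) <= start + window
    ]

if __name__ == "__main__":
    for s in detect(LOGS):
        print("signal:", s["usr"], s["ip"], s["ts"])
        for e in triage(LOGS, s):
            print("  follow-up:", e["evt"], e["ip"], e["ts"])
```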