Detections
- Home
- - Detections
- -DT118
- ID: DT118
- Created: 29th April 2025
- Updated: 29th April 2025
- Platform: Oracle Cloud Infrastructure (OCI)
- Contributor: The ITM Team
OCI Unauthorized System or Service Modification
Monitor Oracle Cloud Infrastructure (OCI) Audit Logs to detect unauthorized system or service creation. Unauthorized provisioning in OCI can indicate insider threat activity aimed at illicit compute use, data staging, or security control bypass.
Where to Configure/Access
- OCI Audit Console: https://cloud.oracle.com/audit
- OCI Audit Documentation: https://docs.oracle.com/en-us/iaas/Content/Audit/Concepts/auditoverview.htm
Detection Methods
Analyze Audit Events such as:
LaunchInstance
(Compute instance creation)CreateBucket
(Object Storage creation)CreateVolume
(Block Volume creation)CreateVcn
(Virtual Network creation)
Configure Object Storage log exports and integrate with SIEM tools (e.g., Splunk, QRadar) for real-time detection.
Indicators
- Compute or storage resources created in unauthorized compartments.
- VCNs created without associated security lists or network ACLs.
- Instances launched using high-compute shapes without approved business justification.
Sections
ID | Name | Description |
---|---|---|
ME028 | Delegated Access via Managed Service Providers | An organization entrusts a Managed Service Provider (MSP) with administrative or operational access to its digital environment - typically for IT support, system maintenance, or development functions. This access is often persistent, privileged, and spans sensitive infrastructure or data environments.
The means is established when MSP personnel, including potential subjects, are permitted to authenticate into the client’s environment from systems or networks entirely outside the client's visibility or jurisdiction. These MSP endpoints may be unmanaged, unmonitored, or physically located in regions where customer organization's policies, incident response authority, or legal recourse do not apply.
This creates an unobservable access channel: the subject operates from infrastructure beyond the reach of the customer organization's logging, endpoint detection, or identity correlation. The organization is therefore unable to monitor or verify who accessed what, when, or from where—rendering all downstream actions unauditable by the customer organization's internal security teams, unless mirrored within the client-controlled environment.
The exposure can be compounded by the MSP’s internal controls (or lack thereof). Weak credential custody practices, shared administrative accounts, inadequate background checks, or poor workforce segmentation create conditions where privileged misuse or unauthorized access can occur without attribution or immediate detection. The subject does not require escalation—they begin with sanctioned access and operate under delegated trust, often without the constraints applied to internal staff.
This structural dependency - privileged access held externally, without enforceable oversight - creates the necessary conditions for an insider infringement to occur with low risk of interruption or accountability. |
IF009.006 | Installing Crypto Mining Software | The subject installs and operates unauthorized cryptocurrency mining software on organizational systems, leveraging compute, network, and energy resources for personal financial gain. This activity subverts authorized system use policies, degrades operational performance, increases attack surface, and introduces external control risks.
Characteristics
Example ScenarioA subject installs a customized |