This blog post provides comprehensive, practical guidance to prepare for, detect, and recover from destructive cyberattacks by hardening identity, backups, virtualization, cloud, OT/IT segmentation, and CI/CD/Kubernetes pipelines while listing detection opportunities and recommended controls. It also includes actionable detection rules and resilience practices (examples: BABYWIPER detection rules, domain controller backup commands) to reduce impact and speed recovery. #BABYWIPER #ActiveDirectory
Keypoints
- Prioritize resilient governance and out-of-band incident command, pre-established vendor relationships, and practiced recovery workflows to reduce operational disruption during destructive attacks.
- Harden external-facing assets and enforce phishing-resistant MFA, monitoring for brute-force, password-spray, AiTM/session token theft, MFA fatigue, and OAuth consent abuse.
- Protect domain controllers, backups, and restore processes—use encrypted, offline, immutable backups, validate DSRM credentials, and test authoritative/nonauthoritative restores regularly.
- Enforce strict IT/OT segmentation, deny-by-default egress policies, and egress inspection to limit lateral movement and outbound C2 or credential harvesting attempts.
- Harden virtualization management (vCenter/ESXi/Hyper-V): isolate management plane, restrict SSH, enable VM encryption, forward hypervisor logs, and detect VM disk detach/reattach and bulk VM power-off/snapshot deletion events.
- Secure cloud and CI/CD: enforce strong authentication, JIT/JEA privileges, isolated backup tenants with immutable storage, strict RBAC for Kubernetes, image signing, and audit pipeline/config changes for supply-chain or registry poisoning.
- Harden endpoints and Active Directory: restrict privileged account usage to PAWs, enforce Protected Users, rotate service account secrets, disable risky auth (WDigest/NTLMv1), enable tamper protection, and monitor LSASS/replication events (DCSync).
MITRE Techniques
- [T1110] Brute Force – Detects excessive failed logins from external IPs as an initial access vector. (‘Search for a single user with an excessive number of failed logins from external Internet Protocol (IP) addresses.’)
- [T1110.003] Password Spray – Detects broad failed authentication attempts across many accounts from similar sources. (‘Search for a high number of accounts with failed logins, typically from similar origination addresses.’)
- [T1078] Valid Accounts – Monitors use of stolen or misused valid credentials, including privileged accounts authenticating from unusual locations. (‘Privileged accounts should use internally managed and secured privileged access workstations for access and should not be accessible directly from an external (untrusted) source.’)
- [T1557] Adversary in the Middle – Detects AiTM/session token theft by anomalous sign-ins and inconsistent IP/ASN or new reverse-proxy domains. (‘Monitor for sign-ins where the authentication method succeeds but the session originates from an IP/ASN inconsistent with the user’s prior sessions.’)
- [T1621] MFA Request Generation – Detects MFA fatigue/prompt bombing by monitoring rapid repeated pushes. (‘Search for accounts receiving more than five MFA push notifications within a 10-minute window without a corresponding successful authentication.’)
- [T1098.005] Account Manipulation: Device Registration – Detects immediate attacker device registrations after suspicious sign-ins for persistent access. (‘Monitor audit logs for new MFA device registrations (AuthenticationMethodRegistered) occurring within 60 minutes of a sign-in from a new IP or device.’)
- [T1550.001] Use Alternate Authentication Material (OAuth/Consent Phishing) – Detects malicious OAuth consent grants with high-privilege scopes from unrecognized apps. (‘Monitor for OAuth application consent grants with high-privilege scopes (Mail.Read, Files.ReadWrite.All) from unrecognized application IDs.’)
- [T1490] Inhibit System Recovery – Detects deletion of volume shadow copies, snapshots, or bulk backup deletes to prevent recovery. (‘Search for instances where a threat actor will delete volume shadow copies to inhibit system recovery.’)
- [T1212] Exploitation for Credential Access – Monitors external SMB connection attempts as potential credential-harvesting vectors. (‘Search for external connection attempts over SMB, as this may be an attempt to harvest credential hashes.’)
- [T1046] Network Service Scanning – Detects internal network discovery and port/service enumeration across segmented environments. (‘Search for instances where a threat actor is performing internal network discovery to identify open ports and services between segmented environments.’)
- [T1021.004] Remote Services: SSH – Detects unauthorized SSH connections to virtualization hosts or management appliances. (‘Search for instances where an SSH connection is attempted when SSH has not been enabled for an approved purpose or is not expected from a specific origination asset.’)
- [T1059.004] Command and Scripting Interpreter (Unix Shell) – Detects high-risk shell commands on VCSA/host shells after interactive sessions. (‘Monitor VCSA shell audit logs for execution of high-risk commands (e.g., wget, curl, psql, certificate-manager) by any user following an interactive SSH session.’)
- [T1529] System Shutdown/Reboot – Detects bulk VM power-off/reboot sequences that may indicate destructive activity. (‘Detect sequences where multiple VMs are powered off within a short time window (e.g., >5 VMs in 10 minutes) via vCenter events.’)
- [T1486] Data Encrypted for Impact – Monitors unauthorized access to virtual disk files and VM detach/reattach events indicating offline credential theft or tampering. (‘Monitor for processes accessing .vmdk, .vmx, .vmsd, or .vmsn files outside of normal VMware service processes (hostd, vpxd, fdm).’)
- [T1562.001] Impair Defenses: Disable or Modify Tools – Detects disabling of cryptographic enforcement or security tooling on hypervisors and endpoints. (‘Monitor ESXi shell.log for execution of “esxcli system settings encryption set” with “--require-exec-installed-only=F” or “--require-secure-boot=F”.’)
- [T1556] Modify Authentication Process – Detects changes to vCenter SSO identity sources or authentication sources. (‘Monitor vCenter events and vpxd.log for modifications to SSO identity sources, including the addition of new LDAP providers or changes to vsphere.local administrator group membership.’)
- [T1021.002] SMB/Windows Admin Shares – Detects anomalous or high-volume SMB connections used for lateral movement and admin share abuse. (‘Search for a sharp increase in SMB connections that fall outside of a normal pattern.’)
- [T1047] Windows Management Instrumentation – Detects WMI usage for remote execution and tool transfer. (‘Search for WMI being used via a command line or PowerShell to call a remote service for execution.’)
- [T1105] Ingress Tool Transfer – Detects WMI or other techniques used to transfer tools into the environment. (‘Search for suspicious usage of WMI to download external resources.’)
- [T1187] Forced Authentication – Detects NTLM coercion/relay attempts via SMB/WebDAV and related APIs. (‘Search for potential NTLM authentication attempts using SMB or WebDAV.’)
- [T1003.006] OS Credential Dumping (DCSync) – Detects DCSync-like replication requests from non-DC sources attempting to replicate directory data. (‘Monitor for non-domain-controller sources issuing directory replication requests (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All).’)
- [T1558.003] Steal or Forge Kerberos Tickets: Kerberoasting – Detects Kerberos service ticket requests using RC4 that indicate Kerberoasting attempts. (‘Search for a Kerberos request using downgraded RC4 encryption.’)
- [T1558.004] Steal or Forge Kerberos Tickets: AS-REP Roasting – Detects AS-REP requests for accounts with preauthentication disabled. (‘Monitor Event ID 4768 for Kerberos authentication requests using RC4 encryption (0x17) for accounts with the “Do not require Kerberos preauthentication” flag set.’)
- [T1112] Modify Registry – Detects registry modifications to enable/disable WDigest, Restricted Admin, or Remote Credential Guard protections. (‘Search for evidence of WDigest being enabled in the Windows Registry: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential REG_DWORD = “1”.’)
- [T1003.002] OS Credential Dumping: LSASS Memory – Detects processes opening handles to LSASS indicative of credential dumping. (‘Monitor for processes accessing lsass.exe memory (Sysmon Event ID 10 with GrantedAccess 0x1010 or 0x1FFFFF).’)
- [T1654] Log Enumeration – Detects enumeration of cloud logging/audit configurations and SIEM export settings. (‘Monitor for API calls listing or accessing logging configurations from identities without documented operational need.’)
- [T1578.005] Modify Cloud Compute Configurations – Detects unauthorized snapshot, disk detach/reattach, or bulk compute changes affecting domain controllers or backups. (‘Monitor for unauthorized compute changes including bulk instance creation or deletion deviating from change management baselines.’)
- [T1195.002] Supply Chain Compromise: Compromise Software Supply Chain – Detects unauthorized CI/CD pipeline modifications and source-repo changes. (‘Monitor source code repositories for modifications to CI/CD pipeline configuration files.’)
- [T1525] Implant Internal Image – Detects unsigned or modified container images deployed to clusters or registries. (‘Monitor container registries and Kubernetes admission events for deployment of images that fail signature verification, lack provenance attestation, or originate from untrusted registries.’)
- [T1552.007] Unsecured Credentials: Container API – Detects anomalous Kubernetes secret access or bulk secret enumeration. (‘Monitor Kubernetes audit logs for API calls to /api/v1/secrets or /api/v1/namespaces/*/secrets from service accounts or users that do not normally access secrets.’)
- [T1611] Escape to Host – Detects pod creation or modifications requesting privileged contexts or host mounts that enable breakout to the host. (‘Monitor Kubernetes audit logs for pod creation or modification events requesting privileged security contexts, host namespace access, or volume mounts to sensitive host paths.’)
- [T1562.007] Impair Defenses: Disable or Modify Cloud Firewall/Logging – Detects tampering with Kubernetes audit logging, security agents, or log sinks. (‘Monitor for modifications to Kubernetes API server audit policy configurations, deletion or redirection of log export sinks, and disablement or removal of container runtime security agents.’)
- [T1556.009] Conditional Access Policies – Detects unauthorized modifications to cloud conditional access/MFA policies that reduce protections. (‘Monitor cloud identity provider audit logs for modifications to Conditional Access Policies, MFA enforcement rules, legacy authentication blocking rules, or PIM/JIT role settings.’)
- [T1078.004] Valid Accounts: Cloud Accounts – Detects cloud account abuse via anomalous source IPs, ASNs, or impossible travel. (‘Monitor cloud audit logs for authentication from unseen source IPs, anomalous ASNs, or impossible travel patterns.’)
- [T1021.007] Remote Services: Cloud Services – Detects lateral movement via cloud consoles by spotting interactive sign-ins from previously programmatic-only identities. (‘Detect interactive console sign-ins from IPs that previously only performed programmatic API/CLI access.’)
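Three of the detections above are time-window correlations over identity and hypervisor events: more than five MFA pushes in 10 minutes with no success (T1621), a device registration within 60 minutes of a sign-in from a new IP (T1098.005), and more than five VMs powered off in 10 minutes (T1529). The following Python is an added example, not code from the original post or from Google; it runs the three rules over a small set of constructed, already-normalised event records (the `ts`/`type`/`user`/`ip`/`vm` schema and the `KNOWN_IPS` baseline are assumptions; a real pipeline would map Entra ID sign-in/audit logs and vCenter events into that shape).

```python
"""Sliding-window detections for MFA fatigue, post-sign-in device
registration and bulk VM power-off over normalised event records.
Added example; the event schema and sample data are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not taken from the original post).
SAMPLE_EVENTS = [
    # alice: six pushes in five minutes, no successful sign-in -> prompt bombing
    *({"ts": f"2024-05-01T09:0{i}:00", "type": "mfa_push", "user": "alice"} for i in range(6)),
    # carol: six pushes but a success inside the window -> a user retrying, not flagged
    *({"ts": f"2024-05-01T10:0{i}:00", "type": "mfa_push", "user": "carol"} for i in range(6)),
    {"ts": "2024-05-01T10:02:30", "type": "mfa_success", "user": "carol"},
    # bob: sign-in from a never-seen IP, then a new MFA device 20 minutes later
    {"ts": "2024-05-01T13:00:00", "type": "signin", "user": "bob", "ip": "198.51.100.7"},
    {"ts": "2024-05-01T13:20:00", "type": "device_registered", "user": "bob"},
    # dave: device registered after a sign-in from a known IP -> not flagged
    {"ts": "2024-05-01T13:50:00", "type": "signin", "user": "dave", "ip": "10.0.0.8"},
    {"ts": "2024-05-01T14:00:00", "type": "device_registered", "user": "dave"},
    # six distinct VMs powered off within six minutes, then one lone power-off later
    *({"ts": f"2024-05-01T11:0{i}:00", "type": "vm_poweroff", "vm": f"vm{i:02d}"} for i in range(6)),
    {"ts": "2024-05-01T12:00:00", "type": "vm_poweroff", "vm": "vm99"},
]

# Constructed baseline: IPs each user has signed in from before (assumption).
KNOWN_IPS = {"bob": {"10.0.0.5"}, "dave": {"10.0.0.8"}}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _sorted(events, *types):
    """Events of the given types in chronological order."""
    return sorted((e for e in events if e["type"] in types), key=_ts)


def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Users who received more than `threshold` pushes inside `window`
    with no successful authentication anywhere in that window."""
    successes = defaultdict(list)
    for e in _sorted(events, "mfa_success"):
        successes[e["user"]].append(_ts(e))
    recent = defaultdict(deque)  # per-user pushes still inside the window
    flagged = set()
    for e in _sorted(events, "mfa_push"):
        user, now = e["user"], _ts(e)
        q = recent[user]
        q.append(now)
        while now - q[0] > window:   # evict pushes that fell out of the window
            q.popleft()
        if len(q) > threshold and not any(q[0] <= s <= now for s in successes[user]):
            flagged.add(user)
    return flagged


def detect_bulk_poweroff(events, window=timedelta(minutes=10), threshold=5):
    """VMs involved in any window where more than `threshold` distinct VMs
    were powered off (the >5 VMs in 10 minutes rule from the post)."""
    q = deque()
    hits = set()
    for e in _sorted(events, "vm_poweroff"):
        now = _ts(e)
        q.append((now, e["vm"]))
        while now - q[0][0] > window:
            q.popleft()
        vms = {vm for _, vm in q}
        if len(vms) > threshold:
            hits |= vms
    return hits


def detect_device_registration_after_new_ip(events, known_ips, window=timedelta(minutes=60)):
    """Users who registered an MFA device within `window` of a sign-in
    from an IP not in their baseline (or not seen earlier in the stream)."""
    seen = {user: set(ips) for user, ips in known_ips.items()}
    last_new_ip_signin = {}
    flagged = set()
    for e in _sorted(events, "signin", "device_registered"):
        user, now = e["user"], _ts(e)
        if e["type"] == "signin":
            if e["ip"] not in seen.setdefault(user, set()):
                seen[user].add(e["ip"])
                last_new_ip_signin[user] = now
        elif user in last_new_ip_signin and now - last_new_ip_signin[user] <= window:
            flagged.add(user)
    return flagged


if __name__ == "__main__":
    print("MFA fatigue:", detect_mfa_fatigue(SAMPLE_EVENTS))
    print("Bulk VM power-off:", sorted(detect_bulk_poweroff(SAMPLE_EVENTS)))
    print("Device registration after new-IP sign-in:",
          detect_device_registration_after_new_ip(SAMPLE_EVENTS, KNOWN_IPS))
```

All three rules use the same eviction pattern (a deque trimmed to the window on every new event), so the threshold and window stay tunable per environment without changing the logic; the MFA rule deliberately suppresses the alert when a success lands inside the window, which is what separates a user fumbling a login from an attacker pushing prompts at a victim.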
Indicators of Compromise
- [File names] Virtual and AD-critical files referenced as high-value targets – NTDS.dit (Active Directory database), .vmdk/.vhdx/.vhd (virtual disk files) and .vmx/.vmsd/.vmsn (VM metadata) used in disk-swap and offline theft scenarios.
- [Registry keys] Registry modifications and persistence indicators – HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DSRMAdminLogonBehavior (DSRM behavior), HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential (WDigest enablement), and other credential/RestrictedAdmin keys.
- [Event IDs] High-fidelity Windows/AD events to monitor – Event ID 4794 (DSRM password set attempts), Event ID 4768 (Kerberos authentication requests), and other events referenced (4662, 4663, 4886/4887) indicating replication, privilege abuse, or CA activity.
- [Log files / system artifacts] Hypervisor and endpoint logs useful for detection – vpxd.log and hostd.log (vCenter/ESXi), ESXi shell.log, Windows Firewall pfirewall.log, and Sysmon/LSASS access indicators (Sysmon Event ID 10 for LSASS handles).
- [Network / share artifacts] Lateral movement and egress indicators – ADMIN$, C$, IPC$ administrative shares (access attempts), SMB/WinRM/RDP connection attempts (TCP/445, TCP/3389, TCP/5985/5986) and suspicious egress to newly registered domains or known reverse-proxy names (e.g., EvilProxy, Tycoon referenced as detection examples).
- [Detection rule / name] Named detections and rule identifiers used by SecOps – “BABYWIPER File Erasure”, “Copy Binary From Downloads”, “Multiple Exclusions Added To Windows Defender In Single Command” (useful labels to correlate suspicious activity).
Read more: https://cloud.google.com/blog/topics/threat-intelligence/preparation-hardening-destructive-attacks/