Keypoints
- Datadog describes hunting opportunities in Salesforce logs for attacker behavior ranging from reconnaissance through discovery.
- Threat actors abuse Salesforce apps and APIs to exfiltrate data, move laterally into connected cloud services, and monetize stolen access.
- The article explains differences between Event Log Files (ELF) and Real-Time Event Monitoring (RTEM), plus Salesforce logging nuances such as user agent value 9999.
- Attackers may use guest or compromised accounts to access Aura configuration data, sensitive objects, and broad API resources.
- The post highlights detection of failed logins, MFA denial patterns, brute-force attempts, and suspicious MFA factor changes on victim accounts.
- OAuth access token abuse is a major focus, including unusual connected apps, rare IPs, and API activity that follows successful OAuth logins.
- The article also covers discovery behavior such as querying API limits, listing objects, and counting records to prepare for exfiltration.
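As an added illustration of the failed-login and discovery hunts summarized above (example code written here, not from the Datadog article), the following Python runs two checks over constructed records shaped like simplified Event Log File rows; the field names USER_NAME, SOURCE_IP, LOGIN_STATUS, URI and QUERY are assumptions, as are all sample values.

```python
from collections import defaultdict
from fnmatch import fnmatch

# Constructed sample rows in the shape of simplified Salesforce ELF records.
# Field names and values are assumptions for illustration, not captured data.
LOGIN_ROWS = [
    {"USER_NAME": "alice@example.com", "SOURCE_IP": "203.0.113.7", "LOGIN_STATUS": "LOGIN_ERROR_INVALID_PASSWORD"},
] * 4 + [
    {"USER_NAME": "alice@example.com", "SOURCE_IP": "203.0.113.7", "LOGIN_STATUS": "LOGIN_ERROR_LOGINS_EXCEEDED"},
    {"USER_NAME": "alice@example.com", "SOURCE_IP": "203.0.113.7", "LOGIN_STATUS": "LOGIN_NO_ERROR"},
    {"USER_NAME": "bob@example.com", "SOURCE_IP": "198.51.100.2", "LOGIN_STATUS": "LOGIN_ERROR_INVALID_PASSWORD"},
    {"USER_NAME": "bob@example.com", "SOURCE_IP": "198.51.100.2", "LOGIN_STATUS": "LOGIN_NO_ERROR"},
]
API_ROWS = [
    {"USER_NAME": "alice@example.com", "URI": "/services/data/v58.0/limits", "QUERY": ""},
    {"USER_NAME": "alice@example.com", "URI": "/services/data/v58.0/sobjects", "QUERY": ""},
    {"USER_NAME": "alice@example.com", "URI": "/services/data/v58.0/query", "QUERY": "SELECT COUNT() FROM Account"},
    {"USER_NAME": "alice@example.com", "URI": "/services/data/v58.0/query", "QUERY": "SELECT COUNT() FROM Contact"},
    {"USER_NAME": "bob@example.com", "URI": "/services/data/v58.0/query", "QUERY": "SELECT Id, Name FROM Account WHERE Id = '001xx'"},
]

FAILURE_STATUSES = {"LOGIN_ERROR_INVALID_PASSWORD", "LOGIN_ERROR_LOGINS_EXCEEDED"}
DISCOVERY_URIS = ("/services/data/*/limits*", "/services/data/*/sobjects")


def brute_force_then_success(rows, threshold=5):
    """Return (user, ip) pairs with >= threshold failures followed by a successful login."""
    failures, hits = defaultdict(int), []
    for r in rows:
        key = (r["USER_NAME"], r["SOURCE_IP"])
        if r["LOGIN_STATUS"] in FAILURE_STATUSES:
            failures[key] += 1
        elif r["LOGIN_STATUS"] == "LOGIN_NO_ERROR" and failures[key] >= threshold:
            hits.append(key)  # guessing that ended in a valid session: top hunting priority
    return hits


def discovery_users(rows, min_signals=2):
    """Return users that hit >= min_signals distinct discovery signals (limits, sobjects, COUNT() queries)."""
    signals = defaultdict(set)
    for r in rows:
        for pattern in DISCOVERY_URIS:
            if fnmatch(r["URI"], pattern):
                signals[r["USER_NAME"]].add(pattern)
        if r.get("QUERY", "").upper().startswith("SELECT COUNT()"):
            signals[r["USER_NAME"]].add("count_query")  # tenant-sizing queries that precede bulk extraction
    return sorted(u for u, s in signals.items() if len(s) >= min_signals)
```

In production the same logic would key on the real ELF column names of the Login and RestApi event types and run per time window rather than over a whole file.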
MITRE Techniques
- [T1580] Cloud Infrastructure Discovery – Attackers enumerate Salesforce objects, limits, and available resources to understand the tenant before exploitation (‘enumerate resources (what objects exist, how big they are, what limits apply)’).
- [T1528] Steal Application Access Token – The post highlights abuse of OAuth access tokens and suspicious OAuth logins used to access Salesforce (‘Review use of OAuth access tokens’).
- [T1110] Brute Force – Repeated login attempts and spikes in failed logins are described as brute-force activity against Salesforce accounts (‘the attacker often resorts to repeated login attempts’).
- [T1621] Multi-Factor Authentication Request Generation – Attackers pressure users into approving or providing MFA factors, such as SMS codes (‘convinces the user to provide or approve soft MFA factors’).
- [T1556] Modify Authentication Process – Threat actors attempt to change email addresses or phone numbers and add new MFA options to lock out victims (‘attempts to add new MFA options to high privileged accounts’).
- [T1087] Account Discovery – Queries that list accounts, contacts, users, and other objects are used to identify valuable records (‘measured the tenant’s scale by listing accounts, contacts, users, and other objects’).
- [T1213] Data from Information Repositories – Salesforce objects, reports, and queries are used to collect data from the platform (‘Extract data (REST queries, Bulk API jobs, report exports, file downloads)’).
- [T1078] Valid Accounts – The article repeatedly notes compromised user, guest, SSO, and OAuth-based access being used for legitimate-looking access (‘Authenticate (user credentials, SSO session, or OAuth token)’).
Indicators of Compromise
- [Threat Actor Names] referenced campaign identifiers – GRUB1, UNC6395
- [Organizations / Services] incident references and platforms – Salesloft, Google Cloud, Cloudflare, Datadog
- [API Paths / URIs] suspicious Salesforce endpoints – /services/data/*/limits*, /services/data/*/sobjects, /services/data/*/query*
- [Salesforce Event Names] log sources and suspicious event types – AuraRequest, RestApi, ApiEvent, LoginEvent, IdentityVerificationEvent, UriEvent
- [Action / Query Strings] suspicious controller and query patterns – HostConfigController/ACTION$getConfigData, SelectableListDataProviderController/ACTION$getItems, SELECT COUNT() FROM Account
- [Authentication / Login Status Values] suspicious login indicators – LOGIN_NO_ERROR, LOGIN_TWOFACTOR_REQ, LOGIN_ERROR_INVALID_PASSWORD, LOGIN_ERROR_LOGINS_EXCEEDED
- [URI Fragments] MFA and password-change related paths – /_ui/system/security/ChangePassword, *EmailVerificationFinish*, *TotpVerification*