Salesforce unusual CLI activity


Goal

Detects unusual Salesforce CLI tool usage.

Strategy

This rule monitors Salesforce events containing user agent strings Salesforce-Multi-Org-Fetcher/1.0 or Salesforce-CLI/1.0. These user agents are associated with Salesforce command-line interface tools and multi-organization management utilities that provide programmatic access to Salesforce data and configuration. While these tools have legitimate administrative uses, they can also be leveraged by attackers for automated data extraction, configuration changes, or reconnaissance activities. The detection triggers on any usage of these CLI tools, as they represent elevated access capabilities that should be carefully monitored.

Triage & Response

  • Examine the specific activities performed by {{@usr.id}} using the Salesforce CLI tools to determine if they align with authorized administrative tasks.
  • Review the user’s role and permissions to verify whether they have a legitimate reason to use command-line tools for Salesforce administration.
  • Analyze the timing and frequency of the CLI usage to identify potential automated or scripted activities that may indicate malicious intent.
  • Check if the CLI usage correlates with any recent system changes, data migrations, or administrative projects that would justify the tool usage.
  • Verify with the user and their supervisor whether the CLI tool usage was authorized and part of legitimate business operations.
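The following is an added worked example, not part of this rule or of Datadog's or Salesforce's own code. It implements the user-agent match described under Strategy and the timing/frequency check from the third triage step, grouping matches per user and flagging users whose CLI events arrive in a tight burst. The flattened event shape (usr.id, http.useragent, evt.name, timestamp keys) and the sample events are constructed assumptions for illustration; real Salesforce event-monitoring records may nest these fields differently.

```python
"""Detection and triage helper for the Salesforce CLI user-agent rule.

Added example, not the rule's or Datadog's own implementation. The event
shape (flat dict with usr.id, http.useragent, evt.name, timestamp) is an
assumption chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timezone

# User agents the rule keys on (taken from the Strategy section).
CLI_USER_AGENTS = ("Salesforce-Multi-Org-Fetcher/1.0", "Salesforce-CLI/1.0")


def _ts(minute, second):
    # Constructed timestamps on one fixed day, used only by the sample events.
    return datetime(2024, 1, 15, 9, minute, second, tzinfo=timezone.utc)


# Constructed sample events (hypothetical shape, not real log data).
# alice: one interactive CLI call; bob: six CLI calls in ~35 seconds; carol: no CLI.
SAMPLE_EVENTS = [
    {"usr.id": "alice@example.com", "http.useragent": "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0",
     "evt.name": "Login", "timestamp": _ts(0, 0)},
    {"usr.id": "alice@example.com", "http.useragent": "Salesforce-CLI/1.0",
     "evt.name": "ApiEvent", "timestamp": _ts(5, 0)},
    {"usr.id": "bob@example.com", "http.useragent": "Salesforce-Multi-Org-Fetcher/1.0",
     "evt.name": "ApiEvent", "timestamp": _ts(10, 0)},
    {"usr.id": "bob@example.com", "http.useragent": "Salesforce-Multi-Org-Fetcher/1.0",
     "evt.name": "ApiEvent", "timestamp": _ts(10, 5)},
    {"usr.id": "bob@example.com", "http.useragent": "Salesforce-Multi-Org-Fetcher/1.0",
     "evt.name": "ApiEvent", "timestamp": _ts(10, 12)},
    {"usr.id": "bob@example.com", "http.useragent": "Salesforce-Multi-Org-Fetcher/1.0",
     "evt.name": "ApiEvent", "timestamp": _ts(10, 20)},
    {"usr.id": "bob@example.com", "http.useragent": "Salesforce-Multi-Org-Fetcher/1.0",
     "evt.name": "ApiEvent", "timestamp": _ts(10, 27)},
    {"usr.id": "bob@example.com", "http.useragent": "Salesforce-Multi-Org-Fetcher/1.0",
     "evt.name": "ApiEvent", "timestamp": _ts(10, 35)},
    {"usr.id": "carol@example.com", "http.useragent": "SalesforceMobileSDK/11.0",
     "evt.name": "Login", "timestamp": _ts(12, 0)},
]


def is_cli_event(event):
    """True when the event's user agent contains one of the monitored CLI strings."""
    agent = event.get("http.useragent") or ""
    return any(ua in agent for ua in CLI_USER_AGENTS)


def detect(events):
    """Return the events this rule would fire on."""
    return [e for e in events if is_cli_event(e)]


def events_by_user(events):
    """Group matching events by usr.id so each user can be triaged separately."""
    grouped = defaultdict(list)
    for e in detect(events):
        grouped[e["usr.id"]].append(e)
    return dict(grouped)


def scripted_users(events, window_seconds=60, threshold=5):
    """User ids with at least `threshold` CLI events inside any `window_seconds` span.

    Sliding window over sorted timestamps; a dense burst is the timing/frequency
    signal the triage steps call out as a hint of automated activity.
    """
    flagged = []
    for user, evs in events_by_user(events).items():
        times = sorted(e["timestamp"] for e in evs)
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(user)
                break
    return sorted(flagged)


def triage_summary(events, window_seconds=60, threshold=5):
    """Per-user view for an analyst: count, first/last seen, agents used, burst flag."""
    bursty = set(scripted_users(events, window_seconds, threshold))
    summary = {}
    for user, evs in events_by_user(events).items():
        times = [e["timestamp"] for e in evs]
        summary[user] = {
            "count": len(evs),
            "first_seen": min(times).isoformat(),
            "last_seen": max(times).isoformat(),
            "user_agents": sorted({e["http.useragent"] for e in evs}),
            "possible_scripted": user in bursty,
        }
    return summary


if __name__ == "__main__":
    for user, info in triage_summary(SAMPLE_EVENTS).items():
        print(user, info)
```

The burst threshold and window are starting points, not fixed values: tune them against the organisation's own baseline of sanctioned CLI use, and treat a flagged user as a prompt for the remaining triage steps (role review, change correlation, confirmation with the user) rather than as a verdict.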