- Home
- Techniques
- Enterprise
- Account Manipulation
- Additional Cloud Credentials
Account Manipulation: Additional Cloud Credentials
Other sub-techniques of Account Manipulation (4)
ID | Name |
---|---|
T1098.001 | Additional Cloud Credentials |
T1098.002 | Exchange Email Delegate Permissions |
T1098.003 | Add Office 365 Global Administrator Role |
T1098.004 | SSH Authorized Keys |
Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.
Adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.[1][2][3] These credentials include both x509 keys and passwords.[1] With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.[4]
In infrastructure-as-a-service (IaaS) environments, after gaining access through Cloud Accounts, adversaries may generate or import their own SSH keys using either the CreateKeyPair
or ImportKeyPair
API in AWS or the gcloud compute os-login ssh-keys add
command in GCP.[5] This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.[6][7]
Procedure Examples
Name | Description |
---|---|
UNC2452 |
UNC2452 added credentials to OAuth Applications and Service Principals.[8] |
Mitigations
Mitigation | Description |
---|---|
Multi-factor Authentication |
Use multi-factor authentication for user and privileged accounts. Consider enforcing multi-factor authentication for the |
Network Segmentation |
Configure access controls and firewalls to limit access to critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems. |
Privileged Account Management |
Do not allow domain administrator or root accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems. |
Detection
Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.
Monitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity.
References
- MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 17, 2020.
- Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming Azure. Retrieved October 23, 2019.
- Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming Azure. Retrieved November 21, 2019.
- Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service Principals. Retrieved January 19, 2020.
- Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved October 1, 2020.
- A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020.
- S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020, July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved October 1, 2020.
- MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020.