Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management systems, such as Windows Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)
Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a Trusted Relationship. Similar to Domain Accounts, compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
---|---|---|---|---|---
cloud_asset_inventory | Cloud Asset Inventory | technique_scores | T1078.004 | Cloud Accounts | This control may be able to detect when adversaries use valid cloud accounts to elevate privileges through manipulation of IAM or access policies. This monitoring can be fine-tuned to specific assets, policies, and organizations.
identity_aware_proxy | Identity Aware Proxy | technique_scores | T1078.004 | Cloud Accounts | Protects access to applications hosted in the cloud and on-premises.
resourcemanager | ResourceManager | technique_scores | T1078.004 | Cloud Accounts | Adversaries may attempt to obtain credentials of existing accounts through privilege escalation or defense evasion. IAM audit logging in GCP can be used to determine roles and permissions, along with routinely checking user permissions to ensure only the expected users have the ability to list IAM identities or otherwise discover cloud accounts.
identityplatform | IdentityPlatform | technique_scores | T1078.004 | Cloud Accounts | Identity Platform lets you add Google-grade authentication to your apps and services, making it easier to secure user accounts and manage credentials securely. MFA can provide protection against an adversary that obtains valid credentials by requiring the adversary to complete an additional authentication process before access is permitted.
anthosconfigmanagement | AnthosConfigManagement | technique_scores | T1078.004 | Cloud Accounts | Anthos Config Management lets you create and manage Kubernetes objects across multiple clusters at once. PodSecurityPolicies can be enforced to prevent Pods from using the root Linux user. Based on the medium detection coverage, this sub-technique was scored as partial.
cloud_identity | Cloud Identity | technique_scores | T1078.004 | Cloud Accounts | This control can be used to mitigate malicious use of cloud accounts by enforcing multi-factor authentication or password policies.
security_command_center | Security Command Center | technique_scores | T1078.004 | Cloud Accounts | SCC ingests Cloud Audit logs to detect when an external member is added to a privileged group with sensitive permissions or roles. This security solution protects against compromised cloud accounts used to maintain persistence and harvest sensitive data. Because detection of this activity is near real time, the control was graded as significant.
advancedprotectionprogram | AdvancedProtectionProgram | technique_scores | T1078.004 | Cloud Accounts | Advanced Protection Program enables the use of a security key for multi-factor authentication. Integrating multi-factor authentication (MFA) into organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information.
policy_intelligence | Policy Intelligence | technique_scores | T1078.004 | Cloud Accounts | Adversaries may obtain and abuse credentials of a cloud account as a means of Initial Access, Persistence, Privilege Escalation, or Defense Evasion. IAM Recommender helps enforce least-privilege principles to ensure that permission levels are properly managed.
policy_intelligence | Policy Intelligence | technique_scores | T1078.004 | Cloud Accounts |
recaptcha_enterprise | reCAPTCHA Enterprise | technique_scores | T1078.004 | Cloud Accounts | reCAPTCHA Enterprise allows users to configure multi-factor authentication (MFA) to verify a user's identity by sending a verification code by email or SMS (known as an MFA challenge). When reCAPTCHA Enterprise assesses that user activity exceeds a threshold predetermined by the developer, it can trigger an MFA challenge to verify the user. This increases the likelihood that a compromised account will be prevented from impacting the system. Since reCAPTCHA Enterprise does not require an MFA challenge for all user activity, it has been given a rating of Partial.
identity_and_access_management | Identity and Access Management | technique_scores | T1078.004 | Cloud Accounts | This control protects against malicious use of cloud accounts and unauthorized access to them. It may mitigate the impact of compromised valid accounts by enabling fine-grained access policies and implementing least-privilege policies. MFA can provide protection against an adversary that obtains valid credentials by requiring the adversary to complete an additional authentication process before access is permitted.
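Detection logic of the kind the Cloud Asset Inventory and Security Command Center rows describe (an IAM policy change that grants a privileged role to a member outside the organization), written here as an added example that is not part of this mapping or of any Google product. It scans constructed Cloud Audit Log lines for `SetIamPolicy` binding deltas; the field layout under `protoPayload.serviceData.policyDelta.bindingDeltas`, the privileged-role shortlist and the trusted domain are assumptions made for the example.

```python
import json
# Assumed for this example: a shortlist of privileged roles and the org's domain.
PRIVILEGED_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin",
                    "roles/resourcemanager.organizationAdmin"}
TRUSTED_DOMAINS = {"example.com"}

def member_is_external(member, trusted_domains=TRUSTED_DOMAINS):
    """True when an IAM member string names a principal outside the org."""
    if member in ("allUsers", "allAuthenticatedUsers"):
        return True
    kind, _, ident = member.partition(":")
    if kind in ("user", "group", "serviceAccount"):
        return ident.rsplit("@", 1)[-1] not in trusted_domains
    return True  # domain:, deleted:, or unknown prefixes: flag for review

def scan_audit_entries(entries, trusted_domains=TRUSTED_DOMAINS):
    """Return (actor, resource, member, role) for each privileged role ADDed to an external member."""
    findings = []
    for entry in entries:
        p = entry.get("protoPayload", {})
        if p.get("methodName") != "SetIamPolicy":
            continue  # only IAM policy changes carry binding deltas
        actor = p.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        resource = p.get("resourceName", "<unknown>")
        deltas = p.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for d in deltas:
            member, role = d.get("member", ""), d.get("role", "")
            if (d.get("action") == "ADD" and role in PRIVILEGED_ROLES
                    and member_is_external(member, trusted_domains)):
                findings.append((actor, resource, member, role))
    return findings

def _entry(method, actor, deltas):  # one constructed audit line in the Admin Activity JSON shape
    return json.dumps({"protoPayload": {
        "methodName": method, "resourceName": "projects/demo-project",
        "authenticationInfo": {"principalEmail": actor},
        "serviceData": {"policyDelta": {"bindingDeltas": deltas}}}})

# Constructed sample lines (not real logs): a routine grant, a change that drops an internal editor and adds an external owner, and an unrelated IAM call.
SAMPLE_LOG_LINES = [
    _entry("SetIamPolicy", "alice@example.com",
           [{"action": "ADD", "role": "roles/viewer", "member": "user:bob@example.com"}]),
    _entry("SetIamPolicy", "alice@example.com",
           [{"action": "REMOVE", "role": "roles/editor", "member": "user:carol@example.com"},
            {"action": "ADD", "role": "roles/owner", "member": "user:mallory@outside.test"}]),
    _entry("google.iam.admin.v1.CreateServiceAccountKey", "alice@example.com", []),
]

def findings_from_lines(lines=SAMPLE_LOG_LINES):
    return scan_audit_entries(json.loads(line) for line in lines)
```

Service accounts under `*.gserviceaccount.com` are reported as external unless their domain is added to `TRUSTED_DOMAINS`, so tune that set to the projects you own before relying on the alert.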