T1098.001 Additional Cloud Credentials Mappings

Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.

Adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)

In infrastructure-as-a-service (IaaS) environments, after gaining access through Cloud Accounts, adversaries may generate or import their own SSH keys using either the `CreateKeyPair` or `ImportKeyPair` API in AWS or the `gcloud compute os-login ssh-keys add` command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)
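As an added detection example (not part of this mapping page or of any product it lists), the following Python scans newline-delimited audit records for the credential-add events described above. The AWS `CreateKeyPair` and `ImportKeyPair` event names come from the technique text; the GCP method name `google.cloud.oslogin.v1.OsLoginService.ImportSshPublicKey`, the field layouts of both record shapes, the `EXPECTED_KEY_MANAGERS` allowlist and the sample records are all assumptions constructed for this example.

```python
"""Flag SSH key additions that map to ATT&CK T1098.001 (added example, not page content)."""
import json

# Event identifiers mapped to T1098.001. The AWS names are from the technique text;
# the GCP method name is an assumption about what the OS Login key-add produces.
WATCHLIST = {
    "aws": {"CreateKeyPair", "ImportKeyPair"},
    "gcp": {"google.cloud.oslogin.v1.OsLoginService.ImportSshPublicKey"},
}

# Principals expected to manage SSH keys (constructed, e.g. a provisioning pipeline).
EXPECTED_KEY_MANAGERS = {"arn:aws:iam::123456789012:role/provisioner"}

# Constructed sample records, one JSON document per line, in the two assumed log shapes.
SAMPLE_LOGS = """
{"eventTime": "2024-01-01T10:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}, "sourceIPAddress": "203.0.113.5"}
{"eventTime": "2024-01-01T10:05:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "ImportKeyPair", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}, "sourceIPAddress": "203.0.113.5"}
{"eventTime": "2024-01-01T10:06:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "CreateKeyPair", "userIdentity": {"arn": "arn:aws:iam::123456789012:role/provisioner"}, "sourceIPAddress": "10.0.0.9"}
{"timestamp": "2024-01-01T10:07:00Z", "protoPayload": {"methodName": "google.cloud.oslogin.v1.OsLoginService.ImportSshPublicKey", "authenticationInfo": {"principalEmail": "bob@example.com"}, "requestMetadata": {"callerIp": "198.51.100.7"}}}
{"timestamp": "2024-01-01T10:08:00Z", "protoPayload": {"methodName": "v1.compute.instances.list", "authenticationInfo": {"principalEmail": "bob@example.com"}, "requestMetadata": {"callerIp": "198.51.100.7"}}}
""".strip()


def classify(record):
    """Return (source, action, actor, ip, time) for a record, or None if its shape is unknown."""
    if "eventName" in record:  # CloudTrail-style record
        return ("aws", record["eventName"],
                record.get("userIdentity", {}).get("arn", "?"),
                record.get("sourceIPAddress", "?"), record.get("eventTime", "?"))
    payload = record.get("protoPayload")
    if payload:  # Cloud Audit Log-style record
        return ("gcp", payload.get("methodName", "?"),
                payload.get("authenticationInfo", {}).get("principalEmail", "?"),
                payload.get("requestMetadata", {}).get("callerIp", "?"),
                record.get("timestamp", "?"))
    return None


def detect(log_text):
    """Scan newline-delimited JSON and return one alert per watchlisted key-add event."""
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the whole scan
        parsed = classify(record)
        if parsed is None:
            continue
        source, action, actor, ip, when = parsed
        if action not in WATCHLIST[source]:
            continue
        alerts.append({
            "technique": "T1098.001",
            "source": source,
            "action": action,
            "actor": actor,
            "source_ip": ip,
            "time": when,
            # Key material added by a principal outside the allowlist deserves a closer look.
            "severity": "medium" if actor in EXPECTED_KEY_MANAGERS else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(json.dumps(alert))
```

On the sample input this yields three alerts: the two AWS key-pair calls and the GCP OS Login import, with the provisioning role's call rated medium and the two interactive principals' calls rated high. The allowlist is what keeps a rule like this usable in practice, since key additions by automation are routine while the same action from an unexpected user or IP is the signal the technique text describes.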


Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| cloud_asset_inventory | Cloud Asset Inventory | technique_scores | T1098.001 | Additional Cloud Credentials |
| identity_aware_proxy | Identity Aware Proxy | technique_scores | T1098.001 | Additional Cloud Credentials |
| resourcemanager | ResourceManager | technique_scores | T1098.001 | Additional Cloud Credentials |
| identityplatform | IdentityPlatform | technique_scores | T1098.001 | Additional Cloud Credentials |
| chronicle | Chronicle | technique_scores | T1098.001 | Additional Cloud Credentials |
| security_command_center | Security Command Center | technique_scores | T1098.001 | Additional Cloud Credentials |
| virtual_private_cloud | Virtual Private Cloud | technique_scores | T1098.001 | Additional Cloud Credentials |
| policy_intelligence | Policy Intelligence | technique_scores | T1098.001 | Additional Cloud Credentials |
| identity_and_access_management | Identity and Access Management | technique_scores | T1098.001 | Additional Cloud Credentials |