Adversaries may log into accessible cloud services within a compromised environment using Valid Accounts that are synchronized with or federated to on-premises user identities. The adversary may then perform management actions or access cloud-hosted resources as the logged-on user.
Many enterprises federate centrally managed user identities to cloud services, allowing users to log in with their domain credentials in order to access the cloud control plane. Similarly, adversaries may connect to available cloud services through the web console or through the cloud command line interface (CLI) (e.g., Cloud API), using commands such as <code>Connect-AZAccount</code> for Azure PowerShell, <code>Connect-MgGraph</code> for Microsoft Graph PowerShell, and <code>gcloud auth login</code> for the Google Cloud CLI.
In some cases, adversaries may be able to authenticate to these services via Application Access Token instead of a username and password.
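The following is an added example, not part of the ATT&CK or mapping page, showing the defender-side check that the mappings below point to: sign-ins by on-premises-synced or federated identities that reach the cloud control plane through a CLI or API client (including ones made with an application access token rather than a password) are triaged against whether strong MFA or a passwordless method was actually presented. The record fields and the sample sign-ins are constructed for this illustration; they do not reproduce any vendor's log schema.

```python
"""Added example: triage constructed cloud sign-in records for the pattern
described above (federated identity -> cloud control plane via CLI/API client)
and report those not gated by strong MFA or a passwordless method.
The SignIn fields and SAMPLE_SIGNINS are constructed for this illustration."""
from dataclasses import dataclass
from typing import Iterable, List

# Client types that drive the control plane without a browser session
# (Azure PowerShell, Microsoft Graph PowerShell, gcloud, raw API calls).
CLI_CLIENT_TYPES = {"cli", "powershell", "api"}

# Methods the mapping page treats as strong/passwordless factors.
STRONG_METHODS = {"fido2", "authenticator"}


@dataclass(frozen=True)
class SignIn:
    user: str            # user principal name of the signing-in identity
    federated: bool      # identity is synced/federated from on-premises AD
    client_type: str     # "browser", "cli", "powershell" or "api"
    resource: str        # control-plane or API endpoint that was accessed
    mfa_satisfied: bool  # a Conditional Access MFA requirement was met
    auth_method: str     # "password", "fido2", "authenticator", "app_token"


def is_risky_cloud_cli_signin(s: SignIn) -> bool:
    """True when a federated identity reached the control plane from a
    CLI/API client with neither an MFA-satisfied result nor a passwordless
    method, i.e. exactly the case stolen credentials or a stolen token
    would produce."""
    if s.client_type not in CLI_CLIENT_TYPES:
        return False
    if not s.federated:
        return False
    if s.mfa_satisfied or s.auth_method in STRONG_METHODS:
        return False
    return True


def triage(signins: Iterable[SignIn]) -> List[str]:
    """Return one human-readable finding per risky sign-in, in input order."""
    return [
        f"{s.user} -> {s.resource} via {s.client_type} ({s.auth_method})"
        for s in signins
        if is_risky_cloud_cli_signin(s)
    ]


# Constructed sample records (hypothetical tenant "corp.example").
SAMPLE_SIGNINS = [
    SignIn("alice@corp.example", True, "powershell", "management.azure.com", False, "password"),
    SignIn("bob@corp.example", True, "browser", "portal.azure.com", False, "password"),
    SignIn("carol@corp.example", True, "cli", "graph.microsoft.com", True, "password"),
    SignIn("dave@corp.example", False, "cli", "management.azure.com", False, "password"),
    SignIn("erin@corp.example", True, "api", "management.azure.com", False, "app_token"),
    SignIn("frank@corp.example", True, "cli", "cloudresourcemanager.googleapis.com", False, "fido2"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_SIGNINS):
        print("RISKY:", finding)
```

Only alice (password, no MFA, Azure PowerShell) and erin (application access token, no MFA, API client) are reported; carol is cleared by a satisfied Conditional Access MFA requirement, frank by a FIDO2 passwordless sign-in, dave because the identity is cloud-only rather than federated, and bob because a browser session is outside the CLI/API scope of this check.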
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
IA-05 | Authenticator Management | Protects | T1021.007 | Cloud Services | |
IA-02 | Identification and Authentication (Organizational Users) | Protects | T1021.007 | Cloud Services | |
AC-20 | Use of External Systems | Protects | T1021.007 | Cloud Services | |
AC-03 | Access Enforcement | Protects | T1021.007 | Cloud Services | |
AC-05 | Separation of Duties | Protects | T1021.007 | Cloud Services | |
AC-06 | Least Privilege | Protects | T1021.007 | Cloud Services | |
AC-02 | Account Management | Protects | T1021.007 | Cloud Services | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
ME-PWA-E3 | Passwordless Authentication | Technique Scores | T1021.007 | Cloud Services | Microsoft recommends the use of passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have, plus something you are or something you know (e.g., biometrics, FIDO2 security keys, the Microsoft Authenticator app).<br>When combined with Conditional Access policies, use of strong two-factor authentication for remote service accounts will mitigate an adversary's ability to leverage stolen credentials.<br>License Requirements: All Microsoft Entra ID licenses |
DEF-SecScore-E3 | Secure Score | Technique Scores | T1021.007 | Cloud Services | Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found under Microsoft Secure Score in the Microsoft Defender portal.<br>Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. The score is updated in real time to reflect the information presented in the visualizations and recommended action pages, and Secure Score also syncs daily to receive system data about the points achieved for each action.<br>To help you find the information you need more quickly, Microsoft's recommended actions are organized into groups: Identity (Microsoft Entra accounts and roles); Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices); Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps); Data (through Microsoft Information Protection) |