Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through various methods such as command line interpreters (CLIs), in-browser Cloud Shells, PowerShell modules like Azure for PowerShell(Citation: Microsoft - Azure PowerShell), or software developer kits (SDKs) available for languages such as Python.
Cloud API functionality may allow for administrative access across all major services in a tenant such as compute, storage, identity and access management (IAM), networking, and security policies.
With proper permissions (often via use of credentials such as Application Access Token and Web Session Cookie), adversaries may abuse cloud APIs to invoke various functions that execute malicious actions. For example, CLI and PowerShell functionality may be accessed through binaries installed on cloud-hosted or on-premises hosts or accessed through a browser-based cloud shell offered by many cloud platforms (such as AWS, Azure, and GCP). These cloud shells are often a packaged unified environment to use CLI and/or scripting modules hosted as a container in the cloud environment.
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
IA-02 | Identification and Authentication (organizational Users) | Protects | T1059.009 | Cloud API | |
SI-04 | System Monitoring | Protects | T1059.009 | Cloud API | |
CM-07 | Least Functionality | Protects | T1059.009 | Cloud API | |
AC-06 | Least Privilege | Protects | T1059.009 | Cloud API | |
AC-03 | Access Enforcement | Protects | T1059.009 | Cloud API | |
AC-02 | Account Management | Protects | T1059.009 | Cloud API |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PUR-AS-E5 | Audit Solutions | Technique Scores | T1059.009 | Cloud API |
Comments
Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.
Microsoft's Audit Solutions detects Cloud API attacks due to Audit Solutions providing the visibility to review command history and history of executed API commands in cloud audit logs to determine if unauthorized or suspicious commands were executed.
License Requirements:
Microsoft 365 E3 and E5
References
|
EOP-Antimalware-E3 | Antimalware | Technique Scores | T1059.009 | Cloud API |
Comments
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against malware by EOP. Some of the major categories of malware are:
Viruses that infect other programs and data, and spread through your computer or network looking for programs to infect.
Spyware that gathers your personal information, such as sign-in information and personal data, and sends it back to its author.
Ransomware that encrypts your data and demands payment to decrypt it. Anti-malware software doesn't help you decrypt encrypted files, but it can detect the malware payload that's associated with the ransomware.
EOP offers multi-layered malware protection that's designed to catch all known malware in Windows, Linux, and Mac that travels into or out of your organization. The following options help provide anti-malware protection:
Layered defenses against malware: Multiple anti-malware scan engines help protect against both known and unknown threats. These engines include powerful heuristic detection to provide protection even during the early stages of a malware outbreak. This multi-engine approach has been shown to provide significantly more protection than using just one anti-malware engine.
Real-time threat response: During some outbreaks, the anti-malware team might have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat, even before a definition is available from any of the scan engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.
Fast anti-malware definition deployment: The anti-malware team maintains close relationships with partners who develop anti-malware engines. As a result, the service can receive and integrate malware definitions and patches before they're publicly released. Our connection with these partners often allows us to develop our own remedies as well. The service checks for updated definitions for all anti-malware engines every hour.
License Requirements: M365 E3 or Microsoft Defender for Office plan 1.
References
|
ME-RBAC-E3 | Role Based Access Control | Technique Scores | T1059.009 | Cloud API |
Comments
The RBAC control can be used to implement the principle of least privilege to limit API functionality administrative accounts can take. This scores Partial for its ability to minimize the actions these accounts can perform.
License Requirements:
ME-ID Built-in Roles (Free)
References
|
ME-CA-E5 | Conditional Access | Technique Scores | T1059.009 | Cloud API |
Comments
Multiple conditions along can be combined to create fine-grained and specific policies that partially enforce access controls to account resources that adversaries may attempt to abuse: conditional access to Cloud APIs, blocking legacy authentication, requiring multi-factor authentication for users, block access by location, block access to unsupported devices, failed login attempts, account lockout policies, etc.. These features may require Microsoft Entra ID P2.
References
|
M365-DEF-ZAP-E3 | Zero Hour Auto Purge | Technique Scores | T1059.009 | Cloud API |
Comments
Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams that are identified as malware or high confidence phishing.
License Requirements: ZAP for Defender O365 is included with M365's E3 and requires E5 when leveraging ZAP for Teams security.
References
|
DEF-SecScore-E3 | Secure Score | Technique Scores | T1059.009 | Cloud API |
Comments
Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.
Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.
To help you find the information you need more quickly, Microsoft recommended actions are organized into groups:
Identity (Microsoft Entra accounts & roles)
Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)
Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)
Data (through Microsoft Information Protection)
References
|
DEF-IR-E5 | Incident Response | Technique Scores | T1059.009 | Cloud API |
Comments
An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.
Microsoft 365 Defender Incident Response responds to Cloud API attacks due to Incident Response monitoring for api activity security alerts which reviews cloud audit logs to determine if unauthorized or suspicious commands were executed.
License Requirements:
Microsoft Defender XDR
References
|
PUR-PAM-E5 | Privileged Access Management | Technique Scores | T1059.009 | Cloud API |
Comments
Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings. Microsoft 365 configuration settings. When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes. (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval).
License requirements: M365 E5 customers.
References
|