Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through various methods such as command line interpreters (CLIs), in-browser Cloud Shells, PowerShell modules like Azure for PowerShell(Citation: Microsoft - Azure PowerShell), or software development kits (SDKs) available for languages such as Python.
Cloud API functionality may allow for administrative access across all major services in a tenant such as compute, storage, identity and access management (IAM), networking, and security policies.
With proper permissions (often via use of credentials such as Application Access Token and Web Session Cookie), adversaries may abuse cloud APIs to invoke various functions that execute malicious actions. For example, CLI and PowerShell functionality may be accessed through binaries installed on cloud-hosted or on-premises hosts or accessed through a browser-based cloud shell offered by many cloud platforms (such as AWS, Azure, and GCP). These cloud shells are often a packaged unified environment to use CLI and/or scripting modules hosted as a container in the cloud environment.
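The description above lists the channels through which cloud APIs are reached (CLI binaries, SDKs, PowerShell modules, browser-based cloud shells) and the services they can administer (compute, storage, IAM, networking, security policy). The following is an added example, not code from MITRE or from any cloud provider, that shows one way a defender might triage cloud API audit records along those two axes: which channel the call came from and whether it was a write to a sensitive service. The record schema, the user-agent patterns and the sample records are all constructed assumptions; a real audit log source (and its field names) would differ.

```python
import re
from collections import Counter

# Constructed sample API audit records (assumed generic schema; no real tenant data).
SAMPLE_RECORDS = [
    {"principal": "alice", "service": "iam", "action": "AttachUserPolicy",
     "user_agent": "aws-cli/2.15.0 Python/3.11", "source_ip": "203.0.113.10"},
    {"principal": "bob", "service": "storage", "action": "GetObject",
     "user_agent": "Mozilla/5.0 (console)", "source_ip": "198.51.100.7"},
    {"principal": "svc-deploy", "service": "compute", "action": "RunInstances",
     "user_agent": "Boto3/1.34.0", "source_ip": "192.0.2.44"},
    {"principal": "carol", "service": "iam", "action": "ListUsers",
     "user_agent": "aws-cli/2.15.0 Python/3.11", "source_ip": "203.0.113.11"},
    {"principal": "dave", "service": "security", "action": "PutAccountPolicy",
     "user_agent": "AzurePowershell/v11.0.0", "source_ip": "203.0.113.12"},
    {"principal": "erin", "service": "iam", "action": "CreateAccessKey",
     "user_agent": "Mozilla/5.0 (console)", "source_ip": "198.51.100.8"},
    {"principal": "frank", "service": "network", "action": "DeleteSecurityGroup",
     "user_agent": "aws-cli/2.15.0 exec-env/CloudShell", "source_ip": "192.0.2.45"},
]

# Services the technique description names as reachable with administrative access.
SENSITIVE_SERVICES = {"iam", "compute", "storage", "network", "security"}

# Action-name prefixes treated as state-changing (assumed naming convention).
WRITE_VERBS = ("Create", "Put", "Attach", "Detach", "Update", "Delete",
               "Run", "Set", "Modify", "Add", "Remove")

# Assumed user-agent markers for programmatic access (CLI, SDK, PowerShell, cloud shell).
PROGRAMMATIC_UA = re.compile(r"cli|sdk|boto|powershell|cloudshell", re.IGNORECASE)
CLOUD_SHELL_UA = re.compile(r"cloudshell", re.IGNORECASE)


def access_channel(user_agent):
    """Classify the channel an API call was made through from its user agent."""
    if CLOUD_SHELL_UA.search(user_agent):
        return "cloud-shell"
    if PROGRAMMATIC_UA.search(user_agent):
        return "cli-or-sdk"
    return "console"


def is_sensitive_write(record):
    """True when the call changes state in one of the sensitive services."""
    return (record["service"] in SENSITIVE_SERVICES
            and record["action"].startswith(WRITE_VERBS))


def triage(records):
    """Return one alert per sensitive write; programmatic channels rank higher."""
    alerts = []
    for rec in records:
        if not is_sensitive_write(rec):
            continue  # reads and non-sensitive services are left for baselining
        channel = access_channel(rec["user_agent"])
        severity = "high" if channel != "console" else "medium"
        alerts.append({
            "principal": rec["principal"],
            "service": rec["service"],
            "action": rec["action"],
            "channel": channel,
            "source_ip": rec["source_ip"],
            "severity": severity,
        })
    return alerts


def count_by_severity(alerts):
    """Summarise alerts by severity, e.g. for a dashboard tile."""
    return Counter(a["severity"] for a in alerts)


if __name__ == "__main__":
    found = triage(SAMPLE_RECORDS)
    for a in found:
        print(f"[{a['severity']}] {a['principal']} {a['service']}:{a['action']} "
              f"via {a['channel']} from {a['source_ip']}")
    print(dict(count_by_severity(found)))
```

The split between channel and action is deliberate: a write to IAM from the console still merits review (account management, AC-02), but the same write from a CLI, SDK or cloud shell is the pattern this technique describes and is ranked higher so it surfaces first in monitoring (SI-04). Tuning in practice means baselining which principals legitimately use programmatic channels and excluding their expected actions.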
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
IA-02 | Identification and Authentication (Organizational Users) | Protects | T1059.009 | Cloud API |
SI-04 | System Monitoring | Protects | T1059.009 | Cloud API |
CM-07 | Least Functionality | Protects | T1059.009 | Cloud API |
AC-06 | Least Privilege | Protects | T1059.009 | Cloud API |
AC-03 | Access Enforcement | Protects | T1059.009 | Cloud API |
AC-02 | Account Management | Protects | T1059.009 | Cloud API |
PUR-AS-E5 | Audit Solutions | Technique Scores | T1059.009 | Cloud API |
EOP-Antimalware-E3 | Antimalware | Technique Scores | T1059.009 | Cloud API |
ME-RBAC-E3 | Role Based Access Control | Technique Scores | T1059.009 | Cloud API |
ME-CA-E5 | Conditional Access | Technique Scores | T1059.009 | Cloud API |
M365-DEF-ZAP-E3 | Zero Hour Auto Purge | Technique Scores | T1059.009 | Cloud API |
DEF-SecScore-E3 | Secure Score | Technique Scores | T1059.009 | Cloud API |
DEF-IR-E5 | Incident Response | Technique Scores | T1059.009 | Cloud API |
PUR-PAM-E5 | Privileged Access Management | Technique Scores | T1059.009 | Cloud API |