T1098.001 Additional Cloud Credentials Mappings

Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.

For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)

In infrastructure-as-a-service (IaaS) environments, after gaining access through Cloud Accounts, adversaries may generate or import their own SSH keys using either the <code>CreateKeyPair</code> or <code>ImportKeyPair</code> API in AWS or the <code>gcloud compute os-login ssh-keys add</code> command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)

Adversaries may also use the <code>CreateAccessKey</code> API in AWS or the <code>gcloud iam service-accounts keys create</code> command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. Cloud Accounts).(Citation: Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel 2.0) For example, in Azure AD environments, an adversary with the Application Administrator role can add a new set of credentials to their application's service principal. In doing so the adversary would be able to access the service principal’s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation)

In AWS environments, adversaries with the appropriate permissions may also use the sts:GetFederationToken API call to create a temporary set of credentials tied to the permissions of the original user account. These credentials may remain valid for the duration of their lifetime even if the original account’s API credentials are deactivated. (Citation: Crowdstrike AWS User Federation Persistence)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-02 Account Management Protects T1098.001 Additional Cloud Credentials
AC-20 Use of External Systems Protects T1098.001 Additional Cloud Credentials
AC-03 Access Enforcement Protects T1098.001 Additional Cloud Credentials
AC-04 Information Flow Enforcement Protects T1098.001 Additional Cloud Credentials
AC-05 Separation of Duties Protects T1098.001 Additional Cloud Credentials
AC-06 Least Privilege Protects T1098.001 Additional Cloud Credentials
CM-05 Access Restrictions for Change Protects T1098.001 Additional Cloud Credentials
CM-06 Configuration Settings Protects T1098.001 Additional Cloud Credentials
CM-07 Least Functionality Protects T1098.001 Additional Cloud Credentials
IA-02 Identification and Authentication (organizational Users) Protects T1098.001 Additional Cloud Credentials
IA-05 Authenticator Management Protects T1098.001 Additional Cloud Credentials
SC-46 Cross Domain Policy Enforcement Protects T1098.001 Additional Cloud Credentials
SC-07 Boundary Protection Protects T1098.001 Additional Cloud Credentials
SI-04 System Monitoring Protects T1098.001 Additional Cloud Credentials
SI-07 Software, Firmware, and Information Integrity Protects T1098.001 Additional Cloud Credentials
ME-RBAC-E3 Role Based Access Control Technique Scores T1098.001 Additional Cloud Credentials
ME-PWA-E3 Passwordless Authentication Technique Scores T1098.001 Additional Cloud Credentials
ME-PIM-E5 Privileged Identity Management Technique Scores T1098.001 Additional Cloud Credentials
ME-MFA-E3 Multi-factor Authentication Technique Scores T1098.001 Additional Cloud Credentials
ME-IP-E5 Identity Protection Technique Scores T1098.001 Additional Cloud Credentials
DEF-IR-E5 Incident Response Technique Scores T1098.001 Additional Cloud Credentials
PUR-PAM-E5 Privileged Access Management Technique Scores T1098.001 Additional Cloud Credentials