An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).(Citation: Expel AWS Attacker) (Citation: Microsoft O365 Admin Roles)
This account modification may immediately follow Create Account or other malicious account activity. Adversaries may also modify existing Valid Accounts that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.
For example, in AWS environments, an adversary with appropriate permissions may be able to use the <code>CreatePolicyVersion</code> API to define a new version of an IAM policy or the <code>AttachUserPolicy</code> API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-02 | Account Management | Protects | T1098.003 | Additional Cloud Roles | |
| AC-05 | Separation of Duties | Protects | T1098.003 | Additional Cloud Roles | |
| CM-05 | Access Restrictions for Change | Protects | T1098.003 | Additional Cloud Roles | |
| CM-06 | Configuration Settings | Protects | T1098.003 | Additional Cloud Roles | |
| IA-02 | Identification and Authentication (organizational Users) | Protects | T1098.003 | Additional Cloud Roles | |
| IA-05 | Authenticator Management | Protects | T1098.003 | Additional Cloud Roles | |
| SI-04 | System Monitoring | Protects | T1098.003 | Additional Cloud Roles | |
| SI-07 | Software, Firmware, and Information Integrity | Protects | T1098.003 | Additional Cloud Roles | |
| AC-20 | Use of External Systems | Protects | T1098.003 | Additional Cloud Roles | |
| AC-03 | Access Enforcement | Protects | T1098.003 | Additional Cloud Roles | |
| AC-06 | Least Privilege | Protects | T1098.003 | Additional Cloud Roles |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| ME-RBAC-E3 | Role Based Access Control | Technique Scores | T1098.003 | Additional Cloud Roles |
Comments
The RBAC control can be used to implement the principle of least privilege for account management in order to limit the number of accounts with the ability to add additional cloud roles. This receives a score of Partial for its ability to minimize known accounts with the ability to add roles.
License Requirements:
ME-ID Built-in Roles (Free)
References
|
| ME-PWA-E3 | Passwordless Authentication | Technique Scores | T1098.003 | Additional Cloud Roles |
Comments
Microsoft recommended the use of Passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have, plus something you are or something you know.(e.g., Biometric, FIDO2 security keys, Microsoft’s Authenticator app).
When combined with Conditional Access policies, Passwordless Authentication can significantly protect against the likelihood of adversary activity (e.g., additional cloud roles, etc.).
License Requirements:
All Microsoft Entra ID licenses
References
|
| ME-PIM-E5 | Privileged Identity Management | Technique Scores | T1098.003 | Additional Cloud Roles |
Comments
The PIM control can notify administrators when the Global Administrator and other administrator roles are assigned to an account, allowing it to be a method of detection for Additional Cloud Roles execution. PIM supports multiple security alerts, with customizable triggers, including numeric specificity. Following Microsoft's role based access control Best Practices, assignment of Global Administrator, among other administrative roles should be uncommon, resulting in an overall low false positive rate for detecting unexpected privileged role assignments.
License Requirements:
Microsoft Entra ID P2 or Microsoft Entra ID Governance
References
|
| ME-PIM-E5 | Privileged Identity Management | Technique Scores | T1098.003 | Additional Cloud Roles |
Comments
The PIM control can enforce on-activation requirements for privileged roles, such as the Global Administrator. Configuration can include an MFA requirement, which can provide additional protection against Additional Cloud Roles. MFA can be required both when assigning these administrative roles, and/or when a user activates the role.
License Requirements:
Microsoft Entra ID P2 or Microsoft Entra ID Governance
References
|
| ME-MFA-E3 | Multi-factor Authentication | Technique Scores | T1098.003 | Additional Cloud Roles |
Comments
Requiring the use of MFA along with conditional access policies may reduce the likelihood of adversaries making credential modifications, administrator changes, account manipulation, changes to permissions, etc.
References
|
| ME-IP-E5 | Identity Protection | Technique Scores | T1098.003 | Additional Cloud Roles |
Comments
Microsoft Entra ID Protection helps organizations detect, investigate, and remediate identity-based risks. These identity-based risks can be further fed into tools like Conditional Access to make access decisions or fed back to a security information and event management (SIEM) tool for further investigation and correlation. Identity Protection requires users be a Security Reader, Security Operator, Security Administrator, Global Reader, or Global Administrator in order to access the dashboard.
Risk-based Conditional Access policies can be enabled to require access controls such as providing a strong authentication method, perform multi-factor authentication, or perform a secure password reset based on the detected risk level. If the user successfully completes the access control, the risk is automatically remediated.
License Requirements:
Microsoft Entra ID P2
References
|
| ME-CAE-E3 | Conditional Access Evaluation | Technique Scores | T1098.003 | Additional Cloud Roles |
Comments
Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:
User Account is deleted or disabled
Password for a user is changed or reset
Multifactor authentication is enabled for the user
Administrator explicitly revokes all refresh tokens for a user
High user risk detected by Microsoft Entra ID Protection
License Requirements:
Continuous access evaluation will be included in all versions of Microsoft 365.
References
|
| DEF-LM-E5 | Lateral Movements | Technique Scores | T1098.003 | Additional Cloud Roles |
Comments
Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain are for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy to interpret, direct visual guidance on your most vulnerable, sensitive accounts.
References
|
| DEF-IR-E5 | Incident Response | Technique Scores | T1098.003 | Additional Cloud Roles |
Comments
An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.
Microsoft 365 Defender Incident Response responds to Additional Cloud Role attacks due to Incident Response monitoring for permission alert policies which collect usage logs from cloud administrator accounts to identify unusual activity.
License Requirements:
Microsoft Defender XDR
References
|
| PUR-PAM-E5 | Privileged Access Management | Technique Scores | T1098.003 | Additional Cloud Roles |
Comments
Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings. Microsoft 365 configuration settings. When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes. (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval).
License requirements: M365 E5 customers.
References
|