T1098.003 Additional Cloud Roles Mappings

An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).(Citation: Expel AWS Attacker)(Citation: Microsoft O365 Admin Roles)

This account modification may immediately follow Create Account or other malicious account activity. Adversaries may also modify existing Valid Accounts that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.

For example, in AWS environments, an adversary with appropriate permissions may be able to use the CreatePolicyVersion API to define a new version of an IAM policy or the AttachUserPolicy API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation)
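A defender's view of the two AWS calls named above: the following added example (not part of the ATT&CK page or any vendor tool) scans CloudTrail records for IAM permission changes, ignores CreatePolicyVersion calls that do not set the new version as default, and marks a principal that grants permissions to itself. The field names follow the CloudTrail record format; the sample records are constructed.

```python
"""Flag CloudTrail IAM events that match T1098.003 (AWS permission changes).
Added example for this page, not ATT&CK's or any vendor's code. Field names
follow the CloudTrail record format; the sample records are constructed."""
import json

# The two calls the page names, plus the other IAM writes that grant permissions
SUSPECT_EVENTS = {
    "CreatePolicyVersion", "AttachUserPolicy", "AttachRolePolicy",
    "AttachGroupPolicy", "PutUserPolicy", "AddUserToGroup",
}

def flag_role_changes(records):
    """Return (principal_arn, eventName, target, detail, self_change) per hit."""
    findings = []
    for rec in records:
        name = rec.get("eventName")
        if rec.get("eventSource") != "iam.amazonaws.com" or name not in SUSPECT_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        principal = rec.get("userIdentity", {}).get("arn", "unknown")
        if name == "CreatePolicyVersion":
            # A new version only changes effective permissions once it is default
            if not params.get("setAsDefault"):
                continue
            target, detail = params.get("policyArn"), "new default policy version"
        else:
            target = params.get("userName") or params.get("roleName") or params.get("groupName")
            detail = params.get("policyArn") or params.get("policyName") or name
        # A principal granting permissions to itself is the classic escalation pattern
        self_change = bool(target) and principal.endswith("/" + str(target))
        findings.append((principal, name, target, detail, self_change))
    return findings

def parse_log(text):
    """Parse newline-delimited JSON CloudTrail records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

# Constructed sample records (not real events); one per line
SAMPLE_LOG = """
{"eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev-user"},"requestParameters":{"userName":"dev-user","policyArn":"arn:aws:iam::aws:policy/AdministratorAccess"}}
{"eventSource":"iam.amazonaws.com","eventName":"CreatePolicyVersion","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev-user"},"requestParameters":{"policyArn":"arn:aws:iam::111122223333:policy/app-read","setAsDefault":true}}
{"eventSource":"iam.amazonaws.com","eventName":"CreatePolicyVersion","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ops"},"requestParameters":{"policyArn":"arn:aws:iam::111122223333:policy/app-read","setAsDefault":false}}
{"eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev-user"},"requestParameters":{}}
"""

if __name__ == "__main__":
    for hit in flag_role_changes(parse_log(SAMPLE_LOG)):
        print(hit)
```

In production the same logic would run over CloudTrail delivered to CloudWatch Logs or S3, with the self-change and AdministratorAccess cases routed as high-severity alerts.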

Mappings

Capability ID   Capability Description                                        Mapping Type       ATT&CK ID   ATT&CK Name
-------------   ----------------------------------------------------------    ----------------   ---------   ----------------------
AC-02           Account Management                                            Protects           T1098.003   Additional Cloud Roles
AC-05           Separation of Duties                                          Protects           T1098.003   Additional Cloud Roles
CM-05           Access Restrictions for Change                                Protects           T1098.003   Additional Cloud Roles
CM-06           Configuration Settings                                        Protects           T1098.003   Additional Cloud Roles
IA-02           Identification and Authentication (Organizational Users)      Protects           T1098.003   Additional Cloud Roles
IA-05           Authenticator Management                                      Protects           T1098.003   Additional Cloud Roles
SI-04           System Monitoring                                             Protects           T1098.003   Additional Cloud Roles
SI-07           Software, Firmware, and Information Integrity                 Protects           T1098.003   Additional Cloud Roles
AC-20           Use of External Systems                                       Protects           T1098.003   Additional Cloud Roles
AC-03           Access Enforcement                                            Protects           T1098.003   Additional Cloud Roles
AC-06           Least Privilege                                               Protects           T1098.003   Additional Cloud Roles
ME-RBAC-E3      Role Based Access Control                                     Technique Scores   T1098.003   Additional Cloud Roles
ME-PWA-E3       Passwordless Authentication                                   Technique Scores   T1098.003   Additional Cloud Roles
ME-PIM-E5       Privileged Identity Management                                Technique Scores   T1098.003   Additional Cloud Roles
ME-MFA-E3       Multi-factor Authentication                                   Technique Scores   T1098.003   Additional Cloud Roles
ME-IP-E5        Identity Protection                                           Technique Scores   T1098.003   Additional Cloud Roles
ME-CAE-E3       Conditional Access Evaluation                                 Technique Scores   T1098.003   Additional Cloud Roles
DEF-LM-E5       Lateral Movements                                             Technique Scores   T1098.003   Additional Cloud Roles
DEF-IR-E5       Incident Response                                             Technique Scores   T1098.003   Additional Cloud Roles
PUR-PAM-E5      Privileged Access Management                                  Technique Scores   T1098.003   Additional Cloud Roles