Adversaries may abuse cloud management services to execute commands within virtual machines or hybrid-joined devices. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. Similarly, in Azure AD environments, Microsoft Endpoint Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to the Azure AD.(Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)(Citation: SpecterOps Lateral Movement from Azure to On-Prem AD 2020)
If an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environment’s virtual machines or on-premises hybrid-joined devices. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a Trusted Relationship to execute commands in connected virtual machines.(Citation: MSTIC Nobelium Oct 2021)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| IA-02 | Identification and Authentication (organizational Users) | Protects | T1651 | Cloud Administration Command |
| SI-04 | System Monitoring | Protects | T1651 | Cloud Administration Command |
| AC-17 | Remote Access | Protects | T1651 | Cloud Administration Command |
| AC-06 | Least Privilege | Protects | T1651 | Cloud Administration Command |
| AC-03 | Access Enforcement | Protects | T1651 | Cloud Administration Command |
| AC-02 | Account Management | Protects | T1651 | Cloud Administration Command |
| ME-RBAC-E3 | Role Based Access Control | Technique Scores | T1651 | Cloud Administration Command |
| ME-PIM-E5 | Privileged Identity Management | Technique Scores | T1651 | Cloud Administration Command |
| ME-CAE-E3 | Conditional Access Evaluation | Technique Scores | T1651 | Cloud Administration Command |
| DEF-SecScore-E3 | Secure Score | Technique Scores | T1651 | Cloud Administration Command |
| PUR-PAM-E5 | Privileged Access Management | Technique Scores | T1651 | Cloud Administration Command |