1. Home
  2. ATT&CK Techniques
  3. T1021.007 Cloud Services

T1021.007 Cloud Services

Adversaries may log into accessible cloud services within a compromised environment using Valid Accounts that are synchronized with or federated to on-premises user identities. The adversary may then perform management actions or access cloud-hosted resources as the logged-on user.

Many enterprises federate centrally managed user identities to cloud services, allowing users to login with their domain credentials in order to access the cloud control plane. Similarly, adversaries may connect to available cloud services through the web console or through the cloud command line interface (CLI) (e.g., Cloud API), using commands such as <code>Connect-AZAccount</code> for Azure PowerShell, <code>Connect-MgGraph</code> for Microsoft Graph PowerShell, and <code>gcloud auth login</code> for the Google Cloud CLI.

In some cases, adversaries may be able to authenticate to these services via Application Access Token instead of a username and password.

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.IR-01.05 Remote access protection Mitigates T1021.007 Cloud Services
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
References
    PR.AA-05.03 Service accounts Mitigates T1021.007 Cloud Services
    Comments
    This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Minimize service account permissions and access for the service to mitigate exploitation via cloud services service accounts.
    References
      PR.AA-05.02 Privileged system access Mitigates T1021.007 Cloud Services
      Comments
      This diagnostic statement protects against Cloud Services through the use of privileged account management and the use of multi-factor authentication.
      References
        DE.CM-06.02 Third-party access monitoring Mitigates T1021.007 Cloud Services
        Comments
        This diagnostic statement protects against Cloud Services through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
        References
          PR.AA-02.01 Authentication of identity Mitigates T1021.007 Cloud Services
          Comments
          This diagnostic statement provides protection from Remote Services through the implementation of authentication and identity management controls to limit lateral movement. Employing control limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to move laterally in the cloud environment.
          References
            PR.PS-01.07 Cryptographic keys and certificates Mitigates T1021.007 Cloud Services
            Comments
            This diagnostic statement protects against Remote Services: Cloud Services through the use of revocation of keys and key management. Employing key protection strategies for key material used in identity management and authentication processes in cloud services, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to use cloud services.
            References
              PR.AA-03.01 Authentication requirements Mitigates T1021.007 Cloud Services
              Comments
              This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
              References
                PR.IR-01.06 Production environment segregation Mitigates T1021.007 Cloud Services
                Comments
                This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
                References
                  PR.AA-01.01 Identity and credential management Mitigates T1021.007 Cloud Services
                  Comments
                  This diagnostic statement protects against Cloud Services through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
                  References

                    NIST 800-53 Mappings

                    Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                    IA-05 Authenticator Management mitigates T1021.007 Cloud Services
                    AC-20 Use of External Systems mitigates T1021.007 Cloud Services
                    IA-02 Identification and Authentication (Organizational Users) mitigates T1021.007 Cloud Services
                    AC-03 Access Enforcement mitigates T1021.007 Cloud Services
                    AC-05 Separation of Duties mitigates T1021.007 Cloud Services
                    AC-06 Least Privilege mitigates T1021.007 Cloud Services
                    AC-02 Account Management mitigates T1021.007 Cloud Services

                    VERIS Mappings

                    Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                    action.hacking.variety.Use of stolen creds Use of stolen or default authentication credentials (including credential stuffing) related-to T1021.007 Cloud Services
                    action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1021.007 Cloud Services

                    Azure Mappings

                    Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                    docker_host_hardening Microsoft Defender for Cloud: Docker Host Hardening technique_scores T1021.007 Cloud Services
                    Comments
                    This control can protect against abuse of remote cloud services.
                    References
                    1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/harden-docker-hosts
                    alerts_for_linux_machines Alerts for Linux Machines technique_scores T1021.007 Cloud Services
                    Comments
                    This control can detect abuse of remote services.
                    References
                    1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference#alerts-linux
                    azure_network_security_groups Azure Network Security Groups technique_scores T1021.007 Cloud Services
                    Comments
                    This control can protect against abuse of remote cloud services.
                    References
                    1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
                    azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics technique_scores T1021.007 Cloud Services
                    Comments
                    This control can detect anomalous network traffic associated with abuse of remote cloud services.
                    References
                    1. https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics?tabs=Americas
                    azure_policy Azure Policy technique_scores T1021.007 Cloud Services
                    Comments
                    This control can protect against abuse of remote cloud services.
                    References
                    1. https://learn.microsoft.com/en-us/azure/governance/policy/overview

                    GCP Mappings

                    Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                    cloud_identity Cloud Identity technique_scores T1021.007 Cloud Services
                    Comments
                    This control can be used to detect adversaries that may be trying to log into cloud services.
                    References
                    1. ['https://cloud.google.com/identity']

                    AWS Mappings

                    Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                    amazon_virtual_private_cloud Amazon Virtual Private Cloud technique_scores T1021.007 Cloud Services
                    Comments
                    VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.
                    References
                      aws_identity_and_access_management AWS Identity and Access Management technique_scores T1021.007 Cloud Services
                      Comments
                      AWS Identity and Access Management supports multi-factor authentication, which can mitigate an adversary's ability to use valid credentials obtained on one cloud to access another cloud service.
                      References