Adversaries may leverage Valid Accounts to log directly into accessible cloud hosted compute infrastructure through cloud native methods. Many cloud providers offer interactive connections to virtual infrastructure that can be accessed through the Cloud API, such as Azure Serial Console(Citation: Azure Serial Console), AWS EC2 Instance Connect(Citation: EC2 Instance Connect)(Citation: lucr-3: Getting SaaS-y in the cloud), and AWS System Manager.(Citation: AWS System Manager).
Methods of authentication for these connections can include passwords, application access tokens, or SSH keys. These cloud native methods may, by default, allow for privileged access on the host with SYSTEM or root level access.
Adversaries may utilize these cloud native methods to directly access virtual infrastructure and pivot through an environment.(Citation: SIM Swapping and Abuse of the Microsoft Azure Serial Console) These connections typically provide direct console access to the VM rather than the execution of scripts (i.e., Cloud Administration Command).
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.IR-01.05 | Remote access protection | Mitigates | T1021.008 | Direct Cloud VM Connections |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
References
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1021.008 | Direct Cloud VM Connections |
Comments
This diagnostic statement protects against Direct Cloud VM Connections through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1021.008 | Direct Cloud VM Connections | |
| CM-05 | Access Restrictions for Change | mitigates | T1021.008 | Direct Cloud VM Connections | |
| IA-05 | Authenticator Management | mitigates | T1021.008 | Direct Cloud VM Connections | |
| AC-17 | Remote Access | mitigates | T1021.008 | Direct Cloud VM Connections | |
| AC-20 | Use of External Systems | mitigates | T1021.008 | Direct Cloud VM Connections | |
| IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1021.008 | Direct Cloud VM Connections | |
| CM-07 | Least Functionality | mitigates | T1021.008 | Direct Cloud VM Connections | |
| SI-04 | System Monitoring | mitigates | T1021.008 | Direct Cloud VM Connections | |
| AC-03 | Access Enforcement | mitigates | T1021.008 | Direct Cloud VM Connections | |
| AC-06 | Least Privilege | mitigates | T1021.008 | Direct Cloud VM Connections | |
| AC-02 | Account Management | mitigates | T1021.008 | Direct Cloud VM Connections |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1021.008 | Direct Cloud VM Connections | |
| action.hacking.vector.Command shell | Remote shell | related-to | T1021.008 | Direct Cloud VM Connections |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| docker_host_hardening | Microsoft Defender for Cloud: Docker Host Hardening | technique_scores | T1021.008 | Direct Cloud VM Connections |
Comments
This control can protect against abuse of direct cloud VM connections.
References
|
| alerts_for_linux_machines | Alerts for Linux Machines | technique_scores | T1021.008 | Direct Cloud VM Connections |
Comments
This control can detect direct cloud VM connections.
References
|
| azure_network_security_groups | Azure Network Security Groups | technique_scores | T1021.008 | Direct Cloud VM Connections |
Comments
This control can protect against abuse of direct cloud VM connections.
References
|
| azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | technique_scores | T1021.008 | Direct Cloud VM Connections |
Comments
This control can detect direct cloud VM connections.
References
|
| azure_policy | Azure Policy | technique_scores | T1021.008 | Direct Cloud VM Connections |
Comments
This control can protect against abuse of direct cloud VM connections.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| cloud_identity | Cloud Identity | technique_scores | T1021.008 | Direct Cloud VM Connections |
Comments
This control can be used to detect adversaries that may try to use Valid Accounts to log into remote machines using cloud native methods such as Secure Shell (SSH).
References
|
| google_secops | Google Security Operations | technique_scores | T1021.008 | Direct Cloud VM Connections |
Comments
Google Security Operations is able to detect an alert based on system events, such as remote connections.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| amazon_guardduty | Amazon GuardDuty | technique_scores | T1021.008 | Direct Cloud VM Connections |
Comments
GuardDuty findings including UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B can aid in detection of this technique.
References
|