1. Home
  2. ATT&CK Techniques
  3. T1059.009 Cloud API

T1059.009 Cloud API

Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through various methods such as command line interpreters (CLIs), in-browser Cloud Shells, PowerShell modules like Azure for PowerShell(Citation: Microsoft - Azure PowerShell), or software developer kits (SDKs) available for languages such as Python.

Cloud API functionality may allow for administrative access across all major services in a tenant such as compute, storage, identity and access management (IAM), networking, and security policies.

With proper permissions (often via use of credentials such as Application Access Token and Web Session Cookie), adversaries may abuse cloud APIs to invoke various functions that execute malicious actions. For example, CLI and PowerShell functionality may be accessed through binaries installed on cloud-hosted or on-premises hosts or accessed through a browser-based cloud shell offered by many cloud platforms (such as AWS, Azure, and GCP). These cloud shells are often a packaged unified environment to use CLI and/or scripting modules hosted as a container in the cloud environment.

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.AA-05.02 Privileged system access Mitigates T1059.009 Cloud API
Comments
This diagnostic statement protects against Cloud API through the use of privileged account management and the use of multi-factor authentication.
References
    DE.CM-06.02 Third-party access monitoring Mitigates T1059.009 Cloud API
    Comments
    This diagnostic statement protects against Cloud API through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
    References
      PR.IR-01.06 Production environment segregation Mitigates T1059.009 Cloud API
      Comments
      This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
      References

        NIST 800-53 Mappings

        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
        IA-02 Identification and Authentication (Organizational Users) mitigates T1059.009 Cloud API
        CM-07 Least Functionality mitigates T1059.009 Cloud API
        SI-04 System Monitoring mitigates T1059.009 Cloud API
        AC-06 Least Privilege mitigates T1059.009 Cloud API
        AC-03 Access Enforcement mitigates T1059.009 Cloud API
        AC-02 Account Management mitigates T1059.009 Cloud API

        VERIS Mappings

        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
        action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1059.009 Cloud API
        action.hacking.variety.OS commanding OS commanding. Child of 'Exploit vuln'. related-to T1059.009 Cloud API
        action.hacking.vector.Command shell Remote shell related-to T1059.009 Cloud API

        Azure Mappings

        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
        alerts_for_windows_machines Alerts for Windows Machines technique_scores T1059.009 Cloud API
        Comments
        This control can detect supicious usage of commands and scripts.
        References
        1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers
        2. https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-windows-machines
        defender_for_apis Microsoft Defender for Cloud: Microsoft Defender for APIs technique_scores T1059.009 Cloud API
        Comments
        This control can detect when anomalous parameters are passed to a cloud API that could indicate abuse of a command and scripting interpreter.
        References
        1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-defender-for-apis

        GCP Mappings

        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
        google_secops Google Security Operations technique_scores T1059.009 Cloud API
        Comments
        Google Security Ops is able to trigger an alert based on system events of interest, for example: suspicious Entra ID login access and usage. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_certutil_command.yaral
        References
        1. ['https://cloud.google.com/security/products/security-operations'
        2. 'https://cloud.google.com/chronicle/docs/secops/secops-overview'
        3. 'https://github.com/chronicle/detection-rules']

        AWS Mappings

        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
        amazon_guardduty Amazon GuardDuty technique_scores T1059.009 Cloud API
        Comments
        The GuardDuty finding Impact:IAMUser/AnomalousBehavior can aid in the detection of abuse of AWS APIs.
        References
        1. https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#impact-iam-anomalousbehavior