T1078.004 Cloud Accounts

Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)

Service or user accounts may be targeted by adversaries through Brute Force, Phishing, or various other means to gain access to the environment. Federated or synced accounts may be a pathway for the adversary to affect both on-premises systems and cloud environments, for example by leveraging shared credentials to log onto Remote Services. Highly privileged cloud accounts, whether federated, synced, or cloud-only, may also allow pivoting to on-premises environments by leveraging SaaS-based Software Deployment Tools to run commands on hybrid-joined devices.

An adversary may create long-lasting Additional Cloud Credentials on a compromised cloud account to maintain persistence in the environment. Such credentials may also be used to bypass security controls such as multi-factor authentication.

Cloud accounts may also be able to assume Temporary Elevated Cloud Access or other privileges through various means within the environment. Misconfigurations in role assignments or role assumption policies may allow an adversary to use these mechanisms to leverage permissions outside the intended scope of the account. Such over-privileged accounts may be used to harvest sensitive data from online storage accounts and databases through Cloud API or other methods.

CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
PR.IR-01.05 | Remote access protection | Mitigates | T1078.004 | Cloud Accounts
  Comments: This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
PR.AA-05.04 | Third-party access management | Mitigates | T1078.004 | Cloud Accounts
  Comments: This diagnostic statement includes implementation of controls for third-party access to an organization's systems. Conditional access policies can be used to block logins from non-compliant devices or from outside defined IP ranges.
PR.PS-06.01 | Secure SDLC process | Mitigates | T1078.004 | Cloud Accounts
  Comments: This diagnostic statement provides for secure system development, which includes ensuring that applications do not store sensitive data or valid account credentials insecurely (e.g., plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage).
PR.AA-05.02 | Privileged system access | Mitigates | T1078.004 | Cloud Accounts
  Comments: This diagnostic statement protects against Cloud Accounts through the use of privileged account management and the use of multi-factor authentication.
DE.CM-06.02 | Third-party access monitoring | Mitigates | T1078.004 | Cloud Accounts
  Comments: This diagnostic statement protects against Cloud Accounts through the use of privileged account management. Employing auditing, privileged access management, and just-in-time access protects against adversaries trying to obtain illicit access to critical systems.
PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1078.004 | Cloud Accounts
  Comments: This diagnostic statement protects against Valid Accounts: Cloud Accounts through key revocation and key management. Employing key protection strategies for key material used as part of multi-factor authentication for valid accounts, together with limiting keys to specific accounts and applying access control mechanisms, provides protection against adversaries attempting to use valid accounts.
DE.CM-03.03 | Privileged account monitoring | Mitigates | T1078.004 | Cloud Accounts
  Comments: This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
PR.AA-01.02 | Physical and logical access | Mitigates | T1078.004 | Cloud Accounts
  Comments: This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
PR.AA-03.01 | Authentication requirements | Mitigates | T1078.004 | Cloud Accounts
  Comments: This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials.
PR.AA-01.01 | Identity and credential management | Mitigates | T1078.004 | Cloud Accounts
  Comments: This diagnostic statement protects against Cloud Accounts through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
CA-07 | Continuous Monitoring | mitigates | T1078.004 | Cloud Accounts
CM-06 | Configuration Settings | mitigates | T1078.004 | Cloud Accounts
CM-05 | Access Restrictions for Change | mitigates | T1078.004 | Cloud Accounts
IA-05 | Authenticator Management | mitigates | T1078.004 | Cloud Accounts
SA-10 | Developer Configuration Management | mitigates | T1078.004 | Cloud Accounts
IA-12 | Identity Proofing | mitigates | T1078.004 | Cloud Accounts
IA-13 | Identity Providers and Authorization Servers | mitigates | T1078.004 | Cloud Accounts
SA-15 | Development Process, Standards, and Tools | mitigates | T1078.004 | Cloud Accounts
SA-17 | Developer Security and Privacy Architecture and Design | mitigates | T1078.004 | Cloud Accounts
SA-03 | System Development Life Cycle | mitigates | T1078.004 | Cloud Accounts
SA-04 | Acquisition Process | mitigates | T1078.004 | Cloud Accounts
SC-28 | Protection of Information at Rest | mitigates | T1078.004 | Cloud Accounts
SC-43 | Usage Restrictions | mitigates | T1078.004 | Cloud Accounts
AC-20 | Use of External Systems | mitigates | T1078.004 | Cloud Accounts
SA-11 | Developer Testing and Evaluation | mitigates | T1078.004 | Cloud Accounts
SA-08 | Security and Privacy Engineering Principles | mitigates | T1078.004 | Cloud Accounts
IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1078.004 | Cloud Accounts
CM-07 | Least Functionality | mitigates | T1078.004 | Cloud Accounts
SI-04 | System Monitoring | mitigates | T1078.004 | Cloud Accounts
AC-02 | Account Management | mitigates | T1078.004 | Cloud Accounts
AC-03 | Access Enforcement | mitigates | T1078.004 | Cloud Accounts
AC-05 | Separation of Duties | mitigates | T1078.004 | Cloud Accounts
AC-06 | Least Privilege | mitigates | T1078.004 | Cloud Accounts
AC-07 | Unsuccessful Logon Attempts | mitigates | T1078.004 | Cloud Accounts

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
defender_for_storage | Microsoft Defender for Cloud: Defender for Storage | technique_scores | T1078.004 | Cloud Accounts
  Comments: This control may generate alerts based on unfamiliar or suspicious IP addresses, Tor exit nodes, and anonymous access.
advanced_threat_protection_for_azure_sql_database | Advanced Threat Protection for Azure SQL Database | technique_scores | T1078.004 | Cloud Accounts
  Comments: This control may alert on logon events that are suspicious. This includes logins from unusual locations, logins from suspicious IP addresses, and users that do not commonly access the resource. These alerts may limit the ability of an attacker to utilize a valid cloud account to access and manipulate Azure databases.
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | technique_scores | T1078.004 | Cloud Accounts
  Comments: This control's "Deprecated accounts should be removed from your subscription" and "Deprecated accounts with owner permissions should be removed from your subscription" recommendations can lead to removing accounts that should not be utilized from your subscriptions, thereby denying adversaries the usage of these accounts to find ways to access your data without being noticed. Likewise, the recommendations related to external account permissions can also mitigate this sub-technique. Because these are recommendations and are limited to deprecated and external accounts, this is scored as Minimal.
alerts_for_azure_cosmos_db | Alerts for Azure Cosmos DB | technique_scores | T1078.004 | Cloud Accounts
  Comments: This control triggers an alert when there is a change in the access pattern to an Azure Cosmos account based on access from an unusual geographical location. False positives are fairly likely and misuse from a typical location is not covered, so the score is Minimal. The relevant alert is "Access from an unusual location to a Cosmos DB account".
azure_policy | Azure Policy | technique_scores | T1078.004 | Cloud Accounts
  Comments: This control may provide recommendations to audit and restrict privileges on Azure cloud accounts. This control may provide information to reduce the surface area for privileged access to Azure.
azure_role_based_access_control | Azure Role-Based Access Control | technique_scores | T1078.004 | Cloud Accounts
  Comments: This control can be used to implement the least-privilege principle for account management and thereby limit what an adversary can do with a valid account.

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
advanced_protection_program | Advanced Protection Program | technique_scores | T1078.004 | Cloud Accounts
  Comments: Advanced Protection Program enables the use of a security key for multi-factor authentication. Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information.
cloud_asset_inventory | Cloud Asset Inventory | technique_scores | T1078.004 | Cloud Accounts
  Comments: This control may be able to detect when adversaries use valid cloud accounts to elevate privileges through manipulation of IAM or access policies. This monitoring can be fine-tuned to specific assets, policies, and organizations.
cloud_identity | Cloud Identity | technique_scores | T1078.004 | Cloud Accounts
  Comments: This control can be used to mitigate malicious attacks on cloud accounts by implementing multi-factor authentication techniques or password policies.
gke_enterprise | GKE Enterprise | technique_scores | T1078.004 | Cloud Accounts
  Comments: GKE Enterprise incorporates the Anthos Config Management feature to create and manage Kubernetes objects across multiple clusters at once. PodSecurityPolicies can be enforced to prevent Pods from using the root Linux user. Based on the medium detection coverage, this sub-technique was scored as Partial.
identity_and_access_management | Identity and Access Management | technique_scores | T1078.004 | Cloud Accounts
  Comments: This control protects against malicious use of cloud accounts and gaining access to them. This control may mitigate the impact of compromised valid accounts by enabling fine-grained access policies and implementing least-privilege policies. MFA can provide protection against an adversary that obtains valid credentials by requiring the adversary to complete an additional authentication process before access is permitted.
identity_aware_proxy | Identity Aware Proxy | technique_scores | T1078.004 | Cloud Accounts
  Comments: Protects access to applications hosted in the cloud and on-premises.
identity_platform | Identity Platform | technique_scores | T1078.004 | Cloud Accounts
  Comments: Identity Platform lets you add Google-grade authentication to your apps and services, making it easier to secure user accounts and manage credentials securely. MFA can provide protection against an adversary that obtains valid credentials by requiring the adversary to complete an additional authentication process before access is permitted.
policy_intelligence | Policy Intelligence | technique_scores | T1078.004 | Cloud Accounts
  Comments: Adversaries may obtain and abuse credentials of a cloud account by gaining access through means of Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Policy Intelligence role recommendations generated by IAM Recommender help enforce least-privilege principles to ensure that permission levels are properly managed.
recaptcha_enterprise | ReCAPTCHA Enterprise | technique_scores | T1078.004 | Cloud Accounts
  Comments: ReCAPTCHA Enterprise allows users to configure Multifactor Authentication (MFA) to verify a user's identity by sending a verification code by email or SMS (known as an MFA challenge). When ReCAPTCHA Enterprise assesses that user activity exceeds a predetermined threshold (set by the developer), it can trigger an MFA challenge to verify the user. This increases the likelihood that a compromised account will be prevented from impacting the system. Since ReCAPTCHA Enterprise does not require an MFA challenge for all user activity, it has been given a rating of Partial.
resource_manager | Resource Manager | technique_scores | T1078.004 | Cloud Accounts
  Comments: Adversaries may attempt to obtain credentials of an existing account through privilege escalation or defense evasion. IAM audit logging in GCP can be used to determine roles and permissions, along with routinely checking user permissions to ensure only the expected users have the ability to list IAM identities or otherwise discover cloud accounts.
security_command_center | Security Command Center | technique_scores | T1078.004 | Cloud Accounts
  Comments: SCC ingests Cloud Audit logs to detect when an external member is added to a privileged group with sensitive permissions or roles. This security solution protects against compromised cloud accounts used to maintain persistence and harvest sensitive data. Because of the near-real-time detection of this attack, the control was graded as Significant.

AWS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
amazon_cognito | Amazon Cognito | technique_scores | T1078.004 | Cloud Accounts
  Comments: Amazon Cognito has the ability to alert and block accounts where credentials were found to be compromised elsewhere (compromised credential protection). The service also detects unusual sign-in activity, such as sign-in attempts from new locations and devices, and can either prompt users for additional verification or block the sign-in request. There was insufficient detail on the operation of these capabilities and therefore a conservative assessment of a Partial score has been assigned.
amazon_guardduty | Amazon GuardDuty | technique_scores | T1078.004 | Cloud Accounts
  Comments: Listed findings above flag instances where there are indications of account compromise.
aws_config | AWS Config | technique_scores | T1078.004 | Cloud Accounts
  Comments: The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can provide protection against attempted misuse of cloud accounts: "iam-user-mfa-enabled", "mfa-enabled-for-iam-console-access", "root-account-hardware-mfa-enabled", and "root-account-mfa-enabled". All of these rules are evaluated periodically.
  The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure that appropriate AWS Identity and Access Management (IAM) policies are in place to enforce fine-grained access policies and mitigate the impact of compromised valid accounts: "iam-customer-policy-blocked-kms-actions", "iam-inline-policy-blocked-kms-actions", "iam-no-inline-policy-check", "iam-group-has-users-check", "iam-policy-blacklisted-check", "iam-policy-no-statements-with-admin-access", "iam-policy-no-statements-with-full-access", "iam-role-managed-policy-check", "iam-user-group-membership-check", "iam-user-no-policies-check", and "ec2-instance-profile-attached" are run on configuration changes. "iam-password-policy", "iam-policy-in-use", "iam-root-access-key-check", "iam-user-mfa-enabled", "iam-user-unused-credentials-check", and "mfa-enabled-for-iam-console-access" are run periodically. The "access-keys-rotated" managed rule ensures that IAM access keys are rotated at an appropriate rate.
  Given that these rules provide robust coverage for a variety of IAM configuration problems and most are evaluated on configuration changes, they result in an overall score of Significant.
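As an added example (not code from the mappings page or from AWS), the following Python reproduces the logic of several of the Config rules listed above offline, over the CSV that the IAM credential report (`aws iam get-credential-report`) returns: root access keys and root MFA, console users without MFA, credentials unused for longer than a threshold, and access keys past their rotation window. The report sample, the fixed clock and the 90-day thresholds are constructed assumptions; real reports carry more columns than the subset used here, and the real rules evaluate additional conditions.

```python
"""
Offline posture check over an IAM credential report (added example, not from the
page or from AWS). It mirrors the intent of the Config managed rules
iam-root-access-key-check, root-account-mfa-enabled, mfa-enabled-for-iam-console-access,
iam-user-unused-credentials-check and access-keys-rotated.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report: a subset of the real credential-report columns.
# Real reports use the same value conventions (true/false, N/A, no_information, not_supported).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111111111111:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T08:00:00+00:00,true,true,2021-03-03T00:00:00+00:00,2024-04-30T00:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111111111111:user/alice,2022-06-01T00:00:00+00:00,true,2024-05-20T09:00:00+00:00,true,true,2024-04-01T00:00:00+00:00,2024-05-21T00:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111111111111:user/bob,2022-06-01T00:00:00+00:00,true,2024-05-19T09:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
ci-deploy,arn:aws:iam::111111111111:user/ci-deploy,2021-01-10T00:00:00+00:00,false,no_information,false,true,2021-01-10T00:00:00+00:00,2024-05-21T00:00:00+00:00,false,N/A,N/A
old-contractor,arn:aws:iam::111111111111:user/old-contractor,2021-01-10T00:00:00+00:00,true,2023-11-01T00:00:00+00:00,true,true,2023-10-01T00:00:00+00:00,2023-11-01T00:00:00+00:00,false,N/A,N/A
"""

# Fixed clock (assumption) so the findings are reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 5, 22, tzinfo=timezone.utc)


def _ts(value):
    """Parse a report timestamp; the report's placeholder strings map to None."""
    if not value or value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def _older_than(value, days, now):
    ts = _ts(value)
    return ts is not None and now - ts > timedelta(days=days)


def evaluate_credential_report(report_csv, now=NOW, max_unused_days=90, max_key_age_days=90):
    """Return a sorted list of (rule, user, detail) findings for the report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        keys = [(slot, row[f"access_key_{slot}_active"] == "true",
                 row[f"access_key_{slot}_last_rotated"], row[f"access_key_{slot}_last_used_date"])
                for slot in (1, 2)]

        if user == "<root_account>":
            # The root user should have no access keys at all and must have MFA.
            for slot, active, _rotated, _used in keys:
                if active:
                    findings.append(("iam-root-access-key-check", user, f"access key {slot} active"))
            if row["mfa_active"] != "true":
                findings.append(("root-account-mfa-enabled", user, "no MFA device"))
            continue

        # Console users (password enabled) must have an MFA device.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(("mfa-enabled-for-iam-console-access", user, "console password without MFA"))

        # A password that has not been used within the window (or never, on an old account) is stale.
        if row["password_enabled"] == "true":
            last = row["password_last_used"]
            never_used = _ts(last) is None and _older_than(row["user_creation_time"], max_unused_days, now)
            if never_used or _older_than(last, max_unused_days, now):
                findings.append(("iam-user-unused-credentials-check", user, "password unused"))

        for slot, active, rotated, last_used in keys:
            if not active:
                continue
            never_used = _ts(last_used) is None and _older_than(rotated, max_unused_days, now)
            if never_used or _older_than(last_used, max_unused_days, now):
                findings.append(("iam-user-unused-credentials-check", user, f"access key {slot} unused"))
            # Active keys older than the rotation window are flagged regardless of use.
            if _older_than(rotated, max_key_age_days, now):
                findings.append(("access-keys-rotated", user, f"access key {slot} not rotated"))
    return sorted(findings)


if __name__ == "__main__":
    for rule, user, detail in evaluate_credential_report(SAMPLE_REPORT):
        print(f"{rule:40} {user:20} {detail}")
```

Running it over the sample flags the root access key, the console user without MFA, the contractor's stale password and key, and the two keys that have never been rotated; the two threshold parameters let the same function be tuned to an organization's own rotation and inactivity policy.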
aws_identity_and_access_management | AWS Identity and Access Management | technique_scores | T1078.004 | Cloud Accounts
  Comments: This control may mitigate the impact of compromised valid accounts by enabling fine-grained access policies and implementing least-privilege policies. MFA can provide protection against an adversary that obtains valid credentials by requiring the adversary to complete an additional authentication process before access is permitted.
aws_identity_and_access_management | AWS Identity and Access Management | technique_scores | T1078.004 | Cloud Accounts
  Comments: The Access Analyzer tool may detect when an external entity has been granted access to cloud resources through use of access policies. This tool will scan upon any change to access policies or periodically within 24 hours.
aws_iot_device_defender | AWS IoT Device Defender | technique_scores | T1078.004 | Cloud Accounts
  Comments: The following AWS IoT Device Defender audit checks can identify potentially malicious use of valid cloud credentials by AWS IoT devices, which may indicate that devices have been compromised: "CA certificate revoked but device certificates still active" ("REVOKED_CA_CERTIFICATE_STILL_ACTIVE_CHECK" in the CLI and API) indicates that device certificates signed using a revoked CA certificate are still active, which may indicate that devices using those certificates are controlled by an adversary if the CA certificate was revoked due to compromise. "Device certificate shared" ("DEVICE_CERTIFICATE_SHARED_CHECK" in the CLI and API), "Revoked device certificate still active" ("REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK" in the CLI and API), and "Conflicting MQTT client IDs" ("CONFLICTING_CLIENT_IDS_CHECK" in the CLI and API) can indicate that devices are in use with duplicate certificates and/or IDs and/or certificates that have been revoked due to compromise, all of which suggest that an adversary may be using clones of compromised devices to leverage their access.
  The following AWS IoT Device Defender cloud-side detection metrics can identify potentially malicious use of valid cloud credentials by IoT devices, which may indicate that devices have been compromised: "Source IP" ("aws:source-ip-address") values outside of expected IP address ranges may suggest that a device has been stolen. "Authorization failures" ("aws:num-authorization-failures") counts above a typical threshold may indicate that a compromised device is attempting to use its connection to AWS IoT to access resources for which it does not have access and being denied. High counts for "Disconnects" ("aws:num-disconnects"), especially in conjunction with high counts for "Connection attempts" ("aws:num-connection-attempts"), which include successful attempts, may indicate that a compromised device is connecting and disconnecting from AWS IoT using the device's associated access.
  Coverage factor is partial for these metrics, checks, and mitigations, since they are specific to use of cloud accounts for AWS IoT access and actions, resulting in an overall score of Partial.
aws_iot_device_defender | AWS IoT Device Defender | technique_scores | T1078.004 | Cloud Accounts
  Comments: The following AWS IoT Device Defender audit checks and corresponding mitigation actions can identify and in some cases resolve configuration problems that should be fixed in order to limit the potential impact of compromised accounts with access to AWS IoT resources: The "Authenticated Cognito role overly permissive" ("AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK" in the CLI and API) audit check can identify policies which grant excessive privileges and permissions for AWS IoT actions to Amazon Cognito identity pool roles. The "Unauthenticated Cognito role overly permissive" ("UNAUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK" in the CLI and API) audit check can identify policies which grant excessive privileges and permissions for AWS IoT actions to Amazon Cognito identity pool roles and do not require authentication, which pose a substantial risk because they can be trivially accessed. The "AWS IoT policies overly permissive" ("IOT_POLICY_OVERLY_PERMISSIVE_CHECK" in the CLI and API) audit check can identify AWS IoT policies which grant excessive privileges and permissions for AWS IoT actions and supports the "REPLACE_DEFAULT_POLICY_VERSION" mitigation action which can reduce permissions to limit potential misuse. The "Role alias allows access to unused services" ("IOT_ROLE_ALIAS_ALLOWS_ACCESS_TO_UNUSED_SERVICES_CHECK" in the CLI and API) and "Role alias overly permissive" ("IOT_ROLE_ALIAS_OVERLY_PERMISSIVE_CHECK" in the CLI and API) audit checks can identify AWS IoT role aliases which allow connected devices to authenticate using their certificates and obtain short-lived AWS credentials from an associated IAM role which grant permissions and privileges beyond those necessary to the devices' functions and should be fixed in order to prevent further account compromise from compromised devices.
  Coverage factor is partial for these checks and mitigations, since they are specific to use of cloud accounts for AWS IoT access and actions, resulting in an overall score of Partial.
aws_organizations | AWS Organizations | technique_scores | T1078.004 | Cloud Accounts
  Comments: This control may protect against malicious use of cloud accounts by implementing service control policies that define what actions an account may take. If best practices are followed, AWS accounts should only have the least amount of privileges required.
aws_security_hub | AWS Security Hub | technique_scores | T1078.004 | Cloud Accounts
  Comments: AWS Security Hub detects suspicious activity by AWS accounts which could indicate valid accounts being leveraged by an adversary. AWS Security Hub provides these detections with the following managed insights:
    - AWS principals with suspicious access key activity
    - Credentials that may have leaked
    - AWS resources with unauthorized access attempts
    - IAM users with suspicious activity
  AWS Security Hub also performs checks from the AWS Foundations CIS Benchmark and PCI-DSS security standard that, if implemented, would help towards detecting the misuse of valid accounts. AWS Security Hub provides these detections with the following checks:
    - 3.1 Ensure a log metric filter and alarm exist for unauthorized API calls
    - 3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
    - 3.3 Ensure a log metric filter and alarm exist for usage of "root" account
    - 3.4 Ensure a log metric filter and alarm exist for IAM policy changes
    - 3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
    - [PCI.CW.1] A log metric filter and alarm should exist for usage of the "root" user
  By monitoring the root account, activity where accounts make unauthorized API calls, and changes to IAM permissions, among other things, it may be possible to detect valid accounts that are being misused and are potentially compromised. This is scored as Significant because it reports on suspicious activity by AWS accounts.
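As an added example (not code from the page, from Security Hub or from the CIS benchmark), the following Python re-implements the five CIS log-metric-filter checks listed above as functions over CloudTrail records, so the same conditions the benchmark's CloudWatch filter patterns express can be exercised offline against exported trail data. The event records are constructed samples carrying only the fields the checks read; the filter-pattern comments paraphrase the benchmark's published patterns.

```python
"""
CloudTrail detection logic mirroring CIS AWS Foundations checks 3.1, 3.2, 3.3, 3.4 and 3.6
(added example; not from the mappings page, Security Hub or AWS).
"""

# eventName values the CIS 3.4 "IAM policy changes" filter enumerates.
IAM_POLICY_EVENTS = {
    "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy",
    "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy",
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "AttachRolePolicy", "DetachRolePolicy", "AttachUserPolicy", "DetachUserPolicy",
    "AttachGroupPolicy", "DetachGroupPolicy",
}


def unauthorized_api_call(ev):
    # CIS 3.1 filter: errorCode ends with "UnauthorizedOperation" or starts with "AccessDenied"
    code = ev.get("errorCode") or ""
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


def console_login_without_mfa(ev):
    # CIS 3.2 filter: eventName = ConsoleLogin and additionalEventData.MFAUsed != "Yes"
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def root_account_usage(ev):
    # CIS 3.3 filter: userIdentity.type = Root, no userIdentity.invokedBy, eventType != AwsServiceEvent
    ident = ev.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and ev.get("eventType") != "AwsServiceEvent")


def iam_policy_change(ev):
    # CIS 3.4 filter: eventName is one of the IAM policy mutation calls
    return ev.get("eventName") in IAM_POLICY_EVENTS


def console_auth_failure(ev):
    # CIS 3.6 filter: eventName = ConsoleLogin and errorMessage = "Failed authentication"
    return ev.get("eventName") == "ConsoleLogin" and ev.get("errorMessage") == "Failed authentication"


RULES = {
    "3.1 unauthorized API call": unauthorized_api_call,
    "3.2 console sign-in without MFA": console_login_without_mfa,
    "3.3 root account usage": root_account_usage,
    "3.4 IAM policy change": iam_policy_change,
    "3.6 console authentication failure": console_auth_failure,
}


def evaluate(events):
    """Map each rule that fired to the eventIDs of the records that matched it."""
    hits = {}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(name, []).append(ev["eventID"])
    return hits


# Constructed sample records, trimmed to the CloudTrail fields the checks read.
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventType": "AwsApiCall", "eventName": "DescribeInstances",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventID": "e2", "eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"},
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventID": "e3", "eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"},
     "userIdentity": {"type": "Root"}},
    {"eventID": "e4", "eventType": "AwsApiCall", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventID": "e5", "eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "errorMessage": "Failed authentication", "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventID": "e6", "eventType": "AwsServiceEvent", "eventName": "RebootInstances",
     "userIdentity": {"type": "Root", "invokedBy": "AWS Internal"}},
    {"eventID": "e7", "eventType": "AwsApiCall", "eventName": "ListBuckets",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111111111111:assumed-role/reader/s"}},
]

if __name__ == "__main__":
    for name, ids in sorted(evaluate(SAMPLE_EVENTS).items()):
        print(f"{name}: {', '.join(ids)}")
```

Two behaviours worth knowing before wiring these conditions to alarms: a root console sign-in counts as root usage (e3) even when MFA was used, which is the benchmark's intent, and a failed console sign-in (e5) matches both 3.6 and 3.2, because CloudTrail records MFAUsed as "No" on failed attempts, so the 3.2 alarm will also fire on password-guessing noise unless the responseElements outcome is taken into account. The service-originated root event (e6) is excluded by the invokedBy and eventType conditions, which is what keeps 3.3 from alerting on AWS acting on the account's behalf.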
aws_single_sign-on | AWS Single Sign-On | technique_scores | T1078.004 | Cloud Accounts
  Comments: This control may protect against malicious use of valid accounts by implementing fine-grained and least-privilege access through use of permission sets (a collection of administrator-defined policies that AWS SSO uses to determine a user's effective permissions to access a given AWS account). The ability to reduce the set of credentials and accounts needed for a user allows for simpler and safer access and privilege management.