An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).(Citation: Expel AWS Attacker) (Citation: Microsoft O365 Admin Roles)
This account modification may immediately follow Create Account or other malicious account activity. Adversaries may also modify existing Valid Accounts that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.
For example, in AWS environments, an adversary with appropriate permissions may be able to use the <code>CreatePolicyVersion</code> API to define a new version of an IAM policy or the <code>AttachUserPolicy</code> API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation)
In some cases, adversaries may add roles to adversary-controlled accounts outside the victim cloud tenant. This allows these external accounts to perform actions inside the victim tenant without requiring the adversary to Create Account or modify a victim-owned account.(Citation: Invictus IR DangerDev 2024)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.IR-01.05 | Remote access protection | Mitigates | T1098.003 | Additional Cloud Roles |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
References
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1098.003 | Additional Cloud Roles |
Comments
This diagnostic statement protects against Additional Cloud Roles through the use of privileged account management and the use of multi-factor authentication.
References
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1098.003 | Additional Cloud Roles |
Comments
This diagnostic statement protects against Additional Cloud Roles through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
References
|
| PR.AA-02.01 | Authentication of identity | Mitigates | T1098.003 | Additional Cloud Roles |
Comments
This diagnostic statement provides protection from Account Manipulation through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify accounts.
References
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1098.003 | Additional Cloud Roles |
Comments
This diagnostic statement protects against Account Manipulation through the use of revocation of keys and key management. Employing limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to manipulate accounts.
References
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1098.003 | Additional Cloud Roles |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
References
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1098.003 | Additional Cloud Roles |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
References
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1098.003 | Additional Cloud Roles |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
References
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1098.003 | Additional Cloud Roles |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
References
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1098.003 | Additional Cloud Roles |
Comments
This diagnostic statement protects against Additional Cloud Roles through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1098.003 | Additional Cloud Roles | |
| CM-05 | Access Restrictions for Change | mitigates | T1098.003 | Additional Cloud Roles | |
| IA-05 | Authenticator Management | mitigates | T1098.003 | Additional Cloud Roles | |
| SI-07 | Software, Firmware, and Information Integrity | mitigates | T1098.003 | Additional Cloud Roles | |
| AC-20 | Use of External Systems | mitigates | T1098.003 | Additional Cloud Roles | |
| IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1098.003 | Additional Cloud Roles | |
| SI-04 | System Monitoring | mitigates | T1098.003 | Additional Cloud Roles | |
| AC-02 | Account Management | mitigates | T1098.003 | Additional Cloud Roles | |
| AC-05 | Separation of Duties | mitigates | T1098.003 | Additional Cloud Roles | |
| AC-03 | Access Enforcement | mitigates | T1098.003 | Additional Cloud Roles | |
| AC-06 | Least Privilege | mitigates | T1098.003 | Additional Cloud Roles |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| attribute.integrity.variety.Modify privileges | Modified privileges or permissions | related-to | T1098.003 | Additional Cloud Roles |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| azure_role_based_access_control | Azure Role-Based Access Control | technique_scores | T1098.003 | Additional Cloud Roles |
Comments
This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can modify accounts.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| identity_platform | Identity Platform | technique_scores | T1098.003 | Additional Cloud Roles |
Comments
Identity Platform can help protect your app's users and prevent account takeovers by offering multi-factor authentication (MFA) and integrating with Google's intelligence for account protection. This will help mitigate adversaries from gaining access to permission levels.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| EID-CAE-E3 | Continuous Access Evaluation | Technique Scores | T1098.003 | Additional Cloud Roles |
Comments
Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:
User Account is deleted or disabled
Password for a user is changed or reset
Multifactor authentication is enabled for the user
Administrator explicitly revokes all refresh tokens for a user
High user risk detected by Microsoft Entra ID Protection
License Requirements:
Continuous access evaluation will be included in all versions of Microsoft 365.
References
|
| DEF-CAPP-E5 | Defender for Cloud Apps | Technique Scores | T1098.003 | Additional Cloud Roles |
Comments
This control can detect anomalous admin activity that may be indicative of account manipulation. Relevant alerts include "Unusual administrative activity (by user)" and "Unusual addition of credentials to an OAuth app".
References
|
| EID-PWLA-E3 | Passwordless Authentication | Technique Scores | T1098.003 | Additional Cloud Roles |
Comments
Microsoft recommended the use of Passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have, plus something you are or something you know.(e.g., Biometric, FIDO2 security keys, Microsoft’s Authenticator app).
When combined with Conditional Access policies, Passwordless Authentication can significantly protect against the likelihood of adversary activity (e.g., additional cloud roles, etc.).
License Requirements:
All Microsoft Entra ID licenses
References
|
| EID-IDPR-E5 | ID Protection | Technique Scores | T1098.003 | Additional Cloud Roles |
Comments
Microsoft Entra ID Protection helps organizations detect, investigate, and remediate identity-based risks. These identity-based risks can be further fed into tools like Conditional Access to make access decisions or fed back to a security information and event management (SIEM) tool for further investigation and correlation. Identity Protection requires users be a Security Reader, Security Operator, Security Administrator, Global Reader, or Global Administrator in order to access the dashboard.
Risk-based Conditional Access policies can be enabled to require access controls such as providing a strong authentication method, perform multi-factor authentication, or perform a secure password reset based on the detected risk level. If the user successfully completes the access control, the risk is automatically remediated.
License Requirements:
Microsoft Entra ID P2
References
|
| DEF-IR-E5 | Incident Response | Technique Scores | T1098.003 | Additional Cloud Roles |
Comments
An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.
Microsoft 365 Defender Incident Response responds to Additional Cloud Role attacks due to Incident Response monitoring for permission alert policies which collect usage logs from cloud administrator accounts to identify unusual activity.
License Requirements:
Microsoft Defender XDR
References
|
| PUR-PAM-E5 | Privileged Access Management | Technique Scores | T1098.003 | Additional Cloud Roles |
Comments
Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings. Microsoft 365 configuration settings. When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes. (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval).
License requirements: M365 E5 customers.
References
|
| EID-RBAC-E3 | Role Based Access Control | Technique Scores | T1098.003 | Additional Cloud Roles |
Comments
The RBAC control can be used to implement the principle of least privilege for account management in order to limit the number of accounts with the ability to add additional cloud roles. This receives a score of Partial for its ability to minimize known accounts with the ability to add roles.
License Requirements:
ME-ID Built-in Roles (Free)
References
|
| DEF-LM-E5 | Lateral Movements | Technique Scores | T1098.003 | Additional Cloud Roles |
Comments
Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain are for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy to interpret, direct visual guidance on your most vulnerable, sensitive accounts.
References
|
| EID-MFA-E3 | Multifactor Authentication | Technique Scores | T1098.003 | Additional Cloud Roles |
Comments
Requiring the use of MFA along with conditional access policies may reduce the likelihood of adversaries making credential modifications, administrator changes, account manipulation, changes to permissions, etc.
References
|
| EID-PIM-E5 | Privileged Identity Management | Technique Scores | T1098.003 | Additional Cloud Roles |
Comments
This control can require MFA to be triggered when the Global Administrator role is assigned to an account or when the role is activated by a user.
References
|
| EID-PIM-E5 | Privileged Identity Management | Technique Scores | T1098.003 | Additional Cloud Roles |
Comments
This control can notify administrators whenever the Global Administrator role is assigned to an account and can therefore be used to detect the execution of this sub-technique. Assigning the Global Administrator role to an account is an infrequent operation and as a result, the false positive rate should be minimal.
References
|
| EID-PIM-E5 | Privileged Identity Management | Technique Scores | T1098.003 | Additional Cloud Roles |
Comments
The PIM control can notify administrators when the Global Administrator and other administrator roles are assigned to an account, allowing it to be a method of detection for Additional Cloud Roles execution. PIM supports multiple security alerts, with customizable triggers, including numeric specificity. Following Microsoft's role based access control Best Practices, assignment of Global Administrator, among other administrative roles should be uncommon, resulting in an overall low false positive rate for detecting unexpected privileged role assignments.
License Requirements:
Microsoft Entra ID P2 or Microsoft Entra ID Governance
References
|
| EID-PIM-E5 | Privileged Identity Management | Technique Scores | T1098.003 | Additional Cloud Roles |
Comments
The PIM control can enforce on-activation requirements for privileged roles, such as the Global Administrator. Configuration can include an MFA requirement, which can provide additional protection against Additional Cloud Roles. MFA can be required both when assigning these administrative roles, and/or when a user activates the role.
License Requirements:
Microsoft Entra ID P2 or Microsoft Entra ID Governance
References
|