An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).(Citation: Expel AWS Attacker) (Citation: Microsoft O365 Admin Roles)
This account modification may immediately follow Create Account or other malicious account activity. Adversaries may also modify existing Valid Accounts that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.
For example, in AWS environments, an adversary with appropriate permissions may be able to use the <code>CreatePolicyVersion</code> API to define a new version of an IAM policy or the <code>AttachUserPolicy</code> API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation)
In some cases, adversaries may add roles to adversary-controlled accounts outside the victim cloud tenant. This allows these external accounts to perform actions inside the victim tenant without requiring the adversary to Create Account or modify a victim-owned account.(Citation: Invictus IR DangerDev 2024)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.IR-01.05 | Remote access protection | Mitigates | T1098.003 | Additional Cloud Roles |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
References
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1098.003 | Additional Cloud Roles |
Comments
This diagnostic statement protects against Additional Cloud Roles through the use of privileged account management and the use of multi-factor authentication.
References
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1098.003 | Additional Cloud Roles |
Comments
This diagnostic statement protects against Additional Cloud Roles through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
References
|
| PR.AA-02.01 | Authentication of identity | Mitigates | T1098.003 | Additional Cloud Roles |
Comments
This diagnostic statement provides protection from Account Manipulation through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify accounts.
References
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1098.003 | Additional Cloud Roles |
Comments
This diagnostic statement protects against Account Manipulation through the use of revocation of keys and key management. Employing limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to manipulate accounts.
References
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1098.003 | Additional Cloud Roles |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
References
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1098.003 | Additional Cloud Roles |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
References
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1098.003 | Additional Cloud Roles |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
References
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1098.003 | Additional Cloud Roles |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
References
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1098.003 | Additional Cloud Roles |
Comments
This diagnostic statement protects against Additional Cloud Roles through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1098.003 | Additional Cloud Roles | |
| CM-05 | Access Restrictions for Change | mitigates | T1098.003 | Additional Cloud Roles | |
| IA-05 | Authenticator Management | mitigates | T1098.003 | Additional Cloud Roles | |
| SI-07 | Software, Firmware, and Information Integrity | mitigates | T1098.003 | Additional Cloud Roles | |
| AC-20 | Use of External Systems | mitigates | T1098.003 | Additional Cloud Roles | |
| IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1098.003 | Additional Cloud Roles | |
| SI-04 | System Monitoring | mitigates | T1098.003 | Additional Cloud Roles | |
| AC-02 | Account Management | mitigates | T1098.003 | Additional Cloud Roles | |
| AC-05 | Separation of Duties | mitigates | T1098.003 | Additional Cloud Roles | |
| AC-03 | Access Enforcement | mitigates | T1098.003 | Additional Cloud Roles | |
| AC-06 | Least Privilege | mitigates | T1098.003 | Additional Cloud Roles |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| attribute.integrity.variety.Modify privileges | Modified privileges or permissions | related-to | T1098.003 | Additional Cloud Roles |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| azure_role_based_access_control | Azure Role-Based Access Control | technique_scores | T1098.003 | Additional Cloud Roles |
Comments
This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can modify accounts.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| identity_platform | Identity Platform | technique_scores | T1098.003 | Additional Cloud Roles |
Comments
Identity Platform can help protect your app's users and prevent account takeovers by offering multi-factor authentication (MFA) and integrating with Google's intelligence for account protection. This will help mitigate adversaries from gaining access to permission levels.
References
|