T1538 Cloud Service Dashboard

An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.(Citation: Google Command Center Dashboard)

Depending on the configuration of the environment, an adversary may be able to enumerate more information via the graphical dashboard than an API. This allows the adversary to gain information without making any API requests.

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.AA-01.02 Physical and logical access Mitigates T1538 Cloud Service Dashboard
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
References
    PR.AA-01.01 Identity and credential management Mitigates T1538 Cloud Service Dashboard
    Comments
    This diagnostic statement protects against Cloud Service Dashboard through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
    References

      NIST 800-53 Mappings

      Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
      IA-08 Identification and Authentication (Non-Organizational Users) mitigates T1538 Cloud Service Dashboard
      IA-02 Identification and Authentication (Organizational Users) mitigates T1538 Cloud Service Dashboard
      AC-02 Account Management mitigates T1538 Cloud Service Dashboard
      AC-03 Access Enforcement mitigates T1538 Cloud Service Dashboard
      AC-05 Separation of Duties mitigates T1538 Cloud Service Dashboard
      AC-06 Least Privilege mitigates T1538 Cloud Service Dashboard

      VERIS Mappings

      Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
      action.malware.variety.In-memory (malware never stored to persistent storage) related-to T1538 Cloud Service Dashboard

      Azure Mappings

      Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
      azure_policy Azure Policy technique_scores T1538 Cloud Service Dashboard
      Comments
      This control may provide recommendations to enable Azure services that limit access to Azure Resource Manager and other Azure dashboards. Several Azure services and controls provide mitigations against this technique.
      References
      azure_role_based_access_control Azure Role-Based Access Control technique_scores T1538 Cloud Service Dashboard
      Comments
      This control can be used to limit the number of users that have dashboard visibility thereby reducing the attack surface.
      References
      defender_for_resource_manager Microsoft Defender for Resource Manager technique_scores T1538 Cloud Service Dashboard
      Comments
      This control may alert on suspicious management activity based on IP, time, anomalous behaviour, or PowerShell usage. Machine learning algorithms are used to reduce false positives. The following alerts may be generated: "Activity from a risky IP address", "Activity from infrequent country", "Impossible travel activity", "Suspicious management session using PowerShell detected", "Suspicious management session using an inactive account detected", "Suspicious management session using Azure portal detected".
      References

      GCP Mappings

      Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
      policy_intelligence Policy Intelligence technique_scores T1538 Cloud Service Dashboard
      Comments
      This control may limit the number of users that have privileges to discover cloud infrastructure and may limit the discovery value of the dashboard in the event of a compromised account.
      References

      AWS Mappings

      Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
      aws_config AWS Config technique_scores T1538 Cloud Service Dashboard
      Comments
      The "mfa-enabled-for-iam-console-access" managed rule checks whether multi-factor authentication is enabled for all AWS IAM users that use a console password, protecting against misuse of those accounts' dashboard access. It is run periodically, and provides significant coverage, resulting in an overall score of Significant.
      References
      aws_organizations AWS Organizations technique_scores T1538 Cloud Service Dashboard
      Comments
      This control may protect against cloud service dashboard abuse by segmenting accounts into separate organizational units and restricting dashboard access by least privilege.
      References

      M365 Mappings

      Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
      DEF-IR-E5 Incident Response Technique Scores T1538 Cloud Service Dashboard
      Comments
      An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action. Microsoft 365 Defender Incident Response responds to Cloud Service Dashboard attacks due to Incident Response monitoring for newly constructed logon behavior across cloud service management consoles and the aggregated alerts allowing admins to correlate security systems with login information, such as user accounts, IP addresses, and login names. License Requirements: Microsoft Defender XDR
      References
      EID-RBAC-E3 Role Based Access Control Technique Scores T1538 Cloud Service Dashboard
      Comments
      The RBAC control can be used to implement the principle of least privilege, limiting dashboard visibility to necessary accounts. This receives a score of Partial for its ability to minimize the discovery value a dashboard may have in the event of a compromised account. License Requirements: ME-ID Built-in Roles (Free)
      References
      DEF-ATH-E5 Advanced Threat Hunting Technique Scores T1538 Cloud Service Dashboard
      Comments
      Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch. Advanced Threat Hunting Detects Cloud Service Dashboard attacks due to the IdentityInfo and IdentityLogonEvents tables in the advanced hunting schema which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps and information about user accounts obtained from various services, including Microsoft Entra ID. License Requirements: Microsoft Defender XDR, Microsoft Defender for Cloud Apps, Microsoft Defender for Office 365 plan 2
      References
      DEF-APGV-E5 App Governance Technique Scores T1538 Cloud Service Dashboard
      Comments
      App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization App Governance Detects Cloud Service Dashboard attacks due to App Governance monitoring aggregated sign-in activity for each app and tracking all risky sign-in's. License Requirements: Microsoft Defender for Cloud Apps
      References