An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the Google Cloud Security Command Center dashboard can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.(Citation: Google Command Center Dashboard)
Depending on the configuration of the environment, an adversary may be able to enumerate more information through the graphical dashboard than through the API. This lets the adversary gather information without issuing API calls directly from a CLI or SDK, which can sidestep detections keyed on programmatic access. Console activity is still recorded by the provider's audit logging (for example, AWS CloudTrail records ConsoleLogin events and the actions taken from the console), so detection for this technique should cover console sign-ins and management-console activity rather than only API-client usage.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.AA-01.02 | Physical and logical access | Mitigates | T1538 | Cloud Service Dashboard | This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls for systems include MFA, user account management, and role-based access control mechanisms that enforce authentication and authorization policies for user accounts. |
PR.AA-01.01 | Identity and credential management | Mitigates | T1538 | Cloud Service Dashboard | This diagnostic statement protects against Cloud Service Dashboard abuse through hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
IA-08 | Identification and Authentication (Non-Organizational Users) | mitigates | T1538 | Cloud Service Dashboard | |
IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1538 | Cloud Service Dashboard | |
AC-02 | Account Management | mitigates | T1538 | Cloud Service Dashboard | |
AC-03 | Access Enforcement | mitigates | T1538 | Cloud Service Dashboard | |
AC-05 | Separation of Duties | mitigates | T1538 | Cloud Service Dashboard | |
AC-06 | Least Privilege | mitigates | T1538 | Cloud Service Dashboard | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.In-memory | (malware never stored to persistent storage) | related-to | T1538 | Cloud Service Dashboard | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
azure_policy | Azure Policy | technique_scores | T1538 | Cloud Service Dashboard | This control may provide recommendations to enable Azure services that limit access to Azure Resource Manager and other Azure dashboards. Several Azure services and controls provide mitigations against this technique. |
azure_role_based_access_control | Azure Role-Based Access Control | technique_scores | T1538 | Cloud Service Dashboard | This control can be used to limit the number of users that have dashboard visibility, thereby reducing the attack surface. |
defender_for_resource_manager | Microsoft Defender for Resource Manager | technique_scores | T1538 | Cloud Service Dashboard | This control may alert on suspicious management activity based on IP address, time, anomalous behaviour, or PowerShell usage, with machine learning used to reduce false positives. Alerts that may be generated include "Activity from a risky IP address", "Activity from infrequent country", "Impossible travel activity", "Suspicious management session using PowerShell detected", "Suspicious management session using an inactive account detected", and "Suspicious management session using Azure portal detected". |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
policy_intelligence | Policy Intelligence | technique_scores | T1538 | Cloud Service Dashboard | This control may limit the number of users that have privileges to discover cloud infrastructure, and may limit the discovery value of the dashboard in the event of a compromised account. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
aws_config | AWS Config | technique_scores | T1538 | Cloud Service Dashboard | The "mfa-enabled-for-iam-console-access" managed rule checks whether multi-factor authentication is enabled for all AWS IAM users that use a console password, protecting against misuse of those accounts' dashboard access. It is run periodically and provides significant coverage, resulting in an overall score of Significant. |
aws_organizations | AWS Organizations | technique_scores | T1538 | Cloud Service Dashboard | This control may protect against cloud service dashboard abuse by segmenting accounts into separate organizational units and restricting dashboard access by least privilege. |
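As an added example that is not part of the mappings page or of AWS Config itself, the condition the mfa-enabled-for-iam-console-access rule evaluates can be reproduced offline from the IAM credential report, which exposes the same per-user password and MFA state. The Python below parses a constructed report (the account ID, user names and timestamps are made up, and only the columns the check reads are included; a real report has more) and, going beyond the Config rule, also flags a root account without MFA and console passwords that were never used or have gone stale, which is the "inactive account" and "removal of terminated accounts" concern that appears elsewhere on this page.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the CSV that `aws iam get-credential-report`
# returns (base64-decoded). Only the columns this check reads are included;
# a real report carries more (access_key_2_*, cert_*, ...). The account ID,
# user names and timestamps are made up.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,false,false
alice,arn:aws:iam::123456789012:user/alice,2021-03-02T00:00:00+00:00,true,2024-05-02T08:00:00+00:00,true,true
bob,arn:aws:iam::123456789012:user/bob,2021-03-02T00:00:00+00:00,true,no_information,false,true
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-07-10T00:00:00+00:00,false,N/A,false,true
carol,arn:aws:iam::123456789012:user/carol,2023-01-15T00:00:00+00:00,true,2023-06-01T12:00:00+00:00,false,false
"""

# Reference time for the inactivity check (an assumption for the sample;
# use datetime.now(timezone.utc) against a live report).
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Finding:
    user: str
    reason: str


def _is_true(value: str) -> bool:
    # Report values are the strings "true"/"false", or "not_supported" for root.
    return value.strip().lower() == "true"


def _last_used(value: str):
    # "no_information" and "N/A" mean the password was never used / does not exist.
    try:
        return datetime.fromisoformat(value.strip())
    except ValueError:
        return None


def console_users_without_mfa(report_csv: str) -> list[Finding]:
    """Principals whose console password can be used without MFA.

    Same condition the mfa-enabled-for-iam-console-access rule evaluates:
    password_enabled == true and mfa_active == false is NON_COMPLIANT.
    API-only users (no console password) are out of scope. The root row
    reports password_enabled as 'not_supported'; it is flagged here when it
    lacks MFA, which goes beyond what the Config rule checks.
    """
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            if not _is_true(row["mfa_active"]):
                findings.append(Finding(user, "root account has no MFA device"))
            continue
        if _is_true(row["password_enabled"]) and not _is_true(row["mfa_active"]):
            findings.append(Finding(user, "console password enabled without MFA"))
    return findings


def inactive_console_users(report_csv: str, now: datetime, max_idle_days: int) -> list[Finding]:
    """Console passwords never used, or unused for longer than max_idle_days.

    A dormant console password plus a leaked credential gives an attacker
    quiet dashboard access, so stale password-enabled users are worth
    removing or at least reviewing.
    """
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if not _is_true(row["password_enabled"]):
            continue  # root (not_supported) and API-only users are skipped
        last = _last_used(row["password_last_used"])
        if last is None:
            findings.append(Finding(row["user"], "console password never used"))
        elif now - last > timedelta(days=max_idle_days):
            findings.append(Finding(row["user"], f"console password unused for {(now - last).days} days"))
    return findings


if __name__ == "__main__":
    for f in console_users_without_mfa(SAMPLE_REPORT) + inactive_console_users(SAMPLE_REPORT, SAMPLE_NOW, 90):
        print(f"{f.user}: {f.reason}")
```

Against a live account, run `aws iam generate-credential-report`, then feed the base64-decoded Content field of `aws iam get-credential-report` in place of SAMPLE_REPORT and the current UTC time in place of SAMPLE_NOW. Everything console_users_without_mfa returns is what the Config rule would mark NON_COMPLIANT, except the root row, which the rule does not cover.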
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DEF-IR-E5 | Incident Response | Technique Scores | T1538 | Cloud Service Dashboard | An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity; individual alerts provide valuable clues about a completed or ongoing attack, but because attacks typically employ various techniques against different types of entities (devices, users, mailboxes), the result is multiple alerts for multiple entities in the tenant. Piecing the individual alerts together can be challenging and time-consuming, so Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical incident response workflow in Microsoft Defender XDR is triage, then investigation, then response. Incident Response responds to Cloud Service Dashboard attacks because it monitors for newly observed logon behaviour across cloud service management consoles, and the aggregated alerts let admins correlate security systems with login information such as user accounts, IP addresses, and login names. License requirements: Microsoft Defender XDR. |
EID-RBAC-E3 | Role Based Access Control | Technique Scores | T1538 | Cloud Service Dashboard | The RBAC control can be used to implement the principle of least privilege, limiting dashboard visibility to the accounts that need it. This receives a score of Partial for its ability to minimize the discovery value a dashboard may have in the event of a compromised account. License requirements: ME-ID Built-in Roles (Free). |
DEF-ATH-E5 | Advanced Threat Hunting | Technique Scores | T1538 | Cloud Service Dashboard | Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across devices managed by Microsoft Defender for Endpoint, emails processed by Microsoft 365, cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally across your devices. Advanced hunting supports two modes, guided and advanced; advanced mode is for users comfortable writing Kusto Query Language (KQL) queries from scratch. Advanced Threat Hunting detects Cloud Service Dashboard attacks through the IdentityInfo and IdentityLogonEvents tables in the advanced hunting schema, which contain information about user accounts obtained from various services, including Microsoft Entra ID, and about authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps. License requirements: Microsoft Defender XDR, Microsoft Defender for Cloud Apps, Microsoft Defender for Office 365 Plan 2. |
DEF-APGV-E5 | App Governance | Technique Scores | T1538 | Cloud Service Dashboard | App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. It delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions, and it shows which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce, what permissions those apps hold, and which users granted access to their accounts. These insights support decisions to block or restrict apps that present significant risk to the organization. App Governance detects Cloud Service Dashboard attacks by monitoring aggregated sign-in activity for each app and tracking all risky sign-ins. License requirements: Microsoft Defender for Cloud Apps. |
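The alert names listed under Microsoft Defender for Resource Manager, the logon correlation described for Defender XDR incidents, and the IdentityLogonEvents data behind advanced hunting all reduce to the same logic: compare each management-console sign-in against the account's recent history. As an added example that is not code from this page or from Microsoft, the Python below runs three such checks (infrequent country, impossible travel, inactive account) over a constructed sign-in history for a hypothetical contoso.example tenant, using documentation-range IP addresses and made-up countries and times. The record fields are named loosely after the IdentityLogonEvents table, but that schema is an assumption; impossible travel is reduced to "a different country within an hour" rather than a geodistance calculation; and in Defender the equivalent would be written as a KQL query over the real table.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Logon:
    # Field names are modelled loosely on IdentityLogonEvents (Timestamp,
    # AccountUpn, IPAddress, Location, Application, ActionType); the exact
    # schema is an assumption of this example, not Microsoft's.
    ts: datetime
    account: str
    ip: str
    country: str
    app: str
    success: bool = True


@dataclass(frozen=True)
class Alert:
    kind: str
    account: str
    detail: str
    ip: str


def _logon(ts, account, ip, country, app, success=True):
    return Logon(datetime.fromisoformat(ts), account, ip, country, app, success)


# Constructed sign-in history (accounts, IPs, countries and times are made up).
# Everything dated 2024-05-01 is the day under investigation.
SAMPLE_LOGONS = [
    _logon("2024-02-01T12:00:00", "svc.legacy@contoso.example", "198.51.100.9", "DE", "Azure Portal"),
    _logon("2024-04-01T09:00:00", "admin.a@contoso.example", "203.0.113.10", "US", "Azure Portal"),
    _logon("2024-04-02T10:00:00", "admin.b@contoso.example", "198.51.100.7", "DE", "Azure Portal"),
    _logon("2024-04-08T09:05:00", "admin.a@contoso.example", "203.0.113.10", "US", "Azure Portal"),
    _logon("2024-04-15T08:58:00", "admin.a@contoso.example", "203.0.113.11", "US", "Azure Portal"),
    _logon("2024-04-20T10:00:00", "admin.b@contoso.example", "198.51.100.7", "DE", "Azure Portal"),
    _logon("2024-05-01T09:00:00", "admin.a@contoso.example", "203.0.113.10", "US", "Azure Portal"),
    _logon("2024-05-01T09:35:00", "admin.a@contoso.example", "192.0.2.55", "RU", "Azure Portal", success=False),
    _logon("2024-05-01T09:40:00", "admin.a@contoso.example", "192.0.2.55", "RU", "Azure Portal"),
    _logon("2024-05-01T11:00:00", "admin.b@contoso.example", "198.51.100.7", "DE", "Exchange Online"),
    _logon("2024-05-01T13:00:00", "svc.legacy@contoso.example", "192.0.2.56", "DE", "Azure Portal"),
]

PORTAL_APPS = {"Azure Portal"}  # management-console applications of interest


def portal_sessions(logons, start, end):
    """Successful management-console sign-ins inside [start, end)."""
    return [l for l in logons if l.app in PORTAL_APPS and l.success and start <= l.ts < end]


def infrequent_country(logons, start, end, baseline_days=30):
    """Portal sign-in from a country the account has not used in the baseline window."""
    alerts = []
    for l in portal_sessions(logons, start, end):
        base_start = l.ts - timedelta(days=baseline_days)
        seen = {b.country for b in logons
                if b.account == l.account and b.success and base_start <= b.ts < l.ts}
        if seen and l.country not in seen:  # no baseline at all -> nothing to compare
            alerts.append(Alert("infrequent country", l.account, l.country, l.ip))
    return alerts


def impossible_travel(logons, start, end, max_minutes=60):
    """Two successful sign-ins by one account from different countries within max_minutes.

    Real impossible-travel detections use geodistance and plausible travel
    speed; comparing countries is a simplification made for this example.
    """
    alerts = []
    last_by_account = {}
    for l in sorted(logons, key=lambda x: x.ts):
        if not l.success:
            continue  # failed attempts do not establish a location
        prev = last_by_account.get(l.account)
        if (prev and start <= l.ts < end and prev.country != l.country
                and l.ts - prev.ts <= timedelta(minutes=max_minutes)):
            alerts.append(Alert("impossible travel", l.account, f"{prev.country}->{l.country}", l.ip))
        last_by_account[l.account] = l
    return alerts


def inactive_account_session(logons, start, end, dormant_days=60):
    """Portal sign-in by an account with no successful sign-in for dormant_days or more."""
    alerts = []
    for l in portal_sessions(logons, start, end):
        prior = [b.ts for b in logons if b.account == l.account and b.success and b.ts < l.ts]
        if prior and l.ts - max(prior) >= timedelta(days=dormant_days):
            alerts.append(Alert("inactive account", l.account, f"idle {(l.ts - max(prior)).days}d", l.ip))
    return alerts


def hunt(logons, start, end):
    return (infrequent_country(logons, start, end)
            + impossible_travel(logons, start, end)
            + inactive_account_session(logons, start, end))


WINDOW_START = datetime.fromisoformat("2024-05-01T00:00:00")
WINDOW_END = datetime.fromisoformat("2024-05-02T00:00:00")

if __name__ == "__main__":
    for a in hunt(SAMPLE_LOGONS, WINDOW_START, WINDOW_END):
        print(f"[{a.kind}] {a.account} {a.detail} from {a.ip}")
```

Three design points carry over to a production version: only successful sign-ins establish a baseline (a failed attempt from a new country is a different signal), an account with no history inside the baseline window produces no "infrequent country" alert because there is nothing to compare against, and the dormant-account check looks at the full history rather than the baseline window, since the whole point is that the account has been silent for longer than that.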