T1651 Cloud Administration Command

Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. (Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)

If an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environment’s virtual machines. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a Trusted Relationship to execute commands in connected virtual machines.(Citation: MSTIC Nobelium Oct 2021)

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.IR-01.05 Remote access protection Mitigates T1651 Cloud Administration Command
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
References
    PR.AA-05.02 Privileged system access Mitigates T1651 Cloud Administration Command
    Comments
    This diagnostic statement protects against Cloud Administration Command through the use of privileged account management and the use of multi-factor authentication.
    References
      DE.CM-06.02 Third-party access monitoring Mitigates T1651 Cloud Administration Command
      Comments
      This diagnostic statement protects against Cloud Administration Command through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
      References
        DE.CM-03.03 Privileged account monitoring Mitigates T1651 Cloud Administration Command
        Comments
        This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
        References
          PR.AA-03.01 Authentication requirements Mitigates T1651 Cloud Administration Command
          Comments
          This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
          References
            PR.PS-01.09 Virtualized end point protection Mitigates T1651 Cloud Administration Command
            Comments
            The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. To help with mitigating this technique, consider limiting the number of cloud accounts with permissions to remotely execute commands on virtual machines, and ensure that these are not used for day-to-day operations.
            References

              NIST 800-53 Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              AC-17 Remote Access mitigates T1651 Cloud Administration Command
              IA-02 Identification and Authentication (Organizational Users) mitigates T1651 Cloud Administration Command
              SI-04 System Monitoring mitigates T1651 Cloud Administration Command
              AC-06 Least Privilege mitigates T1651 Cloud Administration Command
              AC-03 Access Enforcement mitigates T1651 Cloud Administration Command
              AC-02 Account Management mitigates T1651 Cloud Administration Command

              VERIS Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1651 Cloud Administration Command

              Azure Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              just-in-time_vm_access Microsoft Defender for Cloud: Just-in-Time VM Access technique_scores T1651 Cloud Administration Command
              Comments
              This capability can protect against unauthorized cloud administration.
              References

              GCP Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              identity_and_access_management Identity and Access Management technique_scores T1651 Cloud Administration Command
              Comments
              IAM can be configured to minimize permissions to users and prevent unnecessary access to the gcloud CLI.
              References

              AWS Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              aws_config AWS Config technique_scores T1651 Cloud Administration Command
              Comments
              The "mfa-enabled-for-iam-console-access" managed rule checks whether multi-factor authentication is enabled for all AWS IAM users,vprotecting against misuse of those accounts' access to Amazon System Manager and the ability to run cloud administration commands. It is run periodically, and provides significant coverage, resulting in an overall score of Significant.
              References
              aws_organizations AWS Organizations technique_scores T1651 Cloud Administration Command
              Comments
              This control may protect against cloud administration command abuse by segmenting accounts into separate organizational units and restricting Amazon Security Manager access by least privilege.
              References
              aws_security_hub AWS Security Hub technique_scores T1651 Cloud Administration Command
              Comments
              AWS Security Hub controls for System Manager can be configured to prevent unauthorized Cloud Administration Commands from being executed.
              References

              M365 Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              EID-CAE-E3 Continuous Access Evaluation Technique Scores T1651 Cloud Administration Command
              Comments
              Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated: User Account is deleted or disabled Password for a user is changed or reset Multifactor authentication is enabled for the user Administrator explicitly revokes all refresh tokens for a user High user risk detected by Microsoft Entra ID Protection License Requirements: Continuous access evaluation will be included in all versions of Microsoft 365.
              References
              DEF-SSCO-E3 Secure Score Technique Scores T1651 Cloud Administration Command
              Comments
              Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal. Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action. To help you find the information you need more quickly, Microsoft recommended actions are organized into groups: Identity (Microsoft Entra accounts & roles) Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices) Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps) Data (through Microsoft Information Protection)
              References
              PUR-PAM-E5 Privileged Access Management Technique Scores T1651 Cloud Administration Command
              Comments
              Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings. Microsoft 365 configuration settings. When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes. (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval). License requirements: M365 E5 customers.
              References
              EID-RBAC-E3 Role Based Access Control Technique Scores T1651 Cloud Administration Command
              Comments
              The RBAC control can be used to implement the principle of least privilege for account management, limiting the number of Global and Intune administrators to those required. This scores Partial for its ability to minimize the overall accounts with associated privileges. License Requirements: ME-ID Built-in Roles (Free)
              References
              EID-PIM-E5 Privileged Identity Management Technique Scores T1651 Cloud Administration Command
              Comments
              The PIM control can enforce on-activation requirements for privileged roles, such as Global Administrators. Configuration can include an MFA requirement, which can help limit the overall privileged accounts available and their ability to execute administration commands. PIM can also be used to assigned privileged roles as "eligible" rather than "active" to further, requiring activation of the assigned role before use. Due to these features, a score of Significant is assigned. License Requirements: Microsoft Entra ID P2 or Microsoft Entra ID Governance
              References