Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. (Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)
If an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environment’s virtual machines. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a Trusted Relationship to execute commands in connected virtual machines.(Citation: MSTIC Nobelium Oct 2021)
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1651 | Cloud Administration Command | |
aws_config | AWS Config | technique_scores | T1651 | Cloud Administration Command |
Comments
The "mfa-enabled-for-iam-console-access" managed rule checks whether multi-factor authentication is enabled for all AWS IAM users,vprotecting against misuse of those accounts' access to Amazon System Manager and the ability to run cloud administration commands. It is run periodically, and provides significant coverage, resulting in an overall score of Significant.
References
|
aws_organizations | AWS Organizations | technique_scores | T1651 | Cloud Administration Command |
Comments
This control may protect against cloud administration command abuse by segmenting accounts into separate organizational units and restricting Amazon Security Manager access by least privilege.
References
|
aws_security_hub | AWS Security Hub | technique_scores | T1651 | Cloud Administration Command |
Comments
AWS Security Hub controls for System Manager can be configured to prevent unauthorized Cloud Administration Commands from being executed.
References
|