Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. (Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)
If an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environment’s virtual machines. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a Trusted Relationship to execute commands in connected virtual machines.(Citation: MSTIC Nobelium Oct 2021)
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.IR-01.05 | Remote access protection | Mitigates | T1651 | Cloud Administration Command | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.AA-05.02 | Privileged system access | Mitigates | T1651 | Cloud Administration Command | This diagnostic statement protects against Cloud Administration Command through the use of privileged account management and the use of multi-factor authentication. |
DE.CM-06.02 | Third-party access monitoring | Mitigates | T1651 | Cloud Administration Command | This diagnostic statement protects against Cloud Administration Command through the use of privileged account management. Employing auditing, privileged access management, and just-in-time access protects against adversaries trying to obtain illicit access to critical systems. |
DE.CM-03.03 | Privileged account monitoring | Mitigates | T1651 | Cloud Administration Command | This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse. |
PR.AA-03.01 | Authentication requirements | Mitigates | T1651 | Cloud Administration Command | This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, using multi-factor authentication where necessary, and safeguarding the storage of authenticators such as PINs and passwords to protect sensitive access credentials. |
PR.PS-01.09 | Virtualized end point protection | Mitigates | T1651 | Cloud Administration Command | This diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. To help mitigate this technique, limit the number of cloud accounts with permissions to remotely execute commands on virtual machines, and ensure that these accounts are not used for day-to-day operations. |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-17 | Remote Access | mitigates | T1651 | Cloud Administration Command | |
IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1651 | Cloud Administration Command | |
SI-04 | System Monitoring | mitigates | T1651 | Cloud Administration Command | |
AC-06 | Least Privilege | mitigates | T1651 | Cloud Administration Command | |
AC-03 | Access Enforcement | mitigates | T1651 | Cloud Administration Command | |
AC-02 | Account Management | mitigates | T1651 | Cloud Administration Command | |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1651 | Cloud Administration Command | |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
just-in-time_vm_access | Microsoft Defender for Cloud: Just-in-Time VM Access | technique_scores | T1651 | Cloud Administration Command | This capability can protect against unauthorized cloud administration. |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
identity_and_access_management | Identity and Access Management | technique_scores | T1651 | Cloud Administration Command | IAM can be configured to minimize permissions to users and prevent unnecessary access to the gcloud CLI. |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
aws_config | AWS Config | technique_scores | T1651 | Cloud Administration Command | The "mfa-enabled-for-iam-console-access" managed rule checks whether multi-factor authentication is enabled for all AWS IAM users, protecting against misuse of those accounts' access to AWS Systems Manager and the ability to run cloud administration commands. It is run periodically and provides significant coverage, resulting in an overall score of Significant. |
aws_organizations | AWS Organizations | technique_scores | T1651 | Cloud Administration Command | This control may protect against cloud administration command abuse by segmenting accounts into separate organizational units and restricting Amazon Security Manager access by least privilege. |
aws_security_hub | AWS Security Hub | technique_scores | T1651 | Cloud Administration Command | AWS Security Hub controls for Systems Manager can be configured to prevent unauthorized Cloud Administration Commands from being executed. |
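The technique description at the top of the page and the notes in the mappings (limit the accounts allowed to run commands on virtual machines, require MFA, continuously monitor privileged activity) together describe a concrete detection a defender can run. The following is an added example, not code from the mapping page, from MITRE, or from AWS: it reads constructed CloudTrail-style records (the real `eventSource`, `eventName` and `userIdentity` fields, with sample values invented here) and flags AWS Systems Manager command executions whose principal is not on a run-command allowlist or whose session is not MFA-authenticated. The allowlist role, the account id `111122223333` and the instance ids are assumptions.

```python
"""Detection check for cloud administration command activity (T1651).

Added example; it is not code from the mapping page, from MITRE, or from AWS.
It reads CloudTrail-style records (eventSource, eventName, userIdentity) and
flags Systems Manager command executions that violate two mitigations the
mappings call for: an MFA-authenticated session and a short allowlist of
principals permitted to run commands on instances.
"""
import json

# Assumption: the organisation maintains this allowlist of IAM principal ARNs
# that are permitted to run commands on instances (constructed value).
ALLOWED_PRINCIPALS = {"arn:aws:iam::111122223333:role/OpsRunCommandRole"}

# Systems Manager API actions that execute commands or open a shell on an instance.
COMMAND_ACTIONS = {"SendCommand", "StartSession", "StartAutomationExecution"}

# Constructed CloudTrail-style records, one JSON object per line (not real logs).
SAMPLE_EVENTS = """\
{"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/OpsRunCommandRole/ops-1", "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/OpsRunCommandRole"}, "attributes": {"mfaAuthenticated": "true"}}}, "requestParameters": {"documentName": "AWS-RunShellScript", "instanceIds": ["i-0123456789abcdef0"]}}
{"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice", "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}, "requestParameters": {"documentName": "AWS-RunPowerShellScript", "instanceIds": ["i-0fedcba9876543210"]}}
{"eventSource": "ssm.amazonaws.com", "eventName": "StartSession", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ContractorRole/c-7", "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/ContractorRole"}, "attributes": {"mfaAuthenticated": "true"}}}, "requestParameters": {"target": "i-0123456789abcdef0"}}
{"eventSource": "ssm.amazonaws.com", "eventName": "DescribeInstanceInformation", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}}
"""


def parse_events(raw: str) -> list[dict]:
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def principal_arn(event: dict) -> str:
    """Return the IAM principal behind the call.

    For an assumed role, CloudTrail records the role under
    userIdentity.sessionContext.sessionIssuer; otherwise userIdentity.arn
    is the user itself.
    """
    ident = event.get("userIdentity") or {}
    issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
    return issuer.get("arn") or ident.get("arn") or "<unknown>"


def is_mfa_authenticated(event: dict) -> bool:
    """True only when the session context carries mfaAuthenticated == "true"."""
    ident = event.get("userIdentity") or {}
    attrs = (ident.get("sessionContext") or {}).get("attributes") or {}
    return str(attrs.get("mfaAuthenticated", "false")).lower() == "true"


def command_targets(event: dict) -> list[str]:
    """Instance ids named in the request (SendCommand: instanceIds; StartSession: target)."""
    params = event.get("requestParameters") or {}
    if params.get("instanceIds"):
        return list(params["instanceIds"])
    if params.get("target"):
        return [params["target"]]
    return []


def findings(events: list[dict]) -> list[dict]:
    """Return one finding per command execution that breaks the allowlist or MFA rule."""
    out = []
    for event in events:
        if event.get("eventSource") != "ssm.amazonaws.com":
            continue
        if event.get("eventName") not in COMMAND_ACTIONS:
            continue  # read-only SSM calls such as DescribeInstanceInformation are ignored
        arn = principal_arn(event)
        reasons = []
        if arn not in ALLOWED_PRINCIPALS:
            reasons.append("principal not on run-command allowlist")
        if not is_mfa_authenticated(event):
            reasons.append("session not MFA-authenticated")
        if reasons:
            out.append({
                "eventName": event["eventName"],
                "principal": arn,
                "targets": command_targets(event),
                "reasons": reasons,
            })
    return out


if __name__ == "__main__":
    print(json.dumps(findings(parse_events(SAMPLE_EVENTS)), indent=2))
```

Run against the constructed records, the allowlisted operations role with an MFA session produces no finding, the IAM user without MFA produces a finding with both reasons, and the contractor role produces a finding for the allowlist violation only; the read-only `DescribeInstanceInformation` call is ignored. Resolving the principal through `sessionIssuer` matters because assumed-role calls otherwise show a per-session ARN that never matches a static allowlist.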