Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. (Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)
If an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environment’s virtual machines. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a Trusted Relationship to execute commands in connected virtual machines.(Citation: MSTIC Nobelium Oct 2021)
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.IR-01.05 | Remote access protection | Mitigates | T1651 | Cloud Administration Command |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
References
|
PR.AA-05.02 | Privileged system access | Mitigates | T1651 | Cloud Administration Command |
Comments
This diagnostic statement protects against Cloud Administration Command through the use of privileged account management and the use of multi-factor authentication.
References
|
DE.CM-06.02 | Third-party access monitoring | Mitigates | T1651 | Cloud Administration Command |
Comments
This diagnostic statement protects against Cloud Administration Command through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
References
|
DE.CM-03.03 | Privileged account monitoring | Mitigates | T1651 | Cloud Administration Command |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
References
|
PR.AA-03.01 | Authentication requirements | Mitigates | T1651 | Cloud Administration Command |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
References
|
PR.PS-01.09 | Virtualized end point protection | Mitigates | T1651 | Cloud Administration Command |
Comments
The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. To help with mitigating this technique, consider limiting the number of cloud accounts with permissions to remotely execute commands on virtual machines, and ensure that these are not used for day-to-day operations.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-17 | Remote Access | mitigates | T1651 | Cloud Administration Command | |
IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1651 | Cloud Administration Command | |
SI-04 | System Monitoring | mitigates | T1651 | Cloud Administration Command | |
AC-06 | Least Privilege | mitigates | T1651 | Cloud Administration Command | |
AC-03 | Access Enforcement | mitigates | T1651 | Cloud Administration Command | |
AC-02 | Account Management | mitigates | T1651 | Cloud Administration Command |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1651 | Cloud Administration Command |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
just-in-time_vm_access | Microsoft Defender for Cloud: Just-in-Time VM Access | technique_scores | T1651 | Cloud Administration Command |
Comments
This capability can protect against unauthorized cloud administration.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
identity_and_access_management | Identity and Access Management | technique_scores | T1651 | Cloud Administration Command |
Comments
IAM can be configured to minimize permissions to users and prevent unnecessary access to the gcloud CLI.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
aws_config | AWS Config | technique_scores | T1651 | Cloud Administration Command |
Comments
The "mfa-enabled-for-iam-console-access" managed rule checks whether multi-factor authentication is enabled for all AWS IAM users,vprotecting against misuse of those accounts' access to Amazon System Manager and the ability to run cloud administration commands. It is run periodically, and provides significant coverage, resulting in an overall score of Significant.
References
|
aws_organizations | AWS Organizations | technique_scores | T1651 | Cloud Administration Command |
Comments
This control may protect against cloud administration command abuse by segmenting accounts into separate organizational units and restricting Amazon Security Manager access by least privilege.
References
|
aws_security_hub | AWS Security Hub | technique_scores | T1651 | Cloud Administration Command |
Comments
AWS Security Hub controls for System Manager can be configured to prevent unauthorized Cloud Administration Commands from being executed.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
EID-CAE-E3 | Continuous Access Evaluation | Technique Scores | T1651 | Cloud Administration Command |
Comments
Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:
User Account is deleted or disabled
Password for a user is changed or reset
Multifactor authentication is enabled for the user
Administrator explicitly revokes all refresh tokens for a user
High user risk detected by Microsoft Entra ID Protection
License Requirements:
Continuous access evaluation will be included in all versions of Microsoft 365.
References
|
DEF-SSCO-E3 | Secure Score | Technique Scores | T1651 | Cloud Administration Command |
Comments
Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.
Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.
To help you find the information you need more quickly, Microsoft recommended actions are organized into groups:
Identity (Microsoft Entra accounts & roles)
Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)
Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)
Data (through Microsoft Information Protection)
References
|
PUR-PAM-E5 | Privileged Access Management | Technique Scores | T1651 | Cloud Administration Command |
Comments
Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings. Microsoft 365 configuration settings. When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes. (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval).
License requirements: M365 E5 customers.
References
|
EID-RBAC-E3 | Role Based Access Control | Technique Scores | T1651 | Cloud Administration Command |
Comments
The RBAC control can be used to implement the principle of least privilege for account management, limiting the number of Global and Intune administrators to those required. This scores Partial for its ability to minimize the overall accounts with associated privileges.
License Requirements:
ME-ID Built-in Roles (Free)
References
|
EID-PIM-E5 | Privileged Identity Management | Technique Scores | T1651 | Cloud Administration Command |
Comments
The PIM control can enforce on-activation requirements for privileged roles, such as Global Administrators. Configuration can include an MFA requirement, which can help limit the overall privileged accounts available and their ability to execute administration commands. PIM can also be used to assigned privileged roles as "eligible" rather than "active" to further, requiring activation of the assigned role before use. Due to these features, a score of Significant is assigned.
License Requirements:
Microsoft Entra ID P2 or Microsoft Entra ID Governance
References
|