Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through various methods such as command line interpreters (CLIs), in-browser Cloud Shells, PowerShell modules like Azure for PowerShell(Citation: Microsoft - Azure PowerShell), or software developer kits (SDKs) available for languages such as Python.
Cloud API functionality may allow for administrative access across all major services in a tenant such as compute, storage, identity and access management (IAM), networking, and security policies.
With proper permissions (often via use of credentials such as Application Access Token and Web Session Cookie), adversaries may abuse cloud APIs to invoke various functions that execute malicious actions. For example, CLI and PowerShell functionality may be accessed through binaries installed on cloud-hosted or on-premises hosts or accessed through a browser-based cloud shell offered by many cloud platforms (such as AWS, Azure, and GCP). These cloud shells are often a packaged unified environment to use CLI and/or scripting modules hosted as a container in the cloud environment.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AIS-08 | API Security | mitigates | T1059.009 | Cloud API |
Comments
This control implements measures to secure APIs. Using application control and monitoring for and blocking malicious API calls can help prevent adversaries from abusing cloud APIs to execute malicious commands.
References
|
| IAM-16 | Authorization Mechanisms | mitigates | T1059.009 | Cloud API |
Comments
This control requires both CSP and CSC to independently enforce formal approval processes for user access, implement dynamic and explicit authorization mechanisms. The guidance focuses on implementing technical measures to verify authorization and prevent unauthorized access and execution.
References
|
| I&S-04 | OS Hardening and Base Controls | mitigates | T1059.009 | Cloud API |
Comments
This control implements secure configuration best practices for hardening cloud platforms to mitigate adversary exploitation and abuse of system functionality. Use of application control and disabling or removing any unnecessary or unused shells or interpreters can mitigate adversary use of cloud APIs to execute malicious commands.
References
|
| UEM-05 | Endpoint Management | mitigates | T1059.009 | Cloud API |
Comments
This control provides for the implementation of best practices for endpoint management. The execution of unauthorized or malicious code on systems through abuse of command and script interpreters can be prevented by implementing application control, script blocking, and other execution prevention mechanisms.
References
|
| IPY-02 | Application Interface Availability | mitigates | T1059.009 | Cloud API |
Comments
This control requires the CSP to provide secure, standards-based, interoperable APIs with up-to-date documentation and communicate changes, while the CSC must review API documentation, use open standards, test API functionality for data transfer and recovery, monitor for outages and changes, and ensure secure, portable, and interoperable cloud deployments.
References
|
| DSP-17 | Sensitive Data Protection | mitigates | T1059.009 | Cloud API |
Comments
This control requires the Cloud Service Provider (CSP) to implement robust mitigative controls such as network segmentation and firewalling, encryption, access controls with multi-factor authentication and intrusion detection to ensure sensitive customer data is protected throughout its lifecycle.
For this technique, adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant.
In terms of mitigation, using application control where appropriate to block use of PowerShell CmdLets or other host based resources to access cloud API resources and sensitive data could mitigate this technique.
References
|
| UEM-14 | Third-Party Endpoint Security Posture | mitigates | T1059.009 | Cloud API |
Comments
This control provides for the implementation of best practices for third-party endpoint management. The execution of unauthorized or malicious code on systems through abuse of command and script interpreters can be prevented by implementing application control, script blocking, and other execution prevention mechanisms.
References
|
| AIS-05 | Automated Application Security Testing | mitigates | T1059.009 | Cloud API |
Comments
The control describes multiple testing approaches with automated tools to identify vulnerabilities from development through production. The control outlines testing for injection attacks, session hijacking, and aligning with industry standards like OWASP Top 10 to ensure applications are secure. With proper permissions (often via use of credentials such as Application Access Token and Web Session Cookie), adversaries may abuse cloud APIs to invoke various functions that execute malicious actions.
References
|