Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.
For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure / Entra ID.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)
In infrastructure-as-a-service (IaaS) environments, after gaining access through Cloud Accounts, adversaries may generate or import their own SSH keys using either the <code>CreateKeyPair</code> or <code>ImportKeyPair</code> API in AWS or the <code>gcloud compute os-login ssh-keys add</code> command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)
Adversaries may also use the <code>CreateAccessKey</code> API in AWS or the <code>gcloud iam service-accounts keys create</code> command in GCP to add access keys to an account. Alternatively, they may use the <code>CreateLoginProfile</code> API in AWS to add a password that can be used to log into the AWS Management Console for Cloud Service Dashboard.(Citation: Permiso Scattered Spider 2023)(Citation: Lacework AI Resource Hijacking 2024) If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. Cloud Accounts).(Citation: Rhino Security Labs AWS Privilege Escalation)(Citation: Sysdig ScarletEel 2.0) For example, in Entra ID environments, an adversary with the Application Administrator role can add a new set of credentials to their application's service principal. In doing so the adversary would be able to access the service principal’s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation)
In AWS environments, adversaries with the appropriate permissions may also use the sts:GetFederationToken API call to create a temporary set of credentials to Forge Web Credentials tied to the permissions of the original user account. These temporary credentials may remain valid for the duration of their lifetime even if the original account’s API credentials are deactivated.
(Citation: Crowdstrike AWS User Federation Persistence)
In Entra ID environments with the app password feature enabled, adversaries may be able to add an app password to a user account.(Citation: Mandiant APT42 Operations 2024) As app passwords are intended to be used with legacy devices that do not support multi-factor authentication (MFA), adding an app password can allow an adversary to bypass MFA requirements. Additionally, app passwords may remain valid even if the user’s primary password is reset.(Citation: Microsoft Entra ID App Passwords)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| IAM-16 | Authorization Mechanisms | mitigates | T1098.001 | Additional Cloud Credentials |
Comments
This control requires both CSP and CSC to independently enforce formal approval processes for user access, implement dynamic and explicit authorization mechanisms. The guidance focuses on implementing technical measures to verify authorization and prevent unauthorized access and execution.
References
|
| IAM-14 | Strong Authentication | mitigates | T1098.001 | Additional Cloud Credentials |
Comments
This control requires both CSP and CSC to independently enforce multi-factor authentication (MFA) for all non-console administrative, remote, sensitive data, and third-party access, implement secure centralized authentication systems and digital certificates, protect credentials, monitor authentication activity, and ensure strong, risk-based authentication measures are consistently applied and reviewed.
References
|
| IAM-13 | Uniquely Identifiable Users | mitigates | T1098.001 | Additional Cloud Credentials |
Comments
This control requires both CSP and CSC to independently assign unique, cryptographically secure identifiers to users, ensure traceability and accountability for all access, including shared accounts, implement strong access controls, encryption for user identity data.
These techniques focus on mitigating attacker techniques against user services or machine accounts within cloud environments or identity management system.
References
|
| IAM-11 | CSCs Approval for Agreed Privileged Access Roles | mitigates | T1098.001 | Additional Cloud Credentials |
Comments
This control requires both CSP and CSC to collaboratively identify high-risk data and privileged roles, enforce formal CSC approval workflows for CSP user access, use secure PAM systems, and implement comprehensive monitoring and reporting to ensure privileged access to sensitive CSC data is tightly controlled and traceable.
Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.This mitigation can be implemented through
account permissions and roles, PAM solutions, or just-In-Time access.
References
|
| IAM-10 | Management of Privileged Access Roles | mitigates | T1098.001 | Additional Cloud Credentials |
Comments
This control requires both CSP and CSC to independently manage privileged access by enforcing time-bound approvals, formal request and justification processes, automated revocation, session restrictions, credential vaulting and rotation, continuous monitoring, and periodic reviews, ensuring privileged access is tightly controlled, monitored, and limited to only what is necessary for specific roles and timeframes.
Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.This mitigation can be implemented through
account permissions and roles, PAM solutions, or just-In-Time access.
References
|
| IAM-09 | Segregation of Privileged Access Roles | mitigates | T1098.001 | Additional Cloud Credentials |
Comments
This control describes the periodic, risk-based, and reviews of privileged accounts and high-risk access configurations, ensuring these are accounts are managed and scrutinized to prevent unauthorized access or excessive privileges.
Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.This mitigation can be implemented through
account permissions and roles, PAM solutions, or just-In-Time access.
References
|
| I&S-06 | Segmentation and Segregation | mitigates | T1098.001 | Additional Cloud Credentials |
Comments
This control provides for appropriately segmented and segregated cloud environments. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level) to filter traffic based on security rules. Limiting access to critical systems and domain controllers can mitigate adversary use of account manipulation to maintain and/or elevate access to systems.
References
|
| I&S-09 | Network Defense | mitigates | T1098.001 | Additional Cloud Credentials |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level) to filter traffic based on security rules. Limiting access to critical systems and domain controllers can mitigate adversary use of account manipulation to maintain and/or elevate access to systems.
References
|
| HRS-03 | Clean Desk Policy and Procedures | mitigates | T1098.001 | Additional Cloud Credentials |
Comments
This control includes account management controls such as enabling multi-factor authentication (MFA), which can help prevent adversaries from creating or manipulating accounts.
References
|
| IAM-03 | Identity Inventory | mitigates | T1098.001 | Additional Cloud Credentials |
Comments
This control describes how the CSP must actively maintain and review a comprehensive inventory of all system identities (users, services, applications, roles, groups) with access to cloud resources. For this technique, adversaries may add adversary-controlled credentials and identity to a cloud account to maintain persistent access to victim accounts and instances within the environment. For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure / Entra ID. In terms of mitigation, a dynamic inventory of permitted cloud identities and roles may aid in flagging the creation or addition of any unauthorized identities.
References
|
| IAM-05 | Least Privilege | mitigates | T1098.001 | Additional Cloud Credentials |
Comments
This control describes the enforcement of the principle of least privilege implementing controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and by limiting access to sensitive data.
For this technique, in terms of mitigation, ensure that low-privileged user accounts do not have permission to add access keys to accounts. For example, in AWS environments, prohibit users from calling the sts:GetFederationToken API unless explicitly required.
References
|
| IAM-02 | Strong Password Policy and Procedures | mitigates | T1098.001 | Additional Cloud Credentials |
Comments
This control requires the CSP to enforce strong password management practices, implement protections against brute-force attacks, and support secure password reset processes.
For this technique, adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. In terms of mitigation, use multi-factor authentication for user and privileged accounts. Consider enforcing multi-factor authentication for the CreateKeyPair and ImportKeyPair API calls through IAM policies
References
|
| DSP-15 | Limitation of Production Data Use | mitigates | T1098.001 | Additional Cloud Credentials |
Comments
This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, adversaries may add adversary-controlled credentials to a cloud account to move production data throughout the cloud environment.
In terms of mitigation, consider configuring access controls and firewalls to limit which accounts have access to production critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems from production and non-production environments.
References
|
| DSP-17 | Sensitive Data Protection | mitigates | T1098.001 | Additional Cloud Credentials |
Comments
This control requires the Cloud Service Provider (CSP) to implement robust mitigative controls such as network segmentation and firewalling, encryption, access controls with multi-factor authentication and intrusion detection to ensure sensitive customer data is protected throughout its lifecycle.
For this technique, adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. In terms of mitigation, Use multi-factor authentication for user and privileged accounts. Consider enforcing multi-factor authentication for the CreateKeyPair and ImportKeyPair API calls through IAM policies; Configure access controls and firewalls to limit access to critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems; Or, Ensure that low-privileged user accounts do not have permission to add access keys to accounts. In certain cloud environments, prohibit users from calling the GetFederationToken API unless explicitly required.
References
|