An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).(Citation: Expel AWS Attacker) (Citation: Microsoft O365 Admin Roles)
This account modification may immediately follow Create Account or other malicious account activity. Adversaries may also modify existing Valid Accounts that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.
For example, in AWS environments, an adversary with appropriate permissions may be able to use the <code>CreatePolicyVersion</code> API to define a new version of an IAM policy or the <code>AttachUserPolicy</code> API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation)
In some cases, adversaries may add roles to adversary-controlled accounts outside the victim cloud tenant. This allows these external accounts to perform actions inside the victim tenant without requiring the adversary to Create Account or modify a victim-owned account.(Citation: Invictus IR DangerDev 2024)
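A defender-side check for the two API calls named above, as an added example that is not part of the original page: it reviews CloudTrail-style records for <code>CreatePolicyVersion</code> and <code>AttachUserPolicy</code> calls made outside an approved workflow. The sample records, account ID, ARNs, and the <code>APPROVED</code> allow-list are constructed assumptions.

```python
WATCHED = {"CreatePolicyVersion", "AttachUserPolicy"}  # IAM APIs named in the text
# Assumption: hypothetical role allowed to change IAM through an approved workflow.
APPROVED = {"arn:aws:iam::111122223333:role/iam-provisioning"}

def actor_arn(identity):
    """Role ARN for assumed-role sessions, otherwise the caller's own ARN."""
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or identity.get("arn", "unknown")

def review(records):
    """Findings for watched IAM calls (denied ones too) outside the approved workflow."""
    findings = []
    for rec in records:
        name = rec.get("eventName")
        if rec.get("eventSource") != "iam.amazonaws.com" or name not in WATCHED:
            continue
        actor = actor_arn(rec.get("userIdentity", {}))
        if actor in APPROVED:
            continue
        params = rec.get("requestParameters") or {}  # can be null in a record
        target, notes = params.get("userName"), []
        if name == "AttachUserPolicy" and target and actor.endswith(":user/" + target):
            notes.append("self-attached policy")
        if name == "CreatePolicyVersion" and params.get("setAsDefault"):
            notes.append("new version set as default")
        findings.append({"actor": actor, "event": name, "policy": params.get("policyArn"),
                         "outcome": rec.get("errorCode", "success"), "notes": notes})
    return findings

def _rec(name, arn, params, issuer=None, source="iam.amazonaws.com", **extra):
    """Build a constructed CloudTrail-style record (sample data, not real logs)."""
    identity = {"arn": arn}
    if issuer:
        identity["sessionContext"] = {"sessionIssuer": {"arn": issuer}}
    return {"eventSource": source, "eventName": name, "userIdentity": identity,
            "requestParameters": params, **extra}

ACCT = "arn:aws:iam::111122223333"
NEW_VERSION = {"policyArn": ACCT + ":policy/app-read", "setAsDefault": True}
SAMPLE = [
    _rec("AttachUserPolicy", ACCT + ":user/dev-ci",
         {"userName": "dev-ci", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _rec("CreatePolicyVersion", "arn:aws:sts::111122223333:assumed-role/iam-provisioning/deploy",
         NEW_VERSION, issuer=ACCT + ":role/iam-provisioning"),
    _rec("CreatePolicyVersion", ACCT + ":user/alice", NEW_VERSION),
    _rec("AttachUserPolicy", ACCT + ":user/bob", None, errorCode="AccessDenied"),
    _rec("GetObject", ACCT + ":user/bob", {}, source="s3.amazonaws.com"),
]
print(*review(SAMPLE), sep="\n")
```

The approved-role call and the S3 event are dropped; the self-attached policy, the unapproved policy version, and the denied attempt are reported.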

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| IAM-16 | Authorization Mechanisms | mitigates | T1098.003 | Additional Cloud Roles | This control requires both CSP and CSC to independently enforce formal approval processes for user access and implement dynamic and explicit authorization mechanisms. The guidance focuses on implementing technical measures to verify authorization and prevent unauthorized access and execution. |
| IAM-14 | Strong Authentication | mitigates | T1098.003 | Additional Cloud Roles | This control requires both CSP and CSC to independently enforce multi-factor authentication (MFA) for all non-console administrative, remote, sensitive data, and third-party access, implement secure centralized authentication systems and digital certificates, protect credentials, monitor authentication activity, and ensure strong, risk-based authentication measures are consistently applied and reviewed. |
| IAM-13 | Uniquely Identifiable Users | mitigates | T1098.003 | Additional Cloud Roles | This control requires both CSP and CSC to independently assign unique, cryptographically secure identifiers to users, ensure traceability and accountability for all access, including shared accounts, and implement strong access controls and encryption for user identity data. These techniques focus on mitigating attacker techniques against user services or machine accounts within cloud environments or identity management systems. |
| IAM-11 | CSCs Approval for Agreed Privileged Access Roles | mitigates | T1098.003 | Additional Cloud Roles | This control requires both CSP and CSC to collaboratively identify high-risk data and privileged roles, enforce formal CSC approval workflows for CSP user access, use secure PAM systems, and implement comprehensive monitoring and reporting to ensure privileged access to sensitive CSC data is tightly controlled and traceable. Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing. This mitigation can be implemented through account permissions and roles, PAM solutions, or just-in-time access. |
| IAM-10 | Management of Privileged Access Roles | mitigates | T1098.003 | Additional Cloud Roles | This control requires both CSP and CSC to independently manage privileged access by enforcing time-bound approvals, formal request and justification processes, automated revocation, session restrictions, credential vaulting and rotation, continuous monitoring, and periodic reviews, ensuring privileged access is tightly controlled, monitored, and limited to only what is necessary for specific roles and timeframes. Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing. This mitigation can be implemented through account permissions and roles, PAM solutions, or just-in-time access. |
| IAM-09 | Segregation of Privileged Access Roles | mitigates | T1098.003 | Additional Cloud Roles | This control describes periodic, risk-based reviews of privileged accounts and high-risk access configurations, ensuring these accounts are managed and scrutinized to prevent unauthorized access or excessive privileges. Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing. This mitigation can be implemented through account permissions and roles, PAM solutions, or just-in-time access. |
| IAM-06 | User Access Provisioning | mitigates | T1098.003 | Additional Cloud Roles | This control describes the implementation of a secure and controlled user access provisioning process. Proper user account management reduces the attack surface by limiting unauthorized access to data, assets, and systems. Managing account access authorizations can reduce the risk of privilege escalation by ensuring accounts cannot perform unauthorized actions. |
| HRS-03 | Clean Desk Policy and Procedures | mitigates | T1098.003 | Additional Cloud Roles | This control includes account management controls such as enabling multi-factor authentication (MFA), which can help prevent adversaries from creating or manipulating accounts. |
| IAM-04 | Separation of Duties | mitigates | T1098.003 | Additional Cloud Roles | This control describes how separation of duties (SoD) must be implemented by assigning and managing distinct roles for users, applications, and services, minimizing overlapping responsibilities and restricting access to critical functions through centralized role management, multi-level approvals, and automated provisioning tools. An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments. In terms of mitigation, having multi-level approval chains for creating additional roles, or ensuring that low-privileged user accounts do not have permissions to add permissions to accounts or update IAM policies, could help catch the use of this technique. |
| IAM-07 | User Access Changes and Revocation | mitigates | T1098.003 | Additional Cloud Roles | This control focuses on the secure deprovisioning of user access by automating account removal and by detecting and revoking inactive accounts. These mitigative actions reduce the risk of lingering or inappropriate access following employee termination, role changes, or security incidents. |
| IAM-05 | Least Privilege | mitigates | T1098.003 | Additional Cloud Roles | This control describes the enforcement of the principle of least privilege by implementing controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and limiting access to sensitive data. For this technique, in terms of mitigation, ensure that low-privileged user accounts do not have permissions to add permissions to accounts or update IAM policies. |
| IAM-02 | Strong Password Policy and Procedures | mitigates | T1098.003 | Additional Cloud Roles | This control requires the CSP to enforce strong password management practices, implement protections against brute-force attacks, and support secure password reset processes. For this technique, an adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. In terms of mitigation, use multi-factor authentication for user and privileged accounts. Implementing MFA across all critical systems and services ensures robust protection against account takeover and unauthorized access. |
| DSP-17 | Sensitive Data Protection | mitigates | T1098.003 | Additional Cloud Roles | This control requires the Cloud Service Provider (CSP) to implement robust mitigative controls such as network segmentation and firewalling, encryption, access controls with multi-factor authentication, and intrusion detection to ensure sensitive customer data is protected throughout its lifecycle. For this technique, adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. In terms of mitigation, using application control where appropriate to block use of PowerShell cmdlets or other host-based resources to access cloud API resources and sensitive data could mitigate this technique. |