Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. (Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)
If an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environment’s virtual machines. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a Trusted Relationship to execute commands in connected virtual machines.(Citation: MSTIC Nobelium Oct 2021)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| IAM-16 | Authorization Mechanisms | mitigates | T1651 | Cloud Administration Command |
Comments
This control requires both CSP and CSC to independently enforce formal approval processes for user access, implement dynamic and explicit authorization mechanisms. The guidance focuses on implementing technical measures to verify authorization and prevent unauthorized access and execution.
References
|
| IPY-03 | Secure Interoperability and Portability Management | mitigates | T1651 | Cloud Administration Command |
Comments
This control requires the CSP to encrypt communications using industry-standard protocols, securely manage API certificates and keys, and monitor/patch for vulnerabilities. The guidance for CSC requires it to classify API data, encrypt sensitive information during import/export, use secure protocols, and manage encryption keys independently to mitigate risks of data tampering, loss, or unauthorized access.
References
|
| IPY-02 | Application Interface Availability | mitigates | T1651 | Cloud Administration Command |
Comments
This control requires the CSP to provide secure, standards-based, interoperable APIs with up-to-date documentation and communicate changes, while the CSC must review API documentation, use open standards, test API functionality for data transfer and recovery, monitor for outages and changes, and ensure secure, portable, and interoperable cloud deployments.
References
|