Adversaries may achieve persistence by leveraging OAuth application integrations in a software-as-a-service environment. Adversaries may create a custom application, add a legitimate application into the environment, or even co-opt an existing integration to achieve malicious ends.(Citation: Push Security SaaS Persistence 2022)(Citation: SaaS Attacks GitHub Evil Twin Integrations)
OAuth is an open standard that allows users to authorize applications to access their information on their behalf. In a SaaS environment such as Microsoft 365 or Google Workspace, users may integrate applications to improve their workflow and achieve tasks.
Leveraging application integrations may allow adversaries to persist in an environment – for example, by granting consent to an application from a high-privileged adversary-controlled account in order to maintain access to its data, even in the event of losing access to the account.(Citation: Wiz Midnight Blizzard 2024)(Citation: Microsoft Malicious OAuth Applications 2022)(Citation: Huntress Persistence Microsoft 365 Compromise 2024) In some cases, integrations may remain valid even after the original consenting user account is disabled.(Citation: Push Security Slack Persistence 2023) Application integrations may also allow adversaries to bypass multi-factor authentication requirements through the use of Application Access Tokens. Finally, they may enable persistent Automated Exfiltration over time.(Citation: Synes Cyber Corner Malicious Azure Application 2023)
Creating or adding a new application may require the adversary to create a dedicated Cloud Account for the application and assign it Additional Cloud Roles – for example, in Microsoft 365 environments, an application can only access resources via an associated service principal.(Citation: Microsoft Entra ID Service Principals)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| IAM-16 | Authorization Mechanisms | mitigates | T1671 | Cloud Application Integration |
Comments
This control requires both CSP and CSC to independently enforce formal approval processes for user access, implement dynamic and explicit authorization mechanisms. The guidance focuses on implementing technical measures to verify authorization and prevent unauthorized access and execution.
References
|
| IPY-02 | Application Interface Availability | mitigates | T1671 | Cloud Application Integration |
Comments
This control requires the CSP to provide secure, standards-based, interoperable APIs with up-to-date documentation and communicate changes, while the CSC must review API documentation, use open standards, test API functionality for data transfer and recovery, monitor for outages and changes, and ensure secure, portable, and interoperable cloud deployments.
References
|
| AIS-06 | Automated Secure Application Deployment | mitigates | T1671 | Cloud Application Integration |
Comments
This control applies to the secure deployments of applications and emphasizes the prevention of misconfigurations and malicious deployment activities. Adversaries may achieve persistence by leveraging OAuth application integrations in a software-as-a-service environment. Adversaries may create a custom application, add a legitimate application into the environment, or even co-opt an existing integration to achieve malicious ends. Secure deployment templates may mitigate the ability of an adversary to deploy malicious additions and changes to applications in the SaaS environment.
References
|
| AIS-02 | Application Security Baseline Requirements | mitigates | T1671 | Cloud Application Integration |
Comments
This control guidance requires organizations to establish security baseline requirements for different cloud applications. Security requirement examples include access control, encryption, and configuration management for applications. Adversaries may achieve persistence by leveraging OAuth application integrations in a software-as-a-service environment. Adversaries may create a custom application, add a legitimate application into the environment, or even co-opt an existing integration to achieve malicious ends. Review integrations by restricting or limiting users' ability to carelessly add new application integrations into a SaaS environment before a unapproved or potentially malicious applications is introduced to the cloud environment.
References
|