Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.
Adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)
In infrastructure-as-a-service (IaaS) environments, after gaining access through Cloud Accounts, adversaries may generate or import their own SSH keys using either the <code>CreateKeyPair</code> or <code>ImportKeyPair</code> API in AWS or the <code>gcloud compute os-login ssh-keys add</code> command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| azure_sentinel | Azure Sentinel | technique_scores | T1098.001 | Additional Cloud Credentials |
Comments
The Azure Sentinel Hunting "First access credential added to Application or Service Principal where no credential was present" query can identify potentially malicious changes to Service Principal credentials.
The Azure Sentinel Analytics "Credential added after admin consented to Application" and "New access credential added to Application or Service Principal" queries can identify potentially malicious manipulation of additional cloud credentials.
References
|
| role_based_access_control | Role Based Access Control | technique_scores | T1098.001 | Additional Cloud Credentials |
Comments
This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can modify accounts.
References
|
| azure_policy | Azure Policy | technique_scores | T1098.001 | Additional Cloud Credentials |
Comments
This control may recommend removing deprecated accounts, reducing privileges, and enabling multi-factor authentication. This can reduce the amount of accounts available to be exploited and what could be done with those accounts.
References
|
| azure_ad_privileged_identity_management | Azure AD Privileged Identity Management | technique_scores | T1098.001 | Additional Cloud Credentials |
Comments
Privileged roles such as the Application Administrator role can be configured to require MFA on activation to provide additional protection against the execution of this technique. In addition these privileged roles can be assigned as eligible rather than permanently active roles to further reduce the attack surface.
References
|
| cloud_app_security_policies | Cloud App Security Policies | technique_scores | T1098.001 | Additional Cloud Credentials |
Comments
This control can detect anomalous admin activity that may be indicative of account manipulation. Relevant alerts include "Unusual administrative activity (by user)" and "Unusual addition of credentials to an OAuth app".
References
|