T1098.001 Additional Cloud Credentials Mappings

Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.

Adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)

In infrastructure-as-a-service (IaaS) environments, after gaining access through Cloud Accounts, adversaries may generate or import their own SSH keys using either the <code>CreateKeyPair</code> or <code>ImportKeyPair</code> API in AWS or the <code>gcloud compute os-login ssh-keys add</code> command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1098.001 Additional Cloud Credentials
AC-20 Use of External Systems Protects T1098.001 Additional Cloud Credentials
AC-3 Access Enforcement Protects T1098.001 Additional Cloud Credentials
AC-4 Information Flow Enforcement Protects T1098.001 Additional Cloud Credentials
AC-5 Separation of Duties Protects T1098.001 Additional Cloud Credentials
AC-6 Least Privilege Protects T1098.001 Additional Cloud Credentials
CM-5 Access Restrictions for Change Protects T1098.001 Additional Cloud Credentials
CM-6 Configuration Settings Protects T1098.001 Additional Cloud Credentials
CM-7 Least Functionality Protects T1098.001 Additional Cloud Credentials
IA-2 Identification and Authentication (organizational Users) Protects T1098.001 Additional Cloud Credentials
IA-5 Authenticator Management Protects T1098.001 Additional Cloud Credentials
SC-46 Cross Domain Policy Enforcement Protects T1098.001 Additional Cloud Credentials
SC-7 Boundary Protection Protects T1098.001 Additional Cloud Credentials
SI-4 System Monitoring Protects T1098.001 Additional Cloud Credentials
SI-7 Software, Firmware, and Information Integrity Protects T1098.001 Additional Cloud Credentials
attribute.integrity.variety.Modify privileges Modified privileges or permissions related-to T1098.001 Account Manipulation: Additional Cloud Credentials
aws_config AWS Config technique_scores T1098.001 Additional Cloud Credentials
amazon_guardduty Amazon GuardDuty technique_scores T1098.001 Additional Cloud Credentials
aws_security_hub AWS Security Hub technique_scores T1098.001 Additional Cloud Credentials
aws_identity_and_access_management AWS Identity and Access Management technique_scores T1098.001 Additional Cloud Credentials