T1098.001 Additional Cloud Credentials
Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.
For example, adversaries may add credentials for Service Principals and Applications alongside the existing legitimate credentials in Azure AD.[5][6][7] These credentials include both X.509 certificates and passwords (client secrets).[7] With sufficient permissions there are several ways to add them, including the Azure Portal, the Azure command line interface, and the Azure or Az PowerShell modules.[3]
In infrastructure-as-a-service (IaaS) environments, after gaining access through Cloud Accounts, adversaries may generate or import their own SSH keys using either the `CreateKeyPair` or `ImportKeyPair` API in AWS or the `gcloud compute os-login ssh-keys add` command in GCP.[4] This allows persistent access to instances within the cloud environment without further use of the compromised cloud accounts.[2][8]
Adversaries may also use the `CreateAccessKey` API in AWS or the `gcloud iam service-accounts keys create` command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e., by using the new key as a Valid Accounts: Cloud Accounts credential).[9]
In AWS environments, adversaries with the appropriate permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials tied to the permissions of the original user account. These credentials remain valid for their full lifetime (up to 36 hours for an IAM user) even if the original account's API credentials are deactivated; because the federated session's effective permissions are the intersection of its session policy and the user's own policies, attaching an explicit deny to the user is the practical way to cut them off early.[1]
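As an added example (not from the ATT&CK page or its cited sources), the following hunt runs over newline-delimited CloudTrail records and flags the four AWS calls named above: `CreateAccessKey`, `CreateKeyPair`, `ImportKeyPair` and `GetFederationToken`. It raises the severity when an access key is minted for a principal other than the caller (the privilege-escalation case) and for any federation token, and it keeps failed attempts (`errorCode` present) because a denied `CreateAccessKey` against another user is itself a signal. The sample records are constructed; the field names follow the CloudTrail record format, but the identities, account number, key IDs and IP address are invented.

```python
"""Hunt AWS CloudTrail records for the credential-adding API calls named
on this page. Added example, not part of the ATT&CK page; the records
below are constructed, with made-up identities, key IDs and IPs."""
import json

# (eventSource, eventName) pairs that mint or attach a new credential.
CREDENTIAL_ADDITION_EVENTS = {
    ("iam.amazonaws.com", "CreateAccessKey"),
    ("ec2.amazonaws.com", "CreateKeyPair"),
    ("ec2.amazonaws.com", "ImportKeyPair"),
    ("sts.amazonaws.com", "GetFederationToken"),
}

# Constructed sample records, one JSON object per line (fields follow the
# CloudTrail record format; every value is invented for the example).
SAMPLE_RECORDS = r"""
{"eventTime":"2023-05-04T10:00:01Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","userIdentity":{"type":"IAMUser","userName":"dev-alice","arn":"arn:aws:iam::111122223333:user/dev-alice"},"requestParameters":{"userName":"dev-alice"},"responseElements":{"accessKey":{"accessKeyId":"AKIAEXAMPLE000000001","status":"Active"}},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2023-05-04T10:02:17Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","userIdentity":{"type":"IAMUser","userName":"dev-alice","arn":"arn:aws:iam::111122223333:user/dev-alice"},"requestParameters":{"userName":"admin-bob"},"responseElements":{"accessKey":{"accessKeyId":"AKIAEXAMPLE000000002","status":"Active"}},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2023-05-04T10:05:40Z","eventSource":"ec2.amazonaws.com","eventName":"ImportKeyPair","userIdentity":{"type":"IAMUser","userName":"dev-alice","arn":"arn:aws:iam::111122223333:user/dev-alice"},"requestParameters":{"keyName":"ops-backup","publicKeyMaterial":"c3NoLXJzYSBBQUFB"},"responseElements":{"keyFingerprint":"3f:1a:9c:00:11:22:33:44:55:66:77:88:99:aa:bb:cc"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2023-05-04T10:06:02Z","eventSource":"sts.amazonaws.com","eventName":"GetFederationToken","userIdentity":{"type":"IAMUser","userName":"dev-alice","arn":"arn:aws:iam::111122223333:user/dev-alice"},"requestParameters":{"name":"svc","durationSeconds":129600},"responseElements":{"credentials":{"accessKeyId":"ASIAEXAMPLE000000003","expiration":"2023-05-05T22:06:02Z"}},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2023-05-04T10:07:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","userIdentity":{"type":"IAMUser","userName":"dev-alice","arn":"arn:aws:iam::111122223333:user/dev-alice"},"requestParameters":{"userName":"admin-carol"},"errorCode":"AccessDenied","errorMessage":"User: arn:aws:iam::111122223333:user/dev-alice is not authorized to perform: iam:CreateAccessKey","sourceIPAddress":"203.0.113.10"}
{"eventTime":"2023-05-04T10:09:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"type":"IAMUser","userName":"dev-alice","arn":"arn:aws:iam::111122223333:user/dev-alice"},"requestParameters":{},"sourceIPAddress":"203.0.113.10"}
"""


def classify(record):
    """Return a finding dict for a credential-adding record, or None."""
    if (record.get("eventSource"), record.get("eventName")) not in CREDENTIAL_ADDITION_EVENTS:
        return None
    caller = record.get("userIdentity", {}).get("userName")
    params = record.get("requestParameters") or {}
    finding = {
        "time": record["eventTime"],
        "event": record["eventName"],
        "caller": caller,
        "source_ip": record.get("sourceIPAddress"),
        # A denied attempt still shows intent; keep it, but mark it.
        "succeeded": "errorCode" not in record,
        "severity": "medium",
        "note": "",
    }
    if record["eventName"] == "CreateAccessKey":
        # userName is optional in the request; absent means "for myself".
        target = params.get("userName", caller)
        finding["target"] = target
        if target != caller:
            finding["severity"] = "high"
            finding["note"] = "access key minted for another principal (possible privilege escalation)"
    elif record["eventName"] in ("CreateKeyPair", "ImportKeyPair"):
        finding["target"] = params.get("keyName")
        finding["note"] = "SSH key pair added; grants instance access independent of the IAM credential"
    else:  # GetFederationToken
        finding["severity"] = "high"
        finding["target"] = params.get("name")
        finding["duration_seconds"] = params.get("durationSeconds")
        finding["note"] = "federated session credentials outlive deactivation of the caller's access key"
    return finding


def hunt(jsonl):
    """Run classify() over newline-delimited CloudTrail records."""
    findings = []
    for line in jsonl.strip().splitlines():
        if line.strip():
            finding = classify(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_RECORDS):
        status = "ok" if f["succeeded"] else "DENIED"
        print(f"{f['time']} {f['severity']:6} {f['event']:18} {status:6} "
              f"caller={f['caller']} target={f['target']} {f['note']}")
```

In production the same logic sits on top of CloudTrail delivered to S3 or CloudWatch Logs; the point to preserve is the caller-versus-target comparison for `CreateAccessKey` and treating every `GetFederationToken` as worth a look, since legitimate use of it is rare in most environments.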
Item | Value |
---|---|
ID | T1098.001 |
Sub-techniques | T1098.001, T1098.002, T1098.003, T1098.004, T1098.005 |
Tactics | TA0003 |
Platforms | Azure AD, IaaS, SaaS |
Version | 2.5 |
Created | 19 January 2020 |
Last Modified | 04 May 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
C0024 | SolarWinds Compromise | During the SolarWinds Compromise, APT29 added credentials to OAuth Applications and Service Principals.[10][11] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1032 | Multi-factor Authentication | Use multi-factor authentication for user and privileged accounts. Consider enforcing multi-factor authentication for the CreateKeyPair and ImportKeyPair API calls through IAM policies.[2] |
M1030 | Network Segmentation | Configure access controls and firewalls to limit access to critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems. |
M1026 | Privileged Account Management | Do not allow domain administrator or root accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems. |
M1018 | User Account Management | Ensure that low-privileged user accounts do not have permission to add access keys to accounts. In AWS environments, prohibit users from calling the sts:GetFederationToken API unless explicitly required.[1] |
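As an added example (not from the ATT&CK page or its cited sources), an IAM identity-based policy that implements the M1032 and M1018 rows above: credential-adding calls are denied unless the request was made with MFA, access keys may only be created for the caller's own IAM user, and `sts:GetFederationToken` is denied outright. The statement IDs are illustrative.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCredentialAdditionWithoutMFA",
      "Effect": "Deny",
      "Action": [
        "iam:CreateAccessKey",
        "ec2:CreateKeyPair",
        "ec2:ImportKeyPair"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" }
      }
    },
    {
      "Sid": "DenyAccessKeysForOtherUsers",
      "Effect": "Deny",
      "Action": "iam:CreateAccessKey",
      "NotResource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "DenyFederationTokens",
      "Effect": "Deny",
      "Action": "sts:GetFederationToken",
      "Resource": "*"
    }
  ]
}
```

Two details matter. `BoolIfExists` rather than `Bool`: a request signed with a long-term access key carries no `aws:MultiFactorAuthPresent` key at all, and `Bool` would silently not match it, so only the `IfExists` form denies unauthenticated-by-MFA key usage. And `${aws:username}` resolves only for IAM users; principals that arrive through an assumed role need an equivalent rule keyed on their own identity, or simply no `iam:CreateAccessKey` allow at all. Explicit denies cannot be overridden by any allow, so the federation-token statement removes that persistence path for every principal the policy is attached to.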
Detection
ID | Data Source | Data Component |
---|---|---|
DS0002 | User Account | User Account Modification |
References
1. Vaishnav Murthy and Joel Eng. (2023, January 30). How Adversaries Can Persist with AWS User Federation. Retrieved March 10, 2023.
2. A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020.
3. Ned Bellavance. (2019, July 16). Demystifying Azure AD Service Principals. Retrieved January 19, 2020.
4. Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved October 1, 2020.
5. Bryce Kunz. (2018, October 14). Blue Cloud of Death: Red Teaming Azure. Retrieved November 21, 2019.
6. Bryce Kunz. (2018, May 11). Blue Cloud of Death: Red Teaming Azure. Retrieved October 23, 2019.
7. MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 17, 2020.
8. S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020, July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved October 1, 2020.
9. Spencer Gietzen. (n.d.). AWS IAM Privilege Escalation – Methods and Mitigation. Retrieved May 27, 2022.
10. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
11. MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020.