T1098.001 Additional Cloud Credentials
Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.
Adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.654 These credentials include both x509 keys and passwords.6 With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.2
In infrastructure-as-a-service (IaaS) environments, after gaining access through Cloud Accounts, adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.3 This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.17
| Item | Value |
|---|---|
| ID | T1098.001 |
| Sub-techniques | T1098.001, T1098.002, T1098.003, T1098.004, T1098.005 |
| Tactics | TA0003 |
| Platforms | Azure AD, IaaS, SaaS |
| Version | 2.3 |
| Created | 19 January 2020 |
| Last Modified | 19 April 2022 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0016 | APT29 | APT29 has added credentials to OAuth Applications and Service Principals.89 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1032 | Multi-factor Authentication | Use multi-factor authentication for user and privileged accounts. Consider enforcing multi-factor authentication for the CreateKeyPair and ImportKeyPair API calls through IAM policies.1 |
| M1030 | Network Segmentation | Configure access controls and firewalls to limit access to critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems. |
| M1026 | Privileged Account Management | Do not allow domain administrator or root accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0026 | Active Directory | Active Directory Object Modification |
| DS0002 | User Account | User Account Modification |
References
-
A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020. ↩↩
-
Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service Principals. Retrieved January 19, 2020. ↩
-
Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved October 1, 2020. ↩
-
Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming Azure. Retrieved November 21, 2019. ↩
-
Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming Azure. Retrieved October 23, 2019. ↩
-
MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 17, 2020. ↩↩
-
S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020, July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved October 1, 2020. ↩
-
MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020. ↩
-
CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022. ↩