T1098.003 Additional Cloud Roles
An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, they may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.[4][5][6][2] With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).[1][2]
This account modification may immediately follow Create Account or other malicious account activity. Adversaries may also modify existing Valid Accounts that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts. For example, in Azure AD environments, an adversary holding the Application Administrator role can add Additional Cloud Credentials to the service principal of an application in the tenant. Authenticating as that service principal, the adversary gains its roles and permissions, which may differ from (and exceed) those of the Application Administrator role itself.[3]
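The role and policy changes described above land in cloud audit logs (CloudTrail for AWS IAM, the Azure AD audit log for directory roles), which is the User Account Modification data component listed under Detection. The following detector is an added example and not MITRE's or any vendor's code: it runs over constructed CloudTrail and Azure AD audit events built inline (field names follow the real schemas, the values are invented), and the `PRIVILEGED_*` sets and `KNOWN_ADMINS` allowlist are hypothetical baselines a tenant would maintain itself. A privileged grant to a principal outside the allowlist is rated high, the same grant to an approved admin medium, and any other permission grant low so it is still visible.

```python
"""Flag role/permission additions (T1098.003) in cloud audit logs. Added example, not
MITRE's code: runs over constructed CloudTrail and Azure AD audit events built inline;
field names follow the real schemas, values and the PRIVILEGED_*/KNOWN_ADMINS baselines are invented."""
import json
from dataclasses import dataclass
from typing import List, Optional

# IAM calls that grant permissions to a principal (DS0002: User Account Modification).
AWS_GRANT_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy", "PutUserPolicy",
                    "PutRolePolicy", "PutGroupPolicy", "AddUserToGroup", "CreatePolicyVersion"}
# Hypothetical baselines a tenant would maintain itself.
PRIVILEGED_AWS_POLICIES = {"arn:aws:iam::aws:policy/AdministratorAccess",
                           "arn:aws:iam::aws:policy/IAMFullAccess"}
PRIVILEGED_AAD_ROLES = {"Global Administrator", "Privileged Role Administrator",
                        "Application Administrator", "Cloud Application Administrator"}
KNOWN_ADMINS = {"alice", "admin@contoso.example"}  # IAM user names / UPNs approved for admin roles


@dataclass
class Finding:
    severity: str  # high: privileged grant to a non-admin; medium: to a known admin; low: other grant
    actor: str     # principal that made the change
    target: str    # principal that gained access
    detail: str


def rate(privileged: bool, target: str) -> str:
    return "low" if not privileged else ("medium" if target in KNOWN_ADMINS else "high")


def inline_policy_is_admin(doc: str) -> bool:
    """True if an inline IAM policy document allows '*' or 'iam:*' actions."""
    try:
        statements = json.loads(doc).get("Statement", [])
    except (ValueError, AttributeError):
        return False
    for st in [statements] if isinstance(statements, dict) else statements:
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") == "Allow" and any(a in ("*", "iam:*") for a in actions):
            return True
    return False


def check_cloudtrail(ev: dict) -> Optional[Finding]:
    """Map an IAM grant event to a finding, or None if the call grants nothing."""
    name = ev.get("eventName")
    if name not in AWS_GRANT_EVENTS:
        return None
    req = ev.get("requestParameters") or {}
    target = req.get("userName") or req.get("roleName") or req.get("groupName") or "?"
    privileged = (req.get("policyArn") in PRIVILEGED_AWS_POLICIES
                  or inline_policy_is_admin(req.get("policyDocument", "")))
    what = req.get("policyArn") or req.get("policyName") or req.get("groupName") or ""
    return Finding(rate(privileged, target), (ev.get("userIdentity") or {}).get("arn", "?"),
                   target, f"{name} {what}".strip())


def check_azuread(ev: dict) -> Optional[Finding]:
    """Map an Azure AD 'Add member to role' audit event to a finding."""
    if ev.get("activityDisplayName") != "Add member to role":
        return None
    who = ev.get("initiatedBy") or {}  # user-initiated or app (service principal)-initiated
    actor = ((who.get("user") or {}).get("userPrincipalName")
             or (who.get("app") or {}).get("displayName", "?"))
    for res in ev.get("targetResources") or []:
        target = res.get("userPrincipalName") or res.get("displayName", "?")
        for prop in res.get("modifiedProperties") or []:
            if prop.get("displayName") == "Role.DisplayName":
                raw = prop.get("newValue", "")
                try:
                    role = json.loads(raw)  # the audit log JSON-encodes string values
                except ValueError:
                    role = raw
                return Finding(rate(role in PRIVILEGED_AAD_ROLES, target), actor, target,
                               f"Add member to role: {role}")
    return None


def scan(events: List[dict]) -> List[Finding]:
    """Dispatch on schema: CloudTrail records carry eventName, Azure AD audit activityDisplayName."""
    found = [check_cloudtrail(ev) if "eventName" in ev else check_azuread(ev) for ev in events]
    return [f for f in found if f is not None]


ADMIN_DOC = json.dumps({"Version": "2012-10-17",
                        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})
AAD_GA = [{"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""}]
SAMPLE_EVENTS = [  # constructed, not real logs
    {"eventName": "AttachUserPolicy", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"userName": "backup-svc", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventName": "PutUserPolicy", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"userName": "backup-svc", "policyName": "tmp", "policyDocument": ADMIN_DOC}},
    {"eventName": "AttachUserPolicy", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "alice", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
    {"eventName": "ListUsers", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"activityDisplayName": "Add member to role", "initiatedBy": {"user": {"userPrincipalName": "jdoe@contoso.example"}},
     "targetResources": [{"userPrincipalName": "svc-sync@contoso.example", "modifiedProperties": AAD_GA}]},
    {"activityDisplayName": "Add member to role", "initiatedBy": {"user": {"userPrincipalName": "jdoe@contoso.example"}},
     "targetResources": [{"userPrincipalName": "admin@contoso.example", "modifiedProperties": AAD_GA}]},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.actor} -> {f.target}: {f.detail}")
```

Two design points worth carrying into a production rule: the inline-policy check catches the case where no well-known managed policy ARN appears because the adversary wrote an `Allow * on *` document themselves, and the Azure AD branch reads the actor from either `initiatedBy.user` or `initiatedBy.app`, since a role assignment made through a compromised service principal has no user principal name at all. Comparing each new privileged member against a maintained allowlist (rather than alerting on every assignment) is what keeps the rule quiet during routine admin onboarding while still surfacing the new global administrator the description above warns about.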
Item | Value |
---|---|
ID | T1098.003 |
Sub-technique of | T1098 (Account Manipulation); sibling sub-techniques T1098.001, T1098.002, T1098.004, T1098.005 |
Tactics | TA0003 (Persistence) |
Platforms | Azure AD, Google Workspace, IaaS, Office 365, SaaS |
Version | 2.0 |
Created | 19 January 2020 |
Last Modified | 19 April 2022 |
Procedure Examples
ID | Name | Description |
---|---|---|
G0016 | APT29 | APT29 has granted company administrator privileges to a newly created service principal.7 |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1032 | Multi-factor Authentication | Use multi-factor authentication for user and privileged accounts. |
M1026 | Privileged Account Management | Ensure that all accounts use the least privileges they require. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0002 | User Account | User Account Modification |
References
1. Brian Bahtiarian, David Blanton, Britton Manahan and Kyle Pellett. (2022, April 5). Incident report: From CLI to console, chasing an attacker in AWS. Retrieved April 7, 2022.
2. Ako-Adjei, K., Dickhaus, M., Baumgartner, P., Faigel, D., et al. (2019, October 8). About admin roles. Retrieved October 18, 2019.
3. Andy Robbins. (2021, October 12). Azure Privilege Escalation via Service Principal Abuse. Retrieved April 1, 2022.
4. AWS. (n.d.). Policies and permissions in IAM. Retrieved April 1, 2022.
5. Google Cloud. (2022, March 31). Understanding policies. Retrieved April 1, 2022.
6. Microsoft. (n.d.). Add Another Admin. Retrieved October 18, 2019.
7. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.