1. Home
  2. Techniques
  3. Enterprise
  4. Account Manipulation
  5. Additional Cloud Credentials

Account Manipulation: Additional Cloud Credentials

ID Name
T1098.001 Additional Cloud Credentials
T1098.002 Additional Email Delegate Permissions
T1098.003 Additional Cloud Roles
T1098.004 SSH Authorized Keys
T1098.005 Device Registration

Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.

Adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.[1][2][3] These credentials include both x509 keys and passwords.[1] With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.[4]

In infrastructure-as-a-service (IaaS) environments, after gaining access through Cloud Accounts, adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.[5] This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.[6][7]

ID: T1098.001
Sub-technique of:  T1098
Tactic: Persistence
Platforms: Azure AD, IaaS, SaaS
Contributors: Expel; Jannie Li, Microsoft Threat Intelligence Center (MSTIC); Oleg Kolesnikov, Securonix
Version: 2.3
Created: 19 January 2020
Last Modified: 19 April 2022

Procedure Examples

ID Name Description
G0016 APT29

APT29 has added credentials to OAuth Applications and Service Principals.[8][9]

Mitigations

ID Mitigation Description
M1032 Multi-factor Authentication

Use multi-factor authentication for user and privileged accounts. Consider enforcing multi-factor authentication for the CreateKeyPair and ImportKeyPair API calls through IAM policies.[6]
M1030 Network Segmentation

Configure access controls and firewalls to limit access to critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems.
M1026 Privileged Account Management

Do not allow domain administrator or root accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.

Detection

ID Data Source Data Component
DS0026 Active Directory Active Directory Object Modification
DS0002 User Account User Account Modification

Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.

Monitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity.

References

  1. MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 17, 2020.
  2. Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming Azure. Retrieved October 23, 2019.
  3. Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming Azure. Retrieved November 21, 2019.
  4. Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service Principals. Retrieved January 19, 2020.
  5. Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved October 1, 2020.
  1. A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020.
  2. S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020, July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved October 1, 2020.
  3. MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020.
  4. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.