Account Manipulation: Additional Cloud Credentials

Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.

Adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.[1][2][3] These credentials include both x509 keys and passwords.[1] With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.[4]

In infrastructure-as-a-service (IaaS) environments, after gaining access through Cloud Accounts, adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.[5] This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.[6][7]

ID: T1098.001
Sub-technique of:  T1098
Tactic: Persistence
Platforms: Azure AD, IaaS
Permissions Required: Administrator, User
Contributors: Expel; Jannie Li, Microsoft Threat Intelligence Center (MSTIC); Oleg Kolesnikov, Securonix
Version: 2.2
Created: 19 January 2020
Last Modified: 08 March 2021

Procedure Examples

ID Name Description
G0016 APT29

APT29 has added credentials to OAuth Applications and Service Principals.[8]

Mitigations

ID Mitigation Description
M1032 Multi-factor Authentication

Use multi-factor authentication for user and privileged accounts. Consider enforcing multi-factor authentication for the CreateKeyPair and ImportKeyPair API calls through IAM policies.[6]

M1030 Network Segmentation

Configure access controls and firewalls to limit access to critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems.

M1026 Privileged Account Management

Do not allow domain administrator or root accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.

Detection

ID     | Data Source      | Data Component
DS0026 | Active Directory | Active Directory Object Modification
DS0002 | User Account     | User Account Modification

Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.

Monitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity.
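Added example (not part of the ATT&CK page): a Python sketch of the detection described above, run over constructed AWS CloudTrail and Azure AD audit log samples. It flags the CreateKeyPair/ImportKeyPair calls and Service Principal/Application credential additions named on the page, and annotates each hit with root use, missing MFA (the M1032 mitigation) and off-hours timing; the log field names, the Azure AD operation names and the 07:00-18:59 UTC business-hours window are assumptions.

```python
from datetime import datetime
# Constructed sample events (not real logs), trimmed to the fields the checks below read.
SAMPLE_CLOUDTRAIL = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "ImportKeyPair", "eventTime": "2021-03-08T02:14:00Z",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "eventTime": "2021-03-08T09:00:00Z",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ops",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
]
SAMPLE_AZURE_AUDIT = [
    {"activityDisplayName": "Add service principal credentials", "activityDateTime": "2021-03-08T02:20:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "jdoe@example.com"}},
     "targetResources": [{"displayName": "billing-sync-app"}]},
]

KEY_APIS = {"CreateKeyPair", "ImportKeyPair"}       # AWS EC2 SSH key APIs named on the page
SP_CRED_OPS = {"Add service principal credentials",  # assumed Azure AD audit operation names
               "Update application – Certificates and secrets management"}
BUSINESS_HOURS = range(7, 19)                        # assumed 07:00-18:59 UTC

def off_hours(ts):
    """True when an ISO-8601 UTC timestamp falls outside the assumed business hours."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).hour not in BUSINESS_HOURS

def flag_cloudtrail(records):
    """Alert on SSH key creation/import; note root use, missing MFA and odd hours."""
    alerts = []
    for r in records:
        if r.get("eventSource") != "ec2.amazonaws.com" or r.get("eventName") not in KEY_APIS:
            continue
        ident = r.get("userIdentity", {})
        attrs = ident.get("sessionContext", {}).get("attributes", {})
        alerts.append({"source": "cloudtrail", "api": r["eventName"], "actor": ident.get("arn"),
                       "root": ident.get("type") == "Root",
                       "mfa": attrs.get("mfaAuthenticated") == "true",
                       "off_hours": off_hours(r["eventTime"])})
    return alerts

def flag_azure_audit(entries):
    """Alert on credential additions to Service Principals and Applications."""
    alerts = []
    for e in entries:
        if e.get("activityDisplayName") not in SP_CRED_OPS:
            continue
        actor = e.get("initiatedBy", {}).get("user", {}).get("userPrincipalName")
        targets = [t.get("displayName") for t in e.get("targetResources", [])]
        alerts.append({"source": "azure_ad_audit", "op": e["activityDisplayName"], "actor": actor,
                       "targets": targets, "off_hours": off_hours(e["activityDateTime"])})
    return alerts
```

In production the same checks would be run over the Azure AD AuditLogs table and CloudTrail rather than embedded samples; the off-hours and root/MFA flags are the fields to correlate with other suspicious activity from the same actor.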

References