These ATT&CK Navigator layer files can be uploaded to ATT&CK Navigator manually.
This JSON file contains the machine readable output used to create this page: changelog.json
Current version: 1.0
Description: Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains. Manipulating the domain trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002), without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate.
Current version: 1.0
Description: Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access. Adversaries may generate these credential materials in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), [Steal Application Access Token](https://attack.mitre.org/techniques/T1528), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users. The generation of web credentials often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator) Once forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance)
Current version: 1.0
Description: Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predictable network path `\\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)
Like other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain.
Malicious GPO modifications can be used to implement many other malicious behaviors such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001), [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Create Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1035), and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide to GPOs)
For example, publicly available scripts such as `New-GPOImmediateTask` can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) by modifying GPO settings, in this case modifying `<GPO_PATH>\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml`.(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases an adversary might modify specific user rights like `SeEnableDelegationPrivilege`, set in `<GPO_PATH>\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf`, to achieve a subtle AD backdoor with complete control of the domain, because the user account under the adversary's control would then be able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right)
Current version: 1.0
Description: An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.(Citation: Microsoft SolarWinds Steps) The default lifetime of a SAML token is one hour, but the validity period can be specified in the `NotOnOrAfter` value of the `conditions ...` element in a token. This value can be changed using the `AccessTokenLifetime` in a `LifetimeTokenPolicy`.(Citation: Microsoft SAML Token Lifetimes) Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.(Citation: Cyberark Golden SAML)
An adversary may utilize [Private Keys](https://attack.mitre.org/techniques/T1552/004) to compromise an organization's token-signing certificate to create forged SAML tokens. If the adversary has sufficient permissions to establish a new federation trust with their own Active Directory Federation Services (AD FS) server, they may instead generate their own trusted token-signing certificate.(Citation: Microsoft SolarWinds Customer Guidance) This differs from [Steal Application Access Token](https://attack.mitre.org/techniques/T1528) and other similar behaviors in that the tokens are new and forged by the adversary, rather than stolen or intercepted from legitimate users.
An adversary may gain administrative Azure AD privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)
Current version: 1.0
Description: Adversaries may forge web cookies that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies to authenticate and authorize user access. Adversaries may generate these cookies in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539) and other similar behaviors in that the cookies are new and forged by the adversary, rather than stolen or intercepted from legitimate users. Most common web applications have standardized and documented cookie values that can be generated using provided tools or interfaces.(Citation: Pass The Cookie) The generation of web cookies often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values. Once forged, adversaries may use these web cookies to access resources ([Web Session Cookie](https://attack.mitre.org/techniques/T1550/004)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Volexity SolarWinds)(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)
Current version: 2.0
Version changed from: 1.1 → 2.0
New Mitigations:
Dropped Mitigations:
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | ['Itamar Mizrahi, Cymptom', 'Tristan Bennett, Seamless Intelligence'] |
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-26 21:17:41.231000+00:00 | 2021-01-11 19:48:37.680000+00:00 |
name | Group Policy Modification | Domain Policy Modification |
description | Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predictable network path `\\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016) Like other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain. Malicious GPO modifications can be used to implement many other malicious behaviors such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001), [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Create Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1035), and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide to GPOs) For example, publicly available scripts such as `New-GPOImmediateTask` can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) by modifying GPO settings, in this case modifying `<GPO_PATH>\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml`.(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases an adversary might modify specific user rights like `SeEnableDelegationPrivilege`, set in `<GPO_PATH>\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf`, to achieve a subtle AD backdoor with complete control of the domain, because the user account under the adversary's control would then be able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right) | Adversaries may modify the configuration settings of a domain to evade defenses and/or escalate privileges in domain environments. Domains provide a centralized means of managing how computer resources (ex: computers, user accounts) can act, and interact with each other, on a network. The policy of the domain also includes configuration settings that may apply between domains in a multi-domain/forest environment. Modifications to domain settings may include altering domain Group Policy Objects (GPOs) or changing trust settings for domains, including federation trusts. With sufficient permissions, adversaries can modify domain policy settings. Since domain configuration settings control many of the interactions within the Active Directory (AD) environment, there are a great number of potential attacks that can stem from this abuse. Examples of such abuse include modifying GPOs to push a malicious [Scheduled Task](https://attack.mitre.org/techniques/T1053/005) to computers throughout the domain environment(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) or modifying domain trusts to include an adversary controlled domain where they can control access tokens that will subsequently be accepted by victim domain resources.(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks) Adversaries can also change configuration settings within the AD environment to implement a [Rogue Domain Controller](https://attack.mitre.org/techniques/T1207). Adversaries may temporarily modify domain policy, carry out a malicious action(s), and then revert the change to remove suspicious indicators. |
external_references[1]['source_name'] | TechNet Group Policy Basics | ADSecurity GPO Persistence 2016 |
external_references[1]['description'] | srachui. (2012, February 13). Group Policy Basics – Part 1: Understanding the Structure of a Group Policy Object. Retrieved March 5, 2019. | Metcalf, S. (2016, March 14). Sneaky Active Directory Persistence #17: Group Policy. Retrieved March 5, 2019. |
external_references[1]['url'] | https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/ | https://adsecurity.org/?p=2716 |
external_references[2]['source_name'] | ADSecurity GPO Persistence 2016 | Wald0 Guide to GPOs |
external_references[2]['description'] | Metcalf, S. (2016, March 14). Sneaky Active Directory Persistence #17: Group Policy. Retrieved March 5, 2019. | Robbins, A. (2018, April 2). A Red Teamer’s Guide to GPOs and OUs. Retrieved March 5, 2019. |
external_references[2]['url'] | https://adsecurity.org/?p=2716 | https://wald0.com/?p=179 |
external_references[3]['source_name'] | Wald0 Guide to GPOs | Harmj0y Abusing GPO Permissions |
external_references[3]['description'] | Robbins, A. (2018, April 2). A Red Teamer’s Guide to GPOs and OUs. Retrieved March 5, 2019. | Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved March 5, 2019. |
external_references[3]['url'] | https://wald0.com/?p=179 | http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/ |
external_references[4]['source_name'] | Harmj0y Abusing GPO Permissions | Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks |
external_references[4]['description'] | Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved March 5, 2019. | MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020. |
external_references[4]['url'] | http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/ | https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/ |
external_references[5]['source_name'] | Mandiant M Trends 2016 | Microsoft - Azure Sentinel ADFSDomainTrustMods |
external_references[5]['description'] | Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved March 5, 2019. | Microsoft. (2020, December). Azure Sentinel Detections. Retrieved December 30, 2020. |
external_references[5]['url'] | https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml |
external_references[6]['source_name'] | Microsoft Hacking Team Breach | Microsoft 365 Defender Solorigate |
external_references[6]['description'] | Microsoft Secure Team. (2016, June 1). Hacking Team Breach: A Cyber Jurassic Park. Retrieved March 5, 2019. | Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. Retrieved January 7, 2021. |
external_references[6]['url'] | https://www.microsoft.com/security/blog/2016/06/01/hacking-team-breach-a-cyber-jurassic-park/ | https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/ |
external_references[7]['source_name'] | Harmj0y SeEnableDelegationPrivilege Right | Sygnia Golden SAML |
external_references[7]['description'] | Schroeder, W. (2017, January 10). The Most Dangerous User Right You (Probably) Have Never Heard Of. Retrieved March 5, 2019. | Sygnia. (2020, December). Detection and Hunting of Golden SAML Attack. Retrieved January 6, 2021. |
external_references[7]['url'] | http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/ | https://www.sygnia.co/golden-saml-advisory |
x_mitre_detection | It is possible to detect GPO modifications by monitoring directory service changes using Windows event logs. Several events may be logged for such GPO modifications, including: Event ID 5136 - A directory service object was modified; Event ID 5137 - A directory service object was created; Event ID 5138 - A directory service object was undeleted; Event ID 5139 - A directory service object was moved; Event ID 5141 - A directory service object was deleted. GPO abuse will often be accompanied by some other behavior such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), which will have events associated with it to detect. Subsequent permission value modifications, like those to `SeEnableDelegationPrivilege`, can also be searched for in events associated with privileges assigned to new logons (Event ID 4672) and assignment of user rights (Event ID 4704). | It may be possible to detect domain policy modifications using Windows event logs. Group policy modifications, for example, may be logged under a variety of Windows event IDs for modifying, creating, undeleting, moving, and deleting directory service objects (Event ID 5136, 5137, 5138, 5139, 5141 respectively). Monitor for modifications to domain trust settings, such as when a user or application modifies the federation settings on the domain or updates domain authentication from Managed to Federated via ActionTypes `Set federation settings on domain` and `Set domain authentication`.(Citation: Microsoft - Azure Sentinel ADFSDomainTrustMods)(Citation: Microsoft 365 Defender Solorigate) This may also include monitoring for Event ID 307, which can be correlated to the relevant Event ID 510 with the same Instance ID for change details.(Citation: Sygnia Golden SAML)(Citation: CISA SolarWinds Cloud Detection) Consider monitoring for commands/cmdlets and command-line arguments that may be leveraged to modify domain policy settings.(Citation: Microsoft - Update or Repair Federated domain) Some domain policy modifications, such as changes to federation settings, are likely to be rare.(Citation: Microsoft 365 Defender Solorigate) |
x_mitre_version | 1.1 | 2.0 |
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'CISA SolarWinds Cloud Detection', 'description': 'CISA. (2021, January 8). Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments. Retrieved January 8, 2021.', 'url': 'https://us-cert.cisa.gov/ncas/alerts/aa21-008a'} | |
external_references | {'source_name': 'Microsoft - Update or Repair Federated domain', 'description': 'Microsoft. (2020, September 14). Update or repair the settings of a federated domain in Office 365, Azure, or Intune. Retrieved December 30, 2020.', 'url': 'https://docs.microsoft.com/en-us/office365/troubleshoot/active-directory/update-federated-domain-office-365'} | |
x_mitre_data_sources | PowerShell logs | |
x_mitre_data_sources | Process command-line parameters | |
x_mitre_data_sources | Process monitoring | |
x_mitre_data_sources | Azure activity logs | |
x_mitre_platforms | Azure AD |
Current version: 2.1
Version changed from: 2.0 → 2.1
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-10-05 16:43:27.024000+00:00 | 2020-12-18 14:57:07.625000+00:00 |
description | Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. Adversaries may add credentials for Azure Service Principals in addition to existing legitimate credentials(Citation: Create Azure Service Principal) to victim Azure accounts.(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) Azure Service Principals support both password and certificate credentials.(Citation: Why AAD Service Principals) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules.(Citation: Demystifying Azure AD Service Principals) After gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the `CreateKeyPair` or `ImportKeyPair` API in AWS or the `gcloud compute os-login ssh-keys add` command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes) | Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. Adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals) In infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the `CreateKeyPair` or `ImportKeyPair` API in AWS or the `gcloud compute os-login ssh-keys add` command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes) |
external_references[1]['source_name'] | Create Azure Service Principal | Microsoft SolarWinds Customer Guidance |
external_references[1]['description'] | Microsoft. (2020, January 8). Create an Azure service principal with Azure CLI. Retrieved January 19, 2020. | MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 17, 2020. |
external_references[1]['url'] | https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli?toc=%2Fazure%2Fazure-resource-manager%2Ftoc.json&view=azure-cli-latest | https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/ |
external_references[4]['source_name'] | Why AAD Service Principals | Demystifying Azure AD Service Principals |
external_references[4]['description'] | Microsoft. (2019, September 23). Azure Superpowers Lab Manual. Retrieved January 19, 2020. | Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service Principals. Retrieved January 19, 2020. |
external_references[4]['url'] | https://github.com/microsoft/AzureSuperpowers/blob/master/docs/AzureSuperpowers.md#why-aad-service-principals | https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/ |
external_references[5]['source_name'] | Demystifying Azure AD Service Principals | GCP SSH Key Add |
external_references[5]['description'] | Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service Principals. Retrieved January 19, 2020. | Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved October 1, 2020. |
external_references[5]['url'] | https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/ | https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add |
external_references[6]['source_name'] | GCP SSH Key Add | Expel IO Evil in AWS |
external_references[6]['description'] | Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved October 1, 2020. | A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020. |
external_references[6]['url'] | https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add | https://expel.io/blog/finding-evil-in-aws/ |
external_references[7]['source_name'] | Expel IO Evil in AWS | Expel Behind the Scenes |
external_references[7]['description'] | A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020. | S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020, July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved October 1, 2020. |
external_references[7]['url'] | https://expel.io/blog/finding-evil-in-aws/ | https://expel.io/blog/behind-the-scenes-expel-soc-alert-aws/ |
x_mitre_detection | Monitor Azure Activity Logs for service principal modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account. Monitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity. | Monitor Azure Activity Logs for Service Principal and Application modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account. Monitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity. |
x_mitre_version | 2.0 | 2.1 |
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'Expel Behind the Scenes', 'description': 'S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020, July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved October 1, 2020.', 'url': 'https://expel.io/blog/behind-the-scenes-expel-soc-alert-aws/'} |
Current version: 1.0
Description: [AdFind](https://attack.mitre.org/software/S0552) is a free command-line query tool that can be used for gathering information from Active Directory.(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: FireEye FIN6 Apr 2019)(Citation: FireEye Ryuk and Trickbot January 2019)
Current version: 1.0
Description: [BloodHound](https://attack.mitre.org/software/S0521) is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.(Citation: GitHub Bloodhound)(Citation: CrowdStrike BloodHound April 2018)(Citation: FoxIT Wocao December 2019)
Current version: 1.0
Description: [Raindrop](https://attack.mitre.org/software/S0565) is a loader used by [UNC2452](https://attack.mitre.org/groups/G0118) that was discovered on some victim machines during investigations related to the 2020 SolarWinds cyber intrusion. It was discovered in January 2021 and was likely used since at least May 2020.(Citation: Symantec RAINDROP January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)
Current version: 1.0
Description: [Sunburst](https://attack.mitre.org/software/S0559) is a trojanized DLL designed to fit within the SolarWinds Orion software update framework. It was used by [UNC2452](https://attack.mitre.org/groups/G0118) since at least February 2020.(Citation: SolarWinds Sunburst Sunspot Update January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)
Current version: 1.0
Description: [Sunspot](https://attack.mitre.org/software/S0562) is an implant that injected the [Sunburst](https://attack.mitre.org/software/S0559) backdoor into the SolarWinds Orion software update framework. It was used by [UNC2452](https://attack.mitre.org/groups/G0118) since at least February 2020.(Citation: CrowdStrike SUNSPOT Implant January 2021)
Current version: 1.0
Description: [Teardrop](https://attack.mitre.org/software/S0560) is a memory-only dropper that was discovered on some victim machines during investigations related to the 2020 SolarWinds cyber intrusion. It was likely used by [UNC2452](https://attack.mitre.org/groups/G0118) since at least May 2020.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Microsoft Deep Dive Solorigate January 2021)
Current version: 1.0
Description: [UNC2452](https://attack.mitre.org/groups/G0118) is a suspected Russian state-sponsored threat group responsible for the 2020 SolarWinds software supply chain intrusion.(Citation: FireEye SUNBURST Backdoor December 2020) Victims of this campaign include government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East.(Citation: FireEye SUNBURST Backdoor December 2020) The group also compromised at least one think tank by late 2019.(Citation: Volexity SolarWinds)