Account Manipulation: Additional Cloud Credentials

Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.

For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.[1][2][3] These credentials include both x509 keys and passwords.[1] With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.[4]

In infrastructure-as-a-service (IaaS) environments, after gaining access through Cloud Accounts, adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.[5] This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.[6][7]

Adversaries may also use the CreateAccessKey API in AWS or the gcloud iam service-accounts keys create command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. Cloud Accounts).[8][9] For example, in Azure AD environments, an adversary with the Application Administrator role can add a new set of credentials to their application's service principal. In doing so the adversary would be able to access the service principal’s roles and permissions, which may be different from those of the Application Administrator.[10]

In AWS environments, adversaries with the appropriate permissions may also use the sts:GetFederationToken API call to create a temporary set of credentials tied to the permissions of the original user account. These credentials may remain valid for the duration of their lifetime even if the original account’s API credentials are deactivated.[11]

ID: T1098.001
Sub-technique of:  T1098
Platforms: Azure AD, IaaS, SaaS
Contributors: Alex Soler, AttackIQ; Arad Inbar, Fidelis Security; Dylan Silva, AWS Security; Expel; Jannie Li, Microsoft Threat Intelligence Center (MSTIC); Oleg Kolesnikov, Securonix; Zur Ulianitzky, XM Cyber
Version: 2.6
Created: 19 January 2020
Last Modified: 03 October 2023

Procedure Examples

ID Name Description
C0027 C0027

During C0027, Scattered Spider used aws_consoler to create temporary federated credentials for fake users in order to obfuscate which AWS credential is compromised and enable pivoting from the AWS CLI to console sessions without MFA.[12]

S1091 Pacu

Pacu can generate SSH and API keys for AWS infrastructure and additional API keys for other IAM users.[13]

C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 added credentials to OAuth Applications and Service Principals.[14][15]

Mitigations

ID Mitigation Description
M1032 Multi-factor Authentication

Use multi-factor authentication for user and privileged accounts. Consider enforcing multi-factor authentication for the CreateKeyPair and ImportKeyPair API calls through IAM policies.[6]

M1030 Network Segmentation

Configure access controls and firewalls to limit access to critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems.

M1026 Privileged Account Management

Do not allow domain administrator or root accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.

M1018 User Account Management

Ensure that low-privileged user accounts do not have permission to add access keys to accounts. In AWS environments, prohibit users from calling the sts:GetFederationToken API unless explicitly required.[11]

Detection

ID Data Source Data Component Detects
DS0002 User Account User Account Modification

Monitor for unexpected changes to cloud user accounts, such as Azure Activity Logs highlighting malicious Service Principal and Application modifications.

Monitor for the use of API and CLI commands that add access keys or tokens to accounts, such as CreateAccessKey or GetFederationToken in AWS or service-accounts keys create in GCP. Also monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.

References