T1098.003: Additional Cloud Roles
An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments. With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).
This account modification may immediately follow Create Account or other malicious account activity. Adversaries may also modify existing Valid Accounts that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.
For example, in AWS environments, an adversary with appropriate permissions may be able to use the CreatePolicyVersion
API to define a new version of an IAM policy or the AttachUserPolicy
API to attach an IAM policy with additional or distinct permissions to a compromised user account.
In some cases, adversaries may add roles to adversary-controlled accounts outside the victim cloud tenant. This allows these external accounts to perform actions inside the victim tenant without requiring the adversary to Create Account or modify a victim-owned account.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
yandex_cloud: PT-CR-1249: Yandex_Cloud_Admin_Role_Assign: A user assigned administrative access rights to a folder or cloud
yandex_cloud: PT-CR-1250: Yandex_Cloud_Cluster_Admin_Role_Assign: Rights are granted to a user
yandex_cloud: PT-CR-1262: Yandex_Cloud_Membership_Manage_Role_Assign: A user assigned rights to manage membership in IAM groups
yandex_cloud: PT-CR-1266: Yandex_Cloud_Security_Group_Manipulation: A user performed actions on a security group
Detection
ID | DS0002 | Data source and component | User Account: User Account Modification | Description | Collect usage logs from cloud administrator accounts to identify unusual activity in the assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins. Monitor for updates to IAM policies and roles attached to user accounts. |
---|
Mitigation
ID | M1026 | Name | Privileged Account Management | Description | Ensure that all accounts use the least privileges they require. In Azure AD environments, consider using Privileged Identity Management (PIM) to define roles that require two or more approvals before assignment to users. |
---|
ID | M1032 | Name | Multi-factor Authentication | Description | Use multi-factor authentication for user and privileged accounts. |
---|
ID | M1018 | Name | User Account Management | Description | Ensure that low-privileged user accounts do not have permissions to add permissions to accounts or update IAM policies. |
---|