Account Manipulation: Adding an Office 365 Global Administrator Role
An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).(Citation: Expel AWS Attacker)(Citation: Microsoft O365 Admin Roles)
This account modification may immediately follow Create Account or other malicious account activity. Adversaries may also modify existing Valid Accounts that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.
For example, in AWS environments, an adversary with appropriate permissions may be able to use the CreatePolicyVersion API to define a new version of an IAM policy or the AttachUserPolicy API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation)
In some cases, adversaries may add roles to adversary-controlled accounts outside the victim cloud tenant. This allows these external accounts to perform actions inside the victim tenant without requiring the adversary to Create Account or modify a victim-owned account.(Citation: Invictus IR DangerDev 2024)
Procedure Examples

Name | Description
---|---
C0027 | During C0027, Scattered Spider used IAM manipulation to gain persistence and to assume or elevate privileges.(Citation: Crowdstrike TELCO BPO Campaign December 2022)
SolarWinds Compromise | During the SolarWinds Compromise, APT29 granted `company administrator` privileges to a newly created service principal.(Citation: CrowdStrike StellarParticle January 2022)
Scattered Spider | During C0027, Scattered Spider used IAM manipulation to gain persistence and to assume or elevate privileges.(Citation: Crowdstrike TELCO BPO Campaign December 2022) Scattered Spider has also assigned user access admin roles in order to gain Tenant Root Group management permissions in Azure.(Citation: MSTIC Octo Tempest Operations October 2023)
LAPSUS$ | LAPSUS$ has added the global admin role to accounts they have created in the targeted organization's cloud instances.(Citation: MSTIC DEV-0537 Mar 2022)
APT29 | APT29 has granted `company administrator` privileges to a newly created service principal.(Citation: CrowdStrike StellarParticle January 2022)
Mitigations

Mitigation | Description
---|---
Privileged Account Management | Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.
Multi-factor Authentication | Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.
User Account Management | Manage the creation, modification, use, and permissions associated to user accounts.
Detection
Collect activity logs from IAM services and cloud administrator accounts to identify unusual activity in the assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins.
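The detection idea above, and the AWS CreatePolicyVersion / AttachUserPolicy calls named earlier, as an added example that is not part of the ATT&CK page: it scans constructed, simplified log records (field names loosely follow AWS CloudTrail and the Microsoft 365 unified audit log, but are assumptions, not a full schema) for policy attachment and Global Administrator role assignment, and raises an alert when the admin count passes a known baseline.

```python
# Added example: detect cloud role/policy assignments and an admin-count threshold breach.
# Log records below are constructed samples; real CloudTrail / M365 audit records carry more fields.

# CloudTrail API names the page identifies as IAM policy manipulation vectors.
AWS_WATCH = {"AttachUserPolicy", "CreatePolicyVersion"}

SAMPLE_EVENTS = [  # constructed sample log lines
    {"source": "aws", "eventName": "AttachUserPolicy", "userIdentity": {"userName": "dev-ci"},
     "requestParameters": {"userName": "dev-ci", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"source": "aws", "eventName": "CreatePolicyVersion", "userIdentity": {"userName": "dev-ci"},
     "requestParameters": {"policyArn": "arn:aws:iam::111122223333:policy/app", "setAsDefault": True}},
    {"source": "aws", "eventName": "ListBuckets", "userIdentity": {"userName": "analyst"}, "requestParameters": None},
    {"source": "m365", "Operation": "Add member to role.", "UserId": "admin@example.com",
     "ObjectId": "svc-backup@example.com",
     "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Global Administrator"}]},
    {"source": "m365", "Operation": "Add member to role.", "UserId": "admin@example.com",
     "ObjectId": "helpdesk@example.com",
     "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Helpdesk Administrator"}]},
]

def is_aws_privilege_change(ev):
    """True for a watched IAM call that changes effective permissions."""
    if ev.get("source") != "aws" or ev.get("eventName") not in AWS_WATCH:
        return False
    params = ev.get("requestParameters") or {}
    # A new policy version only changes effective permissions once it becomes the default.
    if ev["eventName"] == "CreatePolicyVersion":
        return bool(params.get("setAsDefault"))
    return True

def m365_role_added(ev):
    """Return the directory role name if the event adds a member to a role, else None."""
    if ev.get("source") != "m365" or ev.get("Operation") != "Add member to role.":
        return None
    for prop in ev.get("ModifiedProperties", []):
        if prop.get("Name") == "Role.DisplayName":
            return prop.get("NewValue")
    return None

def find_alerts(events, known_global_admins, max_admins):
    """Walk the events in order; return (kind, actor/count, detail) tuples."""
    alerts, admins = [], set(known_global_admins)
    for ev in events:
        if is_aws_privilege_change(ev):
            alerts.append(("aws_policy_change", ev["userIdentity"]["userName"], ev["eventName"]))
        if m365_role_added(ev) == "Global Administrator":
            admins.add(ev["ObjectId"])
            if ev["ObjectId"] not in known_global_admins:
                alerts.append(("new_global_admin", ev["UserId"], ev["ObjectId"]))
            if len(admins) > max_admins:  # more admins than the known baseline allows
                alerts.append(("admin_threshold_exceeded", len(admins), max_admins))
    return alerts
```

Run with `find_alerts(SAMPLE_EVENTS, {"admin@example.com", "ga2@example.com"}, 2)` to see both AWS calls, the new Global Administrator and the threshold breach reported in order.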
References
- CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
- Spencer Gietzen. (n.d.). AWS IAM Privilege Escalation – Methods and Mitigation. Retrieved May 27, 2022.
- Microsoft. (n.d.). Add Another Admin. Retrieved October 18, 2019.
- Invictus Incident Response. (2024, January 31). The curious case of DangerDev@protonmail.me. Retrieved March 19, 2024.
- Google Cloud. (2022, March 31). Understanding policies. Retrieved April 1, 2022.
- AWS. (n.d.). Policies and permissions in IAM. Retrieved April 1, 2022.
- Ako-Adjei, K., Dickhaus, M., Baumgartner, P., Faigel, D., et al. (2019, October 8). About admin roles. Retrieved October 18, 2019.
- Brian Bahtiarian, David Blanton, Britton Manahan and Kyle Pellett. (2022, April 5). Incident report: From CLI to console, chasing an attacker in AWS. Retrieved April 7, 2022.
- Microsoft. (2023, January 30). Approve or deny requests for Azure AD roles in Privileged Identity Management. Retrieved February 21, 2023.
- Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.
- Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Retrieved March 18, 2024.
- MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.