Create Account: Облачная учетная запись
Other sub-techniques of Create Account (3)
Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users) Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.
Примеры процедур |
|
| Название | Описание |
|---|---|
| APT29 |
APT29 can create new users through Azure AD.(Citation: MSTIC Nobelium Oct 2021) |
| LAPSUS$ |
LAPSUS$ has created global admin accounts in the targeted organization's cloud instances to gain persistence.(Citation: MSTIC DEV-0537 Mar 2022) |
| AADInternals |
AADInternals can create new Azure AD users.(Citation: AADInternals Documentation) |
Контрмеры |
|
| Контрмера | Описание |
|---|---|
| Network Segmentation |
Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. |
| Multi-factor Authentication |
Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator. |
| Privileged Account Management |
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root. |
Обнаружение
Collect usage logs from cloud user and administrator accounts to identify unusual activity in the creation of new accounts and assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins.
Ссылки
- Microsoft. (n.d.). Add Another Admin. Retrieved October 18, 2019.
- Microsoft. (2019, November 11). Add or delete users using Azure Active Directory. Retrieved January 30, 2020.
- Google. (n.d.). Create Cloud Identity user accounts. Retrieved January 29, 2020.
- AWS. (n.d.). Creating an IAM User in Your AWS Account. Retrieved January 29, 2020.
- Ako-Adjei, K., Dickhaus, M., Baumgartner, P., Faigel, D., et. al.. (2019, October 8). About admin roles. Retrieved October 18, 2019.
- MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.
- Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022.
- Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 18, 2022.
Связанные риски
| Риск | Связи | |
|---|---|---|
|
Закрепление злоумышленника в ОС из-за
возможности создания учетной записи в ОС Windows
Повышение привилегий
НСД
|
|
|
|
Закрепление злоумышленника в ОС из-за
возможности создания учетной записи в ОС Linux
Повышение привилегий
НСД
|
1
|
|
|
Закрепление злоумышленника в домене из-за
возможности создания учетной записи в доменных службах Active Directory
Повышение привилегий
Целостность
НСД
|
|
|
|
Закрепление злоумышленника в облачной инфраструктуре из-за
возможности создания учетной записи в облачном сервисе
НСД
|
|
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.