Account Manipulation: Additional Cloud Credentials

Sub-techniques (ID: Name)
VT0011.001: Additional Cloud Credentials
VT0011.002: SSH Authorized Keys

Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.

After gaining access through Cloud Accounts, adversaries may generate or import their own SSH keys, for instance by using the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.[1] This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.[2][3][4]

Procedure Examples

Name: UNC2452
Description: UNC2452 added credentials to OAuth Applications and Service Principals.[5]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Monitor Azure Activity Logs for service principal modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.

Monitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity.
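As an added illustration of the CloudTrail detection described above (example code, not part of this technique page), the following Python filters constructed CloudTrail-style records for CreateKeyPair and ImportKeyPair calls made by the root account or by any principal outside a hypothetical allow-list of expected key managers. The record field names follow the CloudTrail event format; the allow-list, account ID, user names and IP addresses are constructed sample values.

```python
import json
from typing import Dict, Iterable, List, Optional

# Constructed sample CloudTrail records (not real telemetry), trimmed to the
# fields the detection needs. Field names follow the CloudTrail record format.
SAMPLE_EVENTS = [
    {"eventTime": "2020-12-20T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ImportKeyPair", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventTime": "2020-12-20T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateKeyPair", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "build-pipeline"}},
    {"eventTime": "2020-12-20T10:09:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateKeyPair", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "contractor-tmp"}},
    {"eventTime": "2020-12-20T10:12:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeKeyPairs", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "contractor-tmp"}},
]

# EC2 API calls that create or import SSH key material for instances.
KEY_MATERIAL_EVENTS = {"CreateKeyPair", "ImportKeyPair"}

# Hypothetical allow-list of principals expected to manage key pairs
# (e.g. provisioning automation). Any other principal is "unexpected".
EXPECTED_KEY_MANAGERS = {"build-pipeline"}


def classify(event: Dict) -> Optional[str]:
    """Return an alert reason for one CloudTrail record, or None if benign."""
    if event.get("eventSource") != "ec2.amazonaws.com":
        return None
    if event.get("eventName") not in KEY_MATERIAL_EVENTS:
        return None
    identity = event.get("userIdentity", {})
    if identity.get("type") == "Root":  # root should never manage key pairs
        return "root account created or imported an SSH key pair"
    who = identity.get("userName") or identity.get("arn", "<unknown>")
    if who not in EXPECTED_KEY_MANAGERS:
        return f"unexpected principal {who} created or imported an SSH key pair"
    return None


def find_key_pair_alerts(events: Iterable[Dict]) -> List[Dict]:
    """Run classify() over records; return alerts with context for triage."""
    alerts = []
    for ev in events:
        reason = classify(ev)
        if reason:
            alerts.append({"time": ev.get("eventTime"), "event": ev["eventName"],
                           "source_ip": ev.get("sourceIPAddress"), "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in find_key_pair_alerts(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

The same shape applies to GCP audit logs for os-login key additions and to Azure activity logs for service principal credential changes; only the event names and identity fields differ.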

ID: VT0011.001
Sub-techniques:
Tactic: Persistence
Platforms: AWS, Azure, Azure AD, GCP
Permissions Required: Administrator, User
Data Sources: AWS CloudTrail logs, Azure activity logs, GCP audit logs, Stackdriver logs
Version: 2.0

Created: 20 December 2020

Last Modified: 21 December 2020