Description
Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be reached through command line interpreters (CLIs), in-browser cloud shells, PowerShell modules such as Azure PowerShell (Citation: Microsoft - Azure PowerShell), or software development kits (SDKs) available for languages such as Python.
Cloud API functionality may allow for administrative access across all major services in a tenant such as compute, storage, identity and access management (IAM), networking, and security policies.
With sufficient permissions (often obtained through stolen credentials such as an Application Access Token or a Web Session Cookie), adversaries may invoke cloud API functions that carry out malicious actions. For example, CLI and PowerShell functionality may be reached through binaries installed on cloud-hosted or on-premises hosts, or through the browser-based cloud shell offered by the major platforms (AWS, Azure, and GCP). These cloud shells are typically a packaged, unified environment for the provider's CLI and/or scripting modules, hosted as a container inside the cloud environment, so the adversary needs no tooling on an endpoint and the resulting API calls originate from the provider's own address space.
Platforms
Mitigations (2)
Execution Prevention (M1038)
Use application control where appropriate to block the use of PowerShell cmdlets, cloud CLI binaries, or other host-based tooling that can reach cloud API resources from hosts that have no business need for them.
Privileged Account Management (M1026)
Use proper Identity and Access Management (IAM) with role-based access control (RBAC) policies to limit the actions administrators can perform, and retain a history of administrative actions so that unauthorized use and abuse can be detected.
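The least-privilege point above is easiest to see against a concrete policy. The following is an added example for this page, not ATT&CK's, AWS's or any vendor's code: it lints AWS IAM-style policy documents for the statement shapes that turn any stolen key into an administrative one (wildcard actions, write-capable actions on every resource, `NotAction` allows, and unconditioned identity actions). Both policies, the bucket name `example-reports-bucket`, and the `policy_findings` helper are constructed for illustration; the read-only verb list is a heuristic, not an authoritative one.

```python
"""Lint an AWS IAM-style policy document for statements too broad to be
least privilege. Added example, not code from ATT&CK or AWS; the policies
and the bucket name are constructed for illustration."""
import json

# Constructed: the policy that makes any compromised key an admin key.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed: the same workload scoped to the one bucket and the two
# actions it needs, with MFA required on the write path.
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-reports-bucket/*"},
        {"Effect": "Allow",
         "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::example-reports-bucket/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
})

# Heuristic: API verbs that only read state. Anything else is treated as
# write-capable when granted on Resource "*".
READ_ONLY_VERB_PREFIXES = ("Get", "List", "Describe")


def _as_list(value):
    """IAM allows a string, a list, or (for Statement) a single object."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def _is_read_only(action: str) -> bool:
    verb = action.split(":", 1)[-1]
    return verb.startswith(READ_ONLY_VERB_PREFIXES)


def policy_findings(policy_json: str) -> list:
    """Return human-readable findings for every over-broad Allow statement.
    An empty list means nothing in the document tripped the checks."""
    findings = []
    doc = json.loads(policy_json)
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        tag = f"statement {idx}"
        if "NotAction" in stmt:
            findings.append(f"{tag}: Allow with NotAction grants every action not listed")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        has_condition = bool(stmt.get("Condition"))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{tag}: wildcard action {action!r}")
            service = action.split(":", 1)[0]
            if service in ("iam", "sts") and not has_condition:
                findings.append(f"{tag}: identity action {action!r} without a Condition")
        if "*" in resources and any(not _is_read_only(a) for a in actions):
            findings.append(f"{tag}: write-capable actions allowed on Resource '*'")
    return findings


if __name__ == "__main__":
    for label, pol in (("broad", OVERLY_BROAD_POLICY), ("scoped", LEAST_PRIVILEGE_POLICY)):
        print(label, policy_findings(pol) or "no findings")
```

Run it against the two constructed policies and the broad one yields two findings (a wildcard action and write-capable access on every resource) while the scoped one yields none; feeding it the policies attached to your own CI or automation principals is the realistic use.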
Threat Groups (3)
| ID | Group | Context |
|---|---|---|
| G1053 | Storm-0501 | [Storm-0501](https://attack.mitre.org/groups/G1053) has leveraged Cloud CLI to execute commands and exfiltrate data from compromised environments.(Cit... |
| G0139 | TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has leveraged AWS CLI to enumerate cloud environments with compromised credentials.(Citation: Talos T... |
| G0016 | APT29 | [APT29](https://attack.mitre.org/groups/G0016) has leveraged the Microsoft Graph API to perform various actions across Azure and M365 environments. Th... |
Associated Software (2)
| ID | Name | Type | Context |
|---|---|---|---|
| S9009 | TruffleHog | Tool | [TruffleHog](https://attack.mitre.org/software/S9009) has leveraged Cloud CLI in order to enumerate and gather credentials.(Citation: Github TruffleSe... |
| S1091 | Pacu | Tool | [Pacu](https://attack.mitre.org/software/S1091) leverages the AWS CLI for its operations.(Citation: GitHub Pacu) |
Related CWE Weaknesses
References
Frequently Asked Questions
What is T1059.009 (Cloud API)?
T1059.009 is a MITRE ATT&CK technique named 'Cloud API'. It belongs to the Execution tactic(s). Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all...
How can T1059.009 be detected?
Detection of T1059.009 (Cloud API) relies primarily on the cloud provider's own audit logs (for example AWS CloudTrail, the Azure Activity Log and Microsoft Entra sign-in logs, and Google Cloud Audit Logs), which record which principal called which API, from which source address, and with which user agent. Look for API calls from unexpected IP addresses or user agents, bursts of enumeration calls across many services, high-impact IAM changes, cloud shell sessions started by accounts that never used them, and access keys or tokens used outside their normal workload. On hosts, monitor process creation for cloud CLI binaries and PowerShell cloud modules launched by unexpected users, and feed both sources into SIEM rules and behavioral analytics.
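The abuse pattern in the Description (a stolen key validated, then used from the CLI or a cloud shell for enumeration and persistence) and the audit-log detections described above can be exercised against log records directly. The following is an added example for this page, not ATT&CK's, AWS's or any vendor's detection logic. It reads CloudTrail-style JSON records, groups them by access key, and flags key validation via `sts:GetCallerIdentity`, persistence-grade IAM calls, enumeration bursts across several services inside a short window, and calls issued from AWS CloudShell. The sample records, key IDs, IP address, and the `ENUM_MIN_SERVICES` and `ENUM_WINDOW` thresholds are constructed; the `exec-env/CloudShell` user-agent marker is an assumption to confirm against your own logs.

```python
"""Flag abusive cloud-API activity in CloudTrail-style records.
Added example for this page, not ATT&CK or AWS code; the events below are
constructed and the thresholds are assumptions, not vendor defaults."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

CLI_UA = "aws-cli/2.15.0 Python/3.11.6 Linux/6.1 exe/x86_64"
# Assumption: the CLI inside AWS CloudShell tags its user agent this way.
SHELL_UA = CLI_UA + " exec-env/CloudShell"

# API calls that create or extend access, or blind the audit trail.
SENSITIVE_EVENTS = {
    "CreateAccessKey", "CreateUser", "CreateLoginProfile", "AttachUserPolicy",
    "PutUserPolicy", "UpdateAssumeRolePolicy", "StopLogging", "DeleteTrail",
}
ENUM_PREFIXES = ("List", "Describe", "Get")
ENUM_MIN_SERVICES = 3            # assumed threshold: distinct services enumerated
ENUM_WINDOW = timedelta(minutes=5)  # assumed threshold: within this window


def _ev(time, service, name, key, ua=CLI_UA, ip="203.0.113.7"):
    """Build one constructed CloudTrail-shaped record as a JSON line."""
    return json.dumps({
        "eventTime": time, "eventSource": f"{service}.amazonaws.com",
        "eventName": name, "sourceIPAddress": ip, "userAgent": ua,
        "userIdentity": {"type": "IAMUser", "accessKeyId": key},
    })


K1, K2 = "AKIAEXAMPLE000000001", "ASIAEXAMPLE000000002"
# Constructed sample: K1 is a leaked long-term key that is validated, used to
# enumerate four services, then used to mint a second key. K2 is a normal
# CloudShell session doing one read.
SAMPLE_EVENTS = [
    _ev("2024-05-01T10:00:00Z", "sts", "GetCallerIdentity", K1),
    _ev("2024-05-01T10:00:10Z", "s3", "ListBuckets", K1),
    _ev("2024-05-01T10:00:20Z", "iam", "ListUsers", K1),
    _ev("2024-05-01T10:00:30Z", "ec2", "DescribeInstances", K1),
    _ev("2024-05-01T10:00:40Z", "secretsmanager", "ListSecrets", K1),
    _ev("2024-05-01T10:02:00Z", "iam", "CreateAccessKey", K1),
    _ev("2024-05-01T11:00:00Z", "s3", "GetObject", K2, ua=SHELL_UA, ip="198.51.100.9"),
]


def parse_events(lines):
    return [json.loads(line) for line in lines if line.strip()]


def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def analyze(events):
    """Return {accessKeyId: [alert, ...]} for every key with at least one alert."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[ev["userIdentity"].get("accessKeyId", "<none>")].append(ev)

    alerts = {}
    for key, evs in by_key.items():
        evs.sort(key=_ts)
        found = []
        for ev in evs:
            name, service = ev["eventName"], ev["eventSource"].split(".")[0]
            if service == "sts" and name == "GetCallerIdentity":
                found.append("key validated via sts:GetCallerIdentity")
            if name in SENSITIVE_EVENTS:
                found.append(f"high: {service}:{name} from {ev['sourceIPAddress']}")
            if "exec-env/CloudShell" in ev.get("userAgent", ""):
                found.append("note: call issued from AWS CloudShell")
        # Sliding window: distinct services hit with read/enumerate calls.
        for i, first in enumerate(evs):
            services = set()
            for later in evs[i:]:
                if _ts(later) - _ts(first) > ENUM_WINDOW:
                    break
                n = later["eventName"]
                if n.startswith(ENUM_PREFIXES) and n != "GetCallerIdentity":
                    services.add(later["eventSource"])
            if len(services) >= ENUM_MIN_SERVICES:
                minutes = int(ENUM_WINDOW.total_seconds() // 60)
                found.append(f"enumeration burst across {len(services)} services within {minutes} min")
                break
        if found:
            alerts[key] = list(dict.fromkeys(found))  # dedupe, keep order
    return alerts


if __name__ == "__main__":
    for key, items in analyze(parse_events(SAMPLE_EVENTS)).items():
        print(key, items)
```

On the constructed sample, K1 trips all three CLI-abuse signals (validation, enumeration burst, `iam:CreateAccessKey`) while K2 only gets the CloudShell note, which is the right severity split: cloud shell use alone is normal for many admins, so it should enrich other alerts rather than page on its own.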
What mitigations exist for T1059.009?
There are 2 documented mitigations for T1059.009. Key mitigations include: Execution Prevention, Privileged Account Management.
Which threat groups use T1059.009?
Known threat groups using T1059.009 include: Storm-0501, TeamTNT, APT29.