Persistence · Privilege Escalation

T1098.003: Additional Cloud Roles

T1098.003 · Sub-technique · 4 platforms · 3 groups

Description

An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).(Citation: Expel AWS Attacker)(Citation: Microsoft O365 Admin Roles)

This account modification may immediately follow Create Account or other malicious account activity. Adversaries may also modify existing Valid Accounts that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.

For example, in AWS environments, an adversary with appropriate permissions may be able to use the CreatePolicyVersion API to define a new version of an IAM policy or the AttachUserPolicy API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation)

In some cases, adversaries may add roles to adversary-controlled accounts outside the victim cloud tenant. This allows these external accounts to perform actions inside the victim tenant without requiring the adversary to Create Account or modify a victim-owned account.(Citation: Invictus IR DangerDev 2024)

Platforms

IaaS, Identity Provider, Office Suite, SaaS

Mitigations (3)

M1026: Privileged Account Management

Ensure that all accounts use the least privileges they require. In Azure AD environments, consider using Privileged Identity Management (PIM) to define roles that require two or more approvals before assignment to users.(Citation: Microsoft Requests for Azure AD Roles in Privileged Identity Management)

M1032: Multi-factor Authentication

Use multi-factor authentication for user and privileged accounts.

M1018: User Account Management

Ensure that low-privileged user accounts do not have permissions to add permissions to accounts or update IAM policies.
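One way to check the M1018 guidance above in practice is to audit the IAM policy documents attached to low-privileged principals for actions that let their holder add permissions to an account or rewrite an existing policy. The following is an added example written for this page, not code from MITRE ATT&CK or from AWS. The two actions named in the technique description (iam:CreatePolicyVersion and iam:AttachUserPolicy) are on the page; the other entries in the watch list, the sample policy documents and the account ID are this example's own assumptions.

```python
"""Audit IAM policy documents for the ability to grant permissions (M1018 check).

Added example; not code from the ATT&CK page. The policy documents are constructed.
"""
import fnmatch
import json

# IAM actions that let a principal add permissions to an account or change an
# existing policy. iam:CreatePolicyVersion and iam:AttachUserPolicy are named in
# the technique description; the remaining entries are this example's own list.
PERMISSION_GRANTING_ACTIONS = [
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:AttachGroupPolicy",
    "iam:PutUserPolicy", "iam:PutRolePolicy", "iam:PutGroupPolicy",
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy",
]


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, action):
    """IAM action patterns are case-insensitive and accept '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def granting_actions(policy):
    """Map each permission-granting action the policy allows to the statements allowing it.

    Only Allow statements are examined and Resource/Condition are ignored, so a hit
    means 'review this policy', not proof that the action would succeed: an explicit
    Deny elsewhere, or a narrow Resource, may still block it.
    """
    doc = json.loads(policy) if isinstance(policy, str) else policy
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    found = {}
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        label = stmt.get("Sid") or f"Statement[{idx}]"
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed patterns.
            excluded = _as_list(stmt["NotAction"])
            granted = [a for a in PERMISSION_GRANTING_ACTIONS
                       if not any(_matches(p, a) for p in excluded)]
        else:
            patterns = _as_list(stmt.get("Action"))
            granted = [a for a in PERMISSION_GRANTING_ACTIONS
                       if any(_matches(p, a) for p in patterns)]
        for action in granted:
            found.setdefault(action, []).append(label)
    return found


def audit(policies):
    """Return {policy name: findings} for every policy that allows a granting action."""
    results = {}
    for name, doc in policies.items():
        hits = granting_actions(doc)
        if hits:
            results[name] = hits
    return results


# Constructed sample policies: one clean, three that should be flagged.
SAMPLE_POLICIES = {
    "ReadOnlyDeveloper": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "iam:GetUser", "iam:ListUsers"],
         "Resource": "*"}]},
    "SelfServiceKeys": {"Version": "2012-10-17", "Statement": [
        {"Sid": "ManageOwnKeys", "Effect": "Allow",
         "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey"],
         "Resource": "arn:aws:iam::123456789012:user/${aws:username}"},
        {"Sid": "AttachAny", "Effect": "Allow", "Action": "iam:Attach*", "Resource": "*"}]},
    "BreakGlassAdmin": {"Version": "2012-10-17", "Statement": {
        "Effect": "Allow", "Action": "*", "Resource": "*"}},
    "NotActionTrap": {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllButDelete", "Effect": "Allow", "NotAction": "iam:Delete*", "Resource": "*"}]},
}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_POLICIES), indent=2))
```

The wildcard and NotAction handling is the part worth noting: a policy that never spells out iam:AttachUserPolicy can still grant it through `iam:Attach*`, `*`, or an Allow statement whose NotAction list does not exclude it, so a plain string search for the action name misses exactly the policies that matter.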

Threat Groups (3)

ID | Group | Context
G1015 | Scattered Spider | [Scattered Spider](https://attack.mitre.org/groups/G1015) has assigned user access admin roles in order to gain Tenant Root Group management permissio...
G1004 | LAPSUS$ | [LAPSUS$](https://attack.mitre.org/groups/G1004) has added the global admin role to accounts they have created in the targeted organization's cloud in...
G1053 | Storm-0501 | [Storm-0501](https://attack.mitre.org/groups/G1053) has elevated their access to Azure resources using `Microsoft.Authorization/elevateAccess/action` ...

Frequently Asked Questions

What is T1098.003 (Additional Cloud Roles)?

T1098.003 is a MITRE ATT&CK sub-technique named 'Additional Cloud Roles'. It belongs to the Persistence and Privilege Escalation tactics. An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based...

How can T1098.003 be detected?

Detection of T1098.003 (Additional Cloud Roles) typically involves monitoring system logs, network traffic, and endpoint telemetry; for this technique the most useful source is the cloud provider's audit log, where the role and policy changes described above appear (for example the CreatePolicyVersion and AttachUserPolicy API calls in AWS, or the addition of a global administrator in Office 365). Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique, such as a change that targets the calling account itself, grants administrative permissions, or names a principal outside the tenant.
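The following is an added detection example for this FAQ answer and for the AWS behaviour in the description (CreatePolicyVersion, AttachUserPolicy, and roles extended to accounts outside the victim tenant); it is not code from MITRE ATT&CK or from AWS. It runs over CloudTrail-shaped records and uses the standard CloudTrail field names (eventName, eventSource, userIdentity, requestParameters, recipientAccountId, errorCode). The event records, the account ID, the approved automation principal, and the IAM event names beyond the two on the page are constructed assumptions.

```python
"""Flag IAM permission changes in CloudTrail records (T1098.003 detection).

Added example; not code from the ATT&CK page. The event records are constructed
and use the standard CloudTrail field names (eventName, userIdentity, ...).
"""
import json

# IAM calls that add to or alter a principal's permissions. CreatePolicyVersion and
# AttachUserPolicy come from the technique description; the rest are this
# example's own additions with the same effect.
PERMISSION_CHANGE_EVENTS = {
    "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
    "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
    "CreatePolicyVersion", "SetDefaultPolicyVersion",
    "AddUserToGroup", "UpdateAssumeRolePolicy",
}
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
# Principals expected to change IAM (constructed: an infrastructure-as-code role).
APPROVED_ACTORS = {"arn:aws:sts::123456789012:assumed-role/terraform-deploy/ci"}


def _principal_accounts(policy_document):
    """Account IDs named as AWS principals in a trust (assume-role) policy."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    accounts = set()
    for stmt in statements:
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for entry in ([aws] if isinstance(aws, str) else aws):
            # Entries are '*', a full ARN, or a bare 12-digit account ID.
            accounts.add(entry.split(":")[4] if entry.startswith("arn:") else entry)
    return accounts


def classify(event):
    """Return a finding for a permission-changing IAM event, or None otherwise."""
    if event.get("eventSource") != "iam.amazonaws.com":
        return None
    name = event.get("eventName")
    if name not in PERMISSION_CHANGE_EVENTS:
        return None
    identity = event.get("userIdentity", {})
    params = event.get("requestParameters") or {}
    reasons = []
    if params.get("policyArn") == ADMIN_POLICY_ARN:
        reasons.append("AdministratorAccess attached")
    if name == "CreatePolicyVersion" and params.get("setAsDefault"):
        reasons.append("new policy version set as default")
    # An IAM user granting permissions to the very user it is signed in as.
    if identity.get("userName") and identity.get("userName") == params.get("userName"):
        reasons.append("self-escalation")
    # A role trust extended to an account other than the one that owns this log.
    if name == "UpdateAssumeRolePolicy":
        foreign = _principal_accounts(params.get("policyDocument", "{}"))
        foreign.discard(event.get("recipientAccountId"))
        if foreign:
            reasons.append("trust granted to external account(s): " + ", ".join(sorted(foreign)))
    if reasons:
        severity = "high"
    elif identity.get("arn") in APPROVED_ACTORS:
        severity = "low"
    else:
        severity = "medium"
    # A denied call is still evidence of someone trying; keep it visible.
    if event.get("errorCode"):
        reasons.append("attempt failed: " + event["errorCode"])
    return {
        "time": event.get("eventTime"), "event": name, "actor": identity.get("arn"),
        "source_ip": event.get("sourceIPAddress"), "severity": severity, "reasons": reasons,
    }


def scan(records):
    """Run classify() over a list of CloudTrail records and keep the findings."""
    return [f for f in (classify(r) for r in records) if f]


ACCOUNT = "123456789012"  # constructed victim account ID
SAMPLE_EVENTS = [  # constructed records, not real log data
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "recipientAccountId": ACCOUNT, "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/dev-alice", "userName": "dev-alice"},
     "requestParameters": {"userName": "dev-alice", "policyArn": ADMIN_POLICY_ARN}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "recipientAccountId": ACCOUNT, "sourceIPAddress": "198.51.100.2",
     "userIdentity": {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/terraform-deploy/ci"},
     "requestParameters": {"roleName": "app-role", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
    {"eventTime": "2024-05-01T10:09:00Z", "eventSource": "iam.amazonaws.com", "eventName": "UpdateAssumeRolePolicy",
     "recipientAccountId": ACCOUNT, "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/dev-bob", "userName": "dev-bob"},
     "requestParameters": {"roleName": "app-role", "policyDocument": json.dumps({"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                        "Principal": {"AWS": "arn:aws:iam::999999999999:root"}}]})}},
    {"eventTime": "2024-05-01T10:20:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
     "recipientAccountId": ACCOUNT, "sourceIPAddress": "203.0.113.7", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/dev-carol", "userName": "dev-carol"},
     "requestParameters": {"policyArn": f"arn:aws:iam::{ACCOUNT}:policy/team-policy", "setAsDefault": True}},
]

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_EVENTS), indent=2))
```

To run this against real data, pass `scan()` the `Records` array of a CloudTrail log file. The approved-actor allowlist keeps routine infrastructure deployments at low severity without hiding them, and the UpdateAssumeRolePolicy check covers the variant in the description where the adversary trusts an account outside the victim tenant rather than touching a victim-owned user.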

What mitigations exist for T1098.003?

There are 3 documented mitigations for T1098.003. Key mitigations include: Privileged Account Management, Multi-factor Authentication, User Account Management.

Which threat groups use T1098.003?

Known threat groups using T1098.003 include: Scattered Spider, LAPSUS$, Storm-0501.