Description
Adversaries may breach or otherwise leverage organizations that have access to intended victims. Access through a trusted third-party relationship abuses an existing connection that may not be protected, or that receives less scrutiny than the standard mechanisms for gaining access to a network.
Organizations often grant elevated access to second- or third-party external providers so that they can manage internal systems as well as cloud-based environments. Examples of these relationships include IT services contractors, managed security providers, and infrastructure contractors (e.g. HVAC, elevators, physical security). The third-party provider's access may be intended to be limited to the infrastructure being maintained, but that infrastructure may sit on the same network as the rest of the enterprise. As such, Valid Accounts used by the other party to reach internal network systems may be compromised and used by an adversary.(Citation: CISA IT Service Providers)
In Office 365 environments, organizations may grant Microsoft partners or resellers delegated administrator permissions. By compromising a partner or reseller account, an adversary may be able to leverage existing delegated administrator relationships or send new delegated administrator offers to clients in order to gain administrative control over the victim tenant.(Citation: Office 365 Delegated Administration)
Mitigations (3)
Multi-factor Authentication (M1032)
Require MFA for all delegated administrator accounts.(Citation: Microsoft Nobelium Admin Privileges)
User Account Management (M1018)
Properly manage the accounts and permissions used by parties in trusted relationships, scoping them to the systems the party actually maintains, to minimize the damage possible both from abuse by the party itself and from an adversary who compromises the party. In Office 365 environments, partner relationships and the roles granted to each partner can be reviewed under the "Partner Relationships" page of the admin center.(Citation: Office 365 Partner Relationships)
Network Segmentation (M1030)
Network segmentation can be used to isolate infrastructure components that do not require broad network access.
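The description above and the mitigations that follow it both come down to one operational question: does each trusted third-party or delegated-admin account only ever authenticate from where, when and how it was supposed to? The script below is an added example, not code from MITRE or from the ATT&CK page, showing how a detection engineer might answer that question over sign-in telemetry. The records are constructed inline to resemble Entra ID (Azure AD) sign-in log entries; the field names `userPrincipalName`, `ipAddress`, `createdDateTime`, `homeTenantId`, `crossTenantAccessType` and `authenticationRequirement` follow the Microsoft Graph `signIn` resource, but every value, the vendor policy table and the approved-partner tenant list are assumptions made up for the example.

```python
"""Flag trusted-relationship abuse in sign-in telemetry (added example).

Records are CONSTRUCTED to resemble Entra ID / Azure AD sign-in log lines
(JSON Lines). Field names follow the Microsoft Graph signIn resource; the
values, the vendor policy table and the partner tenant IDs are invented.
"""
import ipaddress
import json
from datetime import datetime, time

# Assumed access register for third-party accounts (M1018): the source
# ranges each vendor connects from and its agreed maintenance window (UTC).
TRUSTED_PARTIES = {
    "svc-hvac@vendor.example": {
        "source_cidrs": ["203.0.113.0/24"],
        "window": (time(8, 0), time(18, 0)),
    },
    "msp-admin@msp.example": {
        "source_cidrs": ["198.51.100.0/24"],
        "window": (time(0, 0), time(23, 59, 59)),  # 24x7, but IP-pinned
    },
}

# Assumed: partner tenants that are allowed delegated administrator access.
APPROVED_PARTNER_TENANTS = {"11111111-1111-1111-1111-111111111111"}

# Constructed sample sign-ins; the fourth line is the adversary holding a
# compromised account in a tenant that was never granted a partner role.
SAMPLE_SIGNINS = """\
{"createdDateTime":"2024-03-04T10:15:00Z","userPrincipalName":"svc-hvac@vendor.example","ipAddress":"203.0.113.17","crossTenantAccessType":"none","authenticationRequirement":"multiFactorAuthentication"}
{"createdDateTime":"2024-03-04T02:40:00Z","userPrincipalName":"svc-hvac@vendor.example","ipAddress":"198.51.100.9","crossTenantAccessType":"none","authenticationRequirement":"singleFactorAuthentication"}
{"createdDateTime":"2024-03-04T11:02:00Z","userPrincipalName":"admin@partner.example","ipAddress":"192.0.2.8","homeTenantId":"11111111-1111-1111-1111-111111111111","crossTenantAccessType":"serviceProvider","authenticationRequirement":"multiFactorAuthentication"}
{"createdDateTime":"2024-03-04T11:05:00Z","userPrincipalName":"admin@other-partner.example","ipAddress":"192.0.2.77","homeTenantId":"22222222-2222-2222-2222-222222222222","crossTenantAccessType":"serviceProvider","authenticationRequirement":"singleFactorAuthentication"}
{"createdDateTime":"2024-03-04T23:10:00Z","userPrincipalName":"msp-admin@msp.example","ipAddress":"198.51.100.40","crossTenantAccessType":"none","authenticationRequirement":"multiFactorAuthentication"}
"""


def _in_cidrs(ip: str, cidrs) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def evaluate(rec: dict) -> list:
    """Return the list of policy violations for one sign-in record."""
    findings = []
    upn = rec.get("userPrincipalName", "")
    when = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))

    # Delegated administrator access arrives as a cross-tenant sign-in from
    # the partner's home tenant; anything not on the approved list, or not
    # using MFA (M1032), is worth an analyst's attention.
    if rec.get("crossTenantAccessType") == "serviceProvider":
        if rec.get("homeTenantId") not in APPROVED_PARTNER_TENANTS:
            findings.append("delegated-admin sign-in from unapproved partner tenant")
        if rec.get("authenticationRequirement") != "multiFactorAuthentication":
            findings.append("delegated-admin sign-in without MFA")

    # Contractor and MSP accounts are compared with their access register.
    policy = TRUSTED_PARTIES.get(upn)
    if policy is not None:
        if not _in_cidrs(rec["ipAddress"], policy["source_cidrs"]):
            findings.append("third-party account from outside its registered source range")
        start, end = policy["window"]
        if not (start <= when.time() <= end):
            findings.append("third-party account active outside maintenance window")
    return findings


def scan(jsonl: str) -> list:
    """Evaluate every non-empty line; return (upn, finding) tuples."""
    results = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        for finding in evaluate(rec):
            results.append((rec["userPrincipalName"], finding))
    return results


if __name__ == "__main__":
    for upn, finding in scan(SAMPLE_SIGNINS):
        print(f"{upn}: {finding}")
```

Run against the constructed sample, the approved partner and both in-policy vendor sign-ins produce nothing, while the off-hours HVAC logon from the MSP's range and the single-factor delegated-admin sign-in from an unknown tenant each raise two findings. In production the policy table would be generated from the Partner Relationships page and the contractor access register rather than hand-written, and the time-window check should be relaxed for vendors with a genuine 24x7 contract, as the MSP entry shows.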
Threat Groups (12)
| ID | Group | Context |
|---|---|---|
| G0115 | GOLD SOUTHFIELD | [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) has breached Managed Service Providers (MSP's) to deliver malware to MSP customers.(Citation:... |
| G0007 | APT28 | Once [APT28](https://attack.mitre.org/groups/G0007) gained access to the DCCC network, the group then proceeded to use that access to compromise the D... |
| G0027 | Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) has compromised third party service providers to gain access to victim's environments.(Cita... |
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has used dedicated network connections from one victim organization to gain unauthorized access... |
| G0045 | menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has used legitimate access granted to Managed Service Providers in order to access victims of intere... |
| G1039 | RedCurl | [RedCurl](https://attack.mitre.org/groups/G1039) has gained access to a contractor to pivot to the victim’s infrastructure.(Citation: therecord_redcur... |
| G0016 | APT29 | [APT29](https://attack.mitre.org/groups/G0016) has compromised IT, cloud services, and managed services providers to gain broad access to multiple cus... |
| G1005 | POLONIUM | [POLONIUM](https://attack.mitre.org/groups/G1005) has used compromised credentials from an IT company to target downstream customers including a law f... |
| G0125 | HAFNIUM | [HAFNIUM](https://attack.mitre.org/groups/G0125) has used stolen API keys and credentials associated with privilege access management (PAM), cloud app... |
| G1004 | LAPSUS$ | [LAPSUS$](https://attack.mitre.org/groups/G1004) has accessed internet-facing identity providers such as Azure Active Directory and Okta to target spe... |
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has targeted IT and service providers in an effort to obtain credentials, relying largely on c... |
| G1041 | Sea Turtle | [Sea Turtle](https://attack.mitre.org/groups/G1041) targeted third-party entities in trusted relationships with primary targets to ultimately achieve ... |
References
- CISA. (n.d.). APTs Targeting IT Service Provider Customers. Retrieved November 16, 2020.
- Microsoft. (n.d.). Partners: Offer delegated administration. Retrieved May 27, 2022.
Frequently Asked Questions
What is T1199 (Trusted Relationship)?
T1199 is a MITRE ATT&CK technique named 'Trusted Relationship'. It belongs to the Initial Access tactic. Adversaries may breach or otherwise leverage organizations that have access to intended victims. Access through a trusted third-party relationship abuses an existing connection that may not be protected...
How can T1199 be detected?
Detection of T1199 (Trusted Relationship) centres on the accounts and connections granted to second- and third-party providers. Baseline when, from where and to which systems each partner or contractor account normally authenticates, then alert on logon sessions, application-log entries and network traffic that fall outside those source ranges, maintenance windows or scoped network segments. In Office 365 environments, review the Partner Relationships page for unexpected delegated administrator relationships, and treat new delegated administrator offers and delegated-admin sign-ins without MFA as events to investigate. SIEM correlation rules, EDR telemetry and behavioral analytics are the usual tooling for this.
What mitigations exist for T1199?
There are 3 documented mitigations for T1199. Key mitigations include: Multi-factor Authentication, User Account Management, Network Segmentation.
Which threat groups use T1199?
Known threat groups using T1199 include: GOLD SOUTHFIELD, APT28, Threat Group-3390, Sandworm Team, menuPass, RedCurl, APT29, POLONIUM, HAFNIUM, LAPSUS$, VOID MANTICORE, and Sea Turtle.