Description
Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. (Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)
If an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environment’s virtual machines. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a Trusted Relationship to execute commands in connected virtual machines.(Citation: MSTIC Nobelium Oct 2021)
Platforms
Mitigations (1)
Privileged Account ManagementM1026
Limit the number of cloud accounts with permissions to remotely execute commands on virtual machines, and ensure that these are not used for day-to-day operations. In Azure, limit the number of accounts with the roles Azure Virtual Machine Contributer and above, and consider using temporary Just-in-Time (JIT) roles to avoid permanently assigning privileged access to virtual machines.(Citation: Man
Threat Groups (2)
| ID | Group | Context |
|---|---|---|
| G0016 | APT29 | [APT29](https://attack.mitre.org/groups/G0016) has used Azure Run Command and Azure Admin-on-Behalf-of (AOBO) to execute code on virtual machines.(Cit... |
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has abused built-in remote wipe or factory reset commands to wipe devices managed within an or... |
Associated Software (2)
| ID | Name | Type | Context |
|---|---|---|---|
| S0677 | AADInternals | Tool | [AADInternals](https://attack.mitre.org/software/S0677) can execute commands on Azure virtual machines using the VM agent.(Citation: AADInternals Root... |
| S1091 | Pacu | Tool | [Pacu](https://attack.mitre.org/software/S1091) can run commands on EC2 instances using AWS Systems Manager Run Command.(Citation: GitHub Pacu) |
References
- AWS. (n.d.). AWS Systems Manager Run Command. Retrieved March 13, 2023.
- Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022.
- Microsoft. (2023, March 10). Run scripts in your VM by using Run Command. Retrieved March 13, 2023.
Frequently Asked Questions
What is T1651 (Cloud Administration Command)?
T1651 is a MITRE ATT&CK technique named 'Cloud Administration Command'. It belongs to the Execution tactic(s). Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts i...
How can T1651 be detected?
Detection of T1651 (Cloud Administration Command) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1651?
There are 1 documented mitigations for T1651. Key mitigations include: Privileged Account Management.
Which threat groups use T1651?
Known threat groups using T1651 include: APT29, VOID MANTICORE.