3 mins to read
MITRE ATT&CK Stage: Defensive Evasion
This blog is the fifth publication in a series exploring the most powerful cloud permissions and how they map to the MITRE ATT&CK Framework. If you have not yet read the first blog on the Initial Access stage, you can find it here and follow along the series.
–
A lot of activity in the cloud is traceable. Most organizations know it is best practice to enable logging and security tools to help in auditing or protection practices. However, there are a few actions one can take to disable these processes or cover their tracks.
Once an attacker is in your cloud, they are looking to stay there undetected for as long as they can. The following permissions are examples of sensitive actions that could be used to evade detection.
Powerful Permissions in AWS
Permission: PutLifecyclePolicy
Service: Elastic Container Registry (ECR)
Context: This permission allows one to create or update a lifecycle policy on a specified repository. ECR lifecycle policies allow control over lifecycle management of images in private repositories by defining when images should expire.
So What?
If a bad actor were to create an ECR image, with this permission in hand, they could create a policy that sets their desired expiration criteria for the image – allowing them to auto clean up after themselves.
Alternatively, an employee with this permission could accidentally misconfigure a policy, resulting in deleting golden images or other images your team does not want to lose.
Powerful Permissions in Azure
Permission: Microsoft.Automanage/configurationProfileAssignments/Delete
Service: Automanage for Virtual Machines
Context: Automanage allows you to create custom profiles for flexibility in settings. This permission allows one to delete configuration profile assignments on compute instances.
So What?
With this permission in hand, a bad actor could delete the configuration profile assignment for any given Virtual Machine and disable any antimalware. With antimalware disabled, the bad actor could execute their own malware payloads undetected. Deleting the profile assignment can also remove drift detection capabilities that were put in place.
Perhaps an employee ended up with this permission – they could accidentally or without knowing the consequences, delete a profile and disable integral backups on a production workload.
Powerful Permissions in GCP
Permission: logging.exclusions.create
Service: Logging
Context: This permission allows creating log exclusions in Google Cloud, which specify what log data should not be collected.
So What?
What’s better for a malicious actor than the ability to disable logging? A bad actor can exclude the identity or resources they’re using in their attack from logging, making catching them far more challenging.
In the case of an internal threat – perhaps an employee with this permission could make exclusions in billing logs for their desired resources to evade getting in trouble.
With some entries excluded from logs, troubleshooting any sort of error is extremely difficult for the organization.
Permission: securitycenter.muteconfigs.create
Service: Security Center
Context: This permission allows creating mute configurations in Security Center, which can suppress specified security findings.
So What?
With this permission, an attacker can mute security findings for resources or files they’re using to evade detection – this doesn’t mean the finding doesn’t exist, it’s just muted.
Less malicious – an employee with this permission could bypass approval processes to use certain applications that are policy violations.
Permission: vpcaccess.connectors.update
Service: VPC Access
Context: This permission enables updating existing VPC connectors in Google Cloud. One would configure a VPC access connector to enable a service or job to send traffic to a VPC network.
So What?
A bad actor could configure the connector to allow or disallow connections from specific addresses. Consider an organization out of Europe with a region in the U.S. that is enabled, but mostly unused due to data compliance standards. The attacker could allow a connection to an address in the U.S. region and ‘hide out’ there once they realize it is unused after some basic recon. With insufficient monitoring in place, the organization may not realize or detect this activity.
Instantly Secure The Most Sensitive Permissions
Sonrai’s Cloud Permissions Firewall knows the 3,000 most sensitive cloud permissions out there — and how your identities are using them. Unused sensitive permissions are instantly protected with a global default deny policy fit to your specific access needs — all you have to do is a click a button to deploy. Grant future access needs on the fly with a permissions-on-demand workflow integrated into your ChatOps tool.
While you’re at it, quarantine zombie identities and disable unused cloud services and regions for ultimate risk reduction.
Want to Read More?
Continue following the MITRE ATT&CK path as the final blog in this series comes out; Powerful Cloud Permissions You Should Know: Part 6, Exfiltration and Impact.
