[T1021.007 ] Remote Services: Cloud Services – Adversaries leverage federated or synchronized on‑premises identities to authenticate to cloud consoles and CLIs, allowing them to perform management actions and access cloud resources as legitimate users. Watch for unusual cloud logins, CLI commands, and token usage to detect misuse. #CloudSecurity #LateralMovement
Keypoints:
- Adversaries use valid, federated on‑premises credentials to access cloud control planes via web consoles or CLIs.
- Common CLI commands include Connect-AzAccount, Connect-MgGraph, and gcloud auth login.
- Authentication may also occur via application access tokens instead of user passwords.
- Detection requires monitoring cloud auth logs, CLI telemetry, and federated identity audits.
- Mitigations include strong MFA, conditional access policies, and least‑privilege service accounts.
Description:
- Like a guest using a master key that the building manager trusts, attackers with synchronized domain credentials can walk into cloud management consoles and act with the same authority as a legitimate user.
- Adversaries authenticate to cloud services using federated or synchronized on‑premises accounts (or application tokens) to perform management actions, move laterally, and access cloud‑hosted data and services. This matters because the technique rides legitimate trust paths, bypassing perimeter defenses and inheriting whatever privileges the compromised user already holds.
Detection:
- Monitor cloud authentication logs (Azure AD Sign‑Ins, Google Cloud Audit Logs, AWS CloudTrail) for unusual logins from new IPs, geographies, or at odd hours.
- Alert on CLI authentication events (PowerShell Connect-AzAccount, Connect-MgGraph; gcloud auth login) and correlate them with originating hosts and user sessions.
- Inspect federated SAML/OIDC token issuance and federation service logs for anomalous token requests or increased token lifetimes.
- Watch for sudden use of application access tokens or service principal authentications tied to user accounts; validate token creation, consent grants, and client_id usage.
- Use endpoint telemetry to link cloud CLI usage to compromised endpoints (process parent chains, command line args, and network connections) to reduce false positives.
- Employ conditional access and MFA bypass monitoring; flag authentications where MFA was not required but normally enforced for the account or resource.
- Investigate privilege escalation patterns after cloud login (creation of new keys, role assignment changes, IAM policy edits) as indicators of post‑authentication activity.
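The following is an added example (not from this page or any vendor product) that applies three of the detection ideas above to a batch of constructed sign-in records: it flags CLI/PowerShell client authentications, compares their source IP against the user's baseline of interactive, MFA-satisfied sign-ins, and flags sign-ins where MFA was not required for a user who normally satisfies it. The client display names, field names and IP addresses are assumptions chosen for the example.

```python
"""Flag cloud control-plane sign-ins that match the detection ideas above."""
from collections import defaultdict

# Client names that indicate a CLI/PowerShell sign-in rather than a browser.
# Assumed for this example; map these to your own IdP's sign-in log values.
CLI_CLIENTS = {"Azure PowerShell", "Microsoft Graph PowerShell",
               "Microsoft Azure CLI", "gcloud"}


def baseline_ips(events):
    """Per-user IPs seen on successful, MFA-satisfied, non-CLI sign-ins."""
    seen = defaultdict(set)
    for e in events:
        if (e["result"] == "success" and e["mfa"] == "satisfied"
                and e["client"] not in CLI_CLIENTS):
            seen[e["user"]].add(e["ip"])
    return seen


def flag_signins(events):
    """Return (event id, user, reasons) for every successful sign-in worth review."""
    baseline = baseline_ips(events)
    mfa_users = {e["user"] for e in events if e["mfa"] == "satisfied"}
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue  # failed attempts are noise for this rule
        reasons = []
        if e["client"] in CLI_CLIENTS:
            reasons.append("cli-auth")
            if e["ip"] not in baseline[e["user"]]:
                reasons.append("new-ip")  # CLI from an IP never seen interactively
        if e["mfa"] == "not-required" and e["user"] in mfa_users:
            reasons.append("mfa-not-required")  # MFA normally enforced for this user
        if reasons:
            alerts.append((e["id"], e["user"], reasons))
    return alerts


# Constructed sample sign-in records (documentation IP ranges, fictional users).
SAMPLE_EVENTS = [
    {"id": 1, "user": "alice", "client": "Office 365 portal", "ip": "203.0.113.10", "mfa": "satisfied", "result": "success"},
    {"id": 2, "user": "alice", "client": "Office 365 portal", "ip": "203.0.113.10", "mfa": "satisfied", "result": "success"},
    {"id": 3, "user": "bob", "client": "Office 365 portal", "ip": "203.0.113.22", "mfa": "satisfied", "result": "success"},
    {"id": 4, "user": "bob", "client": "Microsoft Azure CLI", "ip": "203.0.113.22", "mfa": "satisfied", "result": "success"},
    {"id": 5, "user": "alice", "client": "Azure PowerShell", "ip": "198.51.100.7", "mfa": "not-required", "result": "success"},
    {"id": 6, "user": "carol", "client": "Azure PowerShell", "ip": "192.0.2.5", "mfa": "satisfied", "result": "failure"},
]

if __name__ == "__main__":
    for alert in flag_signins(SAMPLE_EVENTS):
        print(alert)
```

Event 5 (CLI client, unseen IP, MFA skipped) accumulates all three reasons, while bob's CLI sign-in from his usual address gets only the low-priority "cli-auth" tag, which is the kind of ranking that keeps this rule from drowning in routine admin activity.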
Tactics:
Lateral Movement
Platforms:
IaaS, Identity Provider, Office Suite, SaaS
Data Sources:
Logon Session: Logon Session Creation
Relationship Citations:
(Citation: Crowdstrike TELCO BPO Campaign December 2022),(Citation: Mandiant Remediation and Hardening Strategies for Microsoft 365),(Citation: CISA Scattered Spider Advisory November 2023),(Citation: Protecting Microsoft 365 From On-Premises Attacks)