[Feature Request] Add Python module for detecting T1098.003 - Additional Cloud Roles #17

@terrancedejesus

Description

🐍 Python Module for MITRE ATT&CK Technique Detection

Technique Name: Account Manipulation: Additional Cloud Roles

Technique ID: T1098.003

Technique Description: An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments. With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).

This account modification may immediately follow Create Account or other malicious account activity. Adversaries may also modify existing Valid Accounts that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.

Describe the solution you'd like

With authentication from compromised credentials, create a new group or role within Google Workspace. Then create a new user and add the user to this new group or role. As an option from the config, it should be possible to add a default admin role as well which would be a good signal for privilege escalation.

Additional context

Requirements:
- Google Admin API
- Python packages: google-auth, google-auth-oauthlib, google-auth-httplib2, google-api-python-client, email, base64
- Scopes: https://www.googleapis.com/auth/admin.directory.group and https://www.googleapis.com/auth/admin.directory.user

Module Workflow:
Step 1: What is the group or role to create? Enter a group or role:
Step 2: What is the user to be created? Enter your user email:
Step 3: Create group or role
Step 4: Create the user account
Step 5: Assign the group or role to the user account

Module Actions:
 1. Authenticate
 2. Create group or role
 3. Create user account
 4. Add user to group or role
 5. Cleanup: remove user from group or role
 6. Cleanup: remove group or role

Checklist

Please ensure the following tasks are completed before submitting your feature request:

  • This issue is for a specific MITRE ATT&CK technique detection
  • The technique name and ID are clearly specified
  • The problem and desired solution are clearly described
  • Any necessary alternatives or additional context have been provided
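A detector for the activity this module would generate, written as an added example (not the requested module or the project's own code): it walks Google Workspace Admin audit events and flags a user that receives a group membership or admin role shortly after being created. The event names follow the Admin audit log; the flat record layout and the sample events are constructed for the example.

```python
"""Detection sketch for T1098.003 (Additional Cloud Roles) over Google
Workspace Admin audit events. Added example, not the requested module.
Event names (CREATE_USER, ADD_GROUP_MEMBER, ASSIGN_ROLE) follow the Admin
audit log; the record layout below is a simplified, constructed stand-in
for what the Reports API returns.
"""
from datetime import datetime, timedelta

# Constructed sample events: one actor creates a group, creates a user,
# then adds that user to the group and assigns it a role within minutes.
# The last record is routine admin activity that should not alert.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:00Z", "actor": "actor-a@example.com",
     "event": "CREATE_GROUP", "target": "staging-ops@example.com"},
    {"time": "2024-05-01T10:01:00Z", "actor": "actor-a@example.com",
     "event": "CREATE_USER", "target": "svc-backup@example.com"},
    {"time": "2024-05-01T10:02:00Z", "actor": "actor-a@example.com",
     "event": "ADD_GROUP_MEMBER", "target": "svc-backup@example.com"},
    {"time": "2024-05-01T10:03:00Z", "actor": "actor-a@example.com",
     "event": "ASSIGN_ROLE", "target": "svc-backup@example.com"},
    {"time": "2024-05-02T09:00:00Z", "actor": "admin@example.com",
     "event": "ADD_GROUP_MEMBER", "target": "alice@example.com"},
]

# Events that grant additional access to an existing account.
PRIV_EVENTS = {"ADD_GROUP_MEMBER", "ASSIGN_ROLE"}


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_additional_role_chains(events, window=timedelta(hours=1)):
    """Return one alert per grant that lands on a user created within
    `window`. A role assignment (ASSIGN_ROLE) is rated higher than a
    plain group membership, matching the issue's admin-role option."""
    created = {}  # target user -> creation time
    alerts = []
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        now = _ts(ev["time"])
        if ev["event"] == "CREATE_USER":
            created[ev["target"]] = now
        elif ev["event"] in PRIV_EVENTS and ev["target"] in created:
            age = now - created[ev["target"]]
            if age <= window:
                alerts.append({
                    "user": ev["target"], "actor": ev["actor"],
                    "event": ev["event"],
                    "severity": "high" if ev["event"] == "ASSIGN_ROLE" else "medium",
                    "seconds_after_creation": int(age.total_seconds()),
                })
    return alerts
```

Running the detector over the cleanup steps as well (REMOVE_GROUP_MEMBER shortly after ADD_GROUP_MEMBER) would be a natural extension for telling emulation runs apart from real persistence.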
