Detections
Analytics
Account Manipulation: Additional Cloud Credentials
Description
Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. For example, infrastructure-as-a-service (IaaS) environments, after gaining access through Cloud Accounts, adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP. This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.
Products, Sensors, and Dependencies
| Product | Dependencies | Data source | Access required | Protocol | Data Collected | Notes |
|---|---|---|---|---|---|---|
| Tenable Legacy Cloud Security | AWS IaaS | Read-only | HTTPS | AWS policies |
Attack Path Technique Details
Framework: MITRE ATT&CK
Family: Persistence
Technique: Account Manipulation
Sub-Technique: Additional Cloud Credentials
Platform: AWS
Products Required: Tenable Cloud Security
Tenable Release Date: 2023 Q2