Add Resources or Services

Information

• Name: Create Snapshot

• ID: T1578.001

• Tactics: TA0005

• Technique: T1578

Introduction

The sub-technique "Add Resources or Services" (T1578.001) within the MITRE ATT&CK framework involves adversaries adding new cloud resources or services to a compromised cloud environment. Attackers leverage legitimate cloud management tools or APIs to provision unauthorized resources, creating persistent access, performing malicious activities, or escalating privileges. This sub-technique represents a common method attackers use to maintain persistence and expand their foothold within cloud infrastructure environments.

Deep Dive Into Technique

Adversaries executing this technique typically leverage legitimate cloud provider APIs, management consoles, CLI tools, or SDKs to provision unauthorized resources or services. The following outlines the technical details and mechanisms attackers commonly utilize:

• Cloud Provider APIs and SDKs:

  • Attackers use stolen or compromised credentials to authenticate with cloud provider APIs.

  • Commonly targeted providers include AWS, Azure, Google Cloud Platform (GCP), IBM Cloud, and Oracle Cloud.

  • Attackers execute API calls to provision resources such as virtual machines, containers, storage buckets, databases, or serverless functions.

• Infrastructure as Code (IaC) Tools:

  • Attackers may exploit IaC tools (Terraform, CloudFormation, Azure Resource Manager Templates) to automate resource creation at scale.

  • IaC enables attackers to rapidly deploy large-scale malicious infrastructure or persistently re-establish compromised resources.

• Cloud Management Consoles:

  • Attackers accessing cloud management consoles can directly provision resources using graphical interfaces.

  • They may also adjust configurations and policies to evade detection or audit logging.

• Mechanisms and Real-world Procedures:

  • Provisioning new virtual machines or containers to host malware, command-and-control (C2) infrastructure, or cryptocurrency mining.

  • Creating storage buckets or databases to exfiltrate and store stolen data.

  • Deploying serverless functions or cloud-native services to execute malicious scripts, maintain persistence, or facilitate lateral movement.

  • Leveraging cloud service accounts or IAM roles to escalate privileges and gain broader control over cloud environments.

When this Technique is Usually Used

Attackers utilize this sub-technique across various stages of the cyber attack lifecycle, including:

• Persistence:

  • Creating persistent cloud resources ensures continued access even if initial compromise vectors are mitigated.

  • Attackers often provision hidden or less-monitored cloud resources to maintain long-term persistence.

• Execution and Command-and-Control (C2):

  • Provisioning cloud resources to host malware payloads, C2 servers, or malicious scripts.

  • Attackers leverage cloud infrastructure to blend malicious traffic with legitimate cloud provider traffic, complicating detection.

• Privilege Escalation:

  • Attackers may provision resources with elevated privileges or permissions, enabling further lateral movement and privilege escalation across cloud environments.

• Exfiltration and Data Storage:

  • Attackers create cloud storage buckets or databases to store exfiltrated data securely and covertly.

  • Cloud resources provide attackers with scalable and reliable storage solutions for stolen data.

• Resource Hijacking and Abuse:

  • Attackers provision cloud infrastructure for resource-intensive tasks like cryptocurrency mining, DDoS attacks, or large-scale phishing operations.

  • Cloud environments offer substantial computing resources attackers can abuse at scale.

How this Technique is Usually Detected

Detection of unauthorized resource creation involves continuous monitoring, auditing, and anomaly detection within cloud environments. Effective detection methods include:

• Cloud Audit Logging and Monitoring:

  • Enable cloud provider audit logging (e.g., AWS CloudTrail, Azure Activity Log, GCP Cloud Audit Logs) to record all resource creation events.

  • Regularly review logs for suspicious or unexpected resource provisioning activities.

• Security Information and Event Management (SIEM):

  • Integrate cloud audit logs into SIEM platforms for centralized analysis and correlation.

  • Configure alerts and dashboards to highlight unusual resource creation patterns or anomalies.

• Cloud Security Posture Management (CSPM) Tools:

  • Deploy CSPM solutions to continuously assess cloud infrastructure for unauthorized or misconfigured resources.

  • CSPM tools identify deviations from approved cloud configurations or policies, alerting security teams to suspicious activities.

• Behavioral Analytics and Anomaly Detection:

  • Implement behavioral analytics solutions to baseline normal cloud provisioning activities.

  • Detect anomalies such as resource provisioning outside typical business hours, unusual geographic locations, or unexpected resource types.

• Indicators of Compromise (IoCs):

  • Unexpected cloud resources (VMs, containers, storage buckets) appearing without documented approval.

  • Rapid creation and deletion of resources to evade detection.

  • Resources provisioned in uncommon geographic regions or availability zones.

  • Unusual spikes in cloud resource utilization or billing charges.

Why it is Important to Detect This Technique

Early detection of unauthorized resource creation is critical due to significant potential impacts on systems and networks:

• Persistence and Long-term Access:

  • Attackers leverage unauthorized resource creation to maintain persistent access, complicating remediation and incident response efforts.

  • Early detection prevents attackers from establishing persistent footholds within cloud environments.

• Financial Impact:

  • Unauthorized resource provisioning can rapidly incur significant cloud infrastructure costs.

  • Detecting resource abuse early prevents financial loss and resource exhaustion.

• Data Exfiltration and Privacy Violations:

  • Attackers may provision cloud storage resources to exfiltrate and store sensitive organizational data.

  • Early detection mitigates data breaches and reduces potential regulatory compliance violations.

• Reputation and Operational Damage:

  • Unauthorized cloud resources can host malicious services such as phishing pages, malware distribution, or cryptocurrency mining.

  • Early detection prevents reputational damage and operational disruptions resulting from malicious cloud infrastructure.

• Security Posture and Compliance:

  • Unauthorized resource creation indicates compromised credentials or inadequate security controls.

  • Early detection allows organizations to swiftly remediate underlying security weaknesses and maintain compliance with regulatory standards.

Examples

Real-world examples demonstrating the use of this sub-technique include:

• Cryptocurrency Mining Operations:

  • Attackers compromised AWS credentials and provisioned hundreds of EC2 instances to mine cryptocurrency.

  • Attackers used Terraform scripts to automate resource deployment, rapidly scaling malicious infrastructure.

  • Resulted in significant financial impact to victim organization due to increased cloud billing.

• Data Exfiltration via Cloud Storage:

  • Attackers gained access to Azure Active Directory accounts and provisioned unauthorized Azure Blob Storage containers.

  • Sensitive customer and intellectual property data exfiltrated to attacker-controlled Azure storage resources.

  • Incident resulted in significant data breach and regulatory compliance violations.

• Malware Hosting and Distribution:

  • Attackers compromised Google Cloud Platform credentials, deploying unauthorized Kubernetes clusters to host malware payloads.

  • Kubernetes clusters served as command-and-control infrastructure, distributing malware to victim endpoints.

  • Incident impacted multiple organizations, compromising endpoint security and operational continuity.

• Serverless Function Abuse:

  • Attackers provisioned unauthorized AWS Lambda functions using stolen IAM credentials.

  • Malicious Lambda functions executed scripts performing reconnaissance, data exfiltration, and lateral movement.

  • Attackers leveraged cloud-native services to evade traditional endpoint detection and response (EDR) solutions.

These examples illustrate the diverse scenarios, tools, and impacts associated with the "Add Resources or Services" sub-technique, underscoring the importance of proactive detection and mitigation.