
[Feature Request] Add Python module for detecting T1098.003 - Additional Cloud Roles #17

Open
4 tasks done
terrancedejesus opened this issue May 12, 2023 · 0 comments

Comments

@terrancedejesus
Contributor

🐍 Python Module for MITRE ATT&CK Technique Detection

Technique Name: Account Manipulation: Additional Cloud Roles

Technique ID: T1098.003

Technique Description: An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments. With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).

This account modification may immediately follow Create Account or other malicious account activity. Adversaries may also modify existing Valid Accounts that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.

Describe the solution you'd like

With authentication from compromised credentials, create a new group or role within Google Workspace. Then create a new user and add the user to this new group or role. As an option from the config, it should be possible to add a default admin role as well which would be a good signal for privilege escalation.

Additional context

Requirements: 
- Google Admin API
- Python packages (google-auth, google-auth-oauthlib, google-auth-httplib2, google-api-python-client, email, base64)
- Scopes: https://www.googleapis.com/auth/admin.directory.group and https://www.googleapis.com/auth/admin.directory.user

Module Workflow:
Step 1: What is the group or role to create? Enter a group or role:
Step 2: What is the user to be created? Enter your user email:
Step 3: Create group or role
Step 4: Create the user account
Step 5: Assign the group or role to the user account

Module Actions:
 1. Authenticate
 2. Create group or role
 3. Create user account
 4. Add user to group or role
 5. Cleanup: remove user from group or role
 6. Cleanup: remove group or role

Checklist

Please ensure the following tasks are completed before submitting your feature request:

  • This issue is for a specific MITRE ATT&CK technique detection
  • The technique name and ID are clearly specified
  • The problem and desired solution are clearly described
  • Any necessary alternatives or additional context have been provided
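The module above is the emulation side; the check a detection engineer wants alongside it is something that fires when the module runs. The following is an added example, not code from this issue or from the project's module: it consumes Google Workspace admin audit activity records in the shape returned by the Admin SDK Reports API (`applicationName="admin"`) and flags the create-user, then add-to-group / assign-role sequence the module would produce. The event names `CREATE_USER`, `CREATE_GROUP`, `ADD_GROUP_MEMBER` and `ASSIGN_ROLE`, the parameter names `USER_EMAIL`, `GROUP_EMAIL` and `ROLE_NAME`, the role name `_SEED_ADMIN_ROLE` for the built-in super admin role, and the 30-minute window are assumptions; the sample records are constructed.

```python
"""Detection-side check for T1098.003 (Additional Cloud Roles) in Google
Workspace admin audit logs. Added example; assumes the Reports API record
shape and the event/parameter names named in the comments below."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# How close a CREATE_USER must be to the follow-on group/role change to count
# as one sequence (assumed tuning value).
WINDOW = timedelta(minutes=30)
# Roles whose assignment is high severity on its own (assumed name of the
# built-in Workspace super admin role).
HIGH_RISK_ROLES = {"_SEED_ADMIN_ROLE"}


def _act(time, actor, name, etype, **params):
    """Build one constructed activity record in Reports API activities().list() shape."""
    return {
        "id": {"time": time},
        "actor": {"email": actor},
        "events": [{"type": etype, "name": name,
                    "parameters": [{"name": k, "value": v} for k, v in params.items()]}],
    }


# Constructed sample: a benign HR onboarding (user added to a group almost two
# hours after creation) and the emulated sequence from a compromised admin.
SAMPLE_ACTIVITIES = [
    _act("2023-05-12T09:15:00.000Z", "hr-admin@example.com", "CREATE_USER", "USER_SETTINGS",
         USER_EMAIL="newhire@example.com"),
    _act("2023-05-12T11:00:00.000Z", "hr-admin@example.com", "ADD_GROUP_MEMBER", "GROUP_SETTINGS",
         USER_EMAIL="newhire@example.com", GROUP_EMAIL="all-staff@example.com"),
    _act("2023-05-12T14:00:05.000Z", "compromised@example.com", "CREATE_GROUP", "GROUP_SETTINGS",
         GROUP_EMAIL="ops-backdoor@example.com"),
    _act("2023-05-12T14:01:10.000Z", "compromised@example.com", "CREATE_USER", "USER_SETTINGS",
         USER_EMAIL="svc-backup@example.com"),
    _act("2023-05-12T14:02:00.000Z", "compromised@example.com", "ADD_GROUP_MEMBER", "GROUP_SETTINGS",
         USER_EMAIL="svc-backup@example.com", GROUP_EMAIL="ops-backdoor@example.com"),
    _act("2023-05-12T14:03:30.000Z", "compromised@example.com", "ASSIGN_ROLE", "DELEGATED_ADMIN_SETTINGS",
         USER_EMAIL="svc-backup@example.com", ROLE_NAME="_SEED_ADMIN_ROLE"),
]


def _ts(activity):
    """Parse the RFC 3339 timestamp the Reports API places under id.time."""
    return datetime.strptime(activity["id"]["time"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def _params(event):
    """Flatten an event's parameter list into a name -> value dict."""
    return {p["name"]: p.get("value") for p in event.get("parameters", [])}


def detect_additional_cloud_roles(activities, window=WINDOW):
    """Return one finding per group/role change that targets a user the same
    actor created within `window`, or that assigns a high-risk role.

    Severity is "high" when the target is a freshly created user placed into a
    group the same actor also just created, or when a high-risk role is
    assigned; otherwise "medium"."""
    findings = []
    new_users = defaultdict(dict)   # actor -> {user_email: created_at}
    new_groups = defaultdict(dict)  # actor -> {group_email: created_at}
    for activity in sorted(activities, key=_ts):
        when, actor = _ts(activity), activity["actor"]["email"]
        for event in activity["events"]:
            name, p = event["name"], _params(event)
            if name == "CREATE_USER":
                new_users[actor][p.get("USER_EMAIL")] = when
            elif name == "CREATE_GROUP":
                new_groups[actor][p.get("GROUP_EMAIL")] = when
            elif name in ("ADD_GROUP_MEMBER", "ASSIGN_ROLE"):
                target, group, role = p.get("USER_EMAIL"), p.get("GROUP_EMAIL"), p.get("ROLE_NAME")
                created = new_users[actor].get(target)
                recent_user = created is not None and when - created <= window
                admin_role = name == "ASSIGN_ROLE" and role in HIGH_RISK_ROLES
                if not (recent_user or admin_role):
                    continue  # routine membership/role change, no sequence
                new_group = group in new_groups[actor]
                severity = "high" if admin_role or (recent_user and new_group) else "medium"
                findings.append({
                    "technique": "T1098.003", "event": name, "actor": actor,
                    "target": target, "group": group, "role": role,
                    "time": when.isoformat(), "severity": severity,
                    "reason": ("high-risk role assigned" if admin_role else
                               "newly created user added to newly created group" if new_group else
                               "newly created user granted membership/role"),
                })
    return findings


if __name__ == "__main__":
    for f in detect_additional_cloud_roles(SAMPLE_ACTIVITIES):
        print(f["severity"], f["actor"], f["event"], f["target"], f["reason"])
```

The hr-admin records produce nothing because the group add lands outside the window and touches no high-risk role; the compromised actor produces two high-severity findings, matching the "default admin role" option the request calls out as the strongest privilege-escalation signal. The same function works on real `activities().list(applicationName="admin")` output because only `id.time`, `actor.email` and `events[].parameters` are read.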