Status: Open. christophetd opened this issue 2 months ago.
This is my first attempt at this so please be patient :)
**Requires coverage:**

- Execution/Exfiltration: Data Factory to remotely execute commands, transfer data and maintain persistence
- Persistence/Defense evasion: Abuse of Cross-Tenant Synchronization in Microsoft Entra ID [1]
- Persistence/Defense evasion: Abuse of Federated Identity Providers [2]
- Persistence/Defense evasion: Remove MFA within Entra ID
- Execution/Persistence/Defense Evasion: Creation of new VMs to bypass security tooling [3]

**Pending creation:**

- Execution: Abuse Azure Special Administration Console (pending issue: Serial Console, #533)
- Execution: Google Cloud Startup Script (pending issue: #537)

**Current coverage:**

- Execution: Azure RunCommands (coverage: https://stratus-red-team.cloud/attack-techniques/azure/azure.execution.vm-run-command/)
- Execution: AWS SSM RunShellScripts (coverage: https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ssm-send-command/)
[1, 2] I am not sure of the feasibility of doing any of these programmatically; however, these two may create the most issues/headaches due to licensing and dependencies on an external domain.

[3] There is indirect coverage for this via other techniques (i.e. anything that requires a VM); however, nothing specific from what I could see. An organisation would likely want to audit and alert on any VM created where a golden base image was not used (i.e. a base image where security tooling was not pre-configured).
https://blog.eclecticiq.com/ransomware-in-the-cloud-scattered-spider-targeting-insurance-and-financial-industries
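The audit idea in point [3] (alert on VM creations that do not use an approved golden image) as an added, stand-alone example; this is not code from the issue or from stratus-red-team. It runs over constructed Azure Activity Log-style records whose `properties.requestbody` carries the VM's `storageProfile.imageReference`; the record layout is simplified and the image and subscription IDs are placeholders.

```python
import json

VM_WRITE_OP = "Microsoft.Compute/virtualMachines/write"

# Constructed allow-list of golden image resource IDs (placeholders, not real IDs).
GOLDEN_LINUX = "/subscriptions/<sub>/resourceGroups/img-rg/providers/Microsoft.Compute/galleries/corp/images/golden-linux"
GOLDEN_IMAGES = {GOLDEN_LINUX}


def image_of(record):
    """Image used by a VM write event: a gallery/custom image id, or
    'publisher:offer:sku' for a marketplace image. None when absent/unparseable."""
    body = record.get("properties", {}).get("requestbody")
    if not body:
        return None
    try:
        ref = json.loads(body)["properties"]["storageProfile"]["imageReference"]
    except (ValueError, KeyError, TypeError):
        return None
    if "id" in ref:
        return ref["id"]
    if {"publisher", "offer", "sku"}.issubset(ref):
        return f"{ref['publisher']}:{ref['offer']}:{ref['sku']}"
    return None


def audit_vm_creations(records, golden=GOLDEN_IMAGES):
    """One finding per successful VM write whose image is not on the golden list.
    'Start' events are skipped so a single creation is not reported twice."""
    findings = []
    for rec in records:
        if rec.get("operationName") != VM_WRITE_OP or rec.get("resultType") != "Success":
            continue
        img = image_of(rec)
        if img in golden:
            continue
        findings.append({"caller": rec.get("caller"), "resource": rec.get("resourceId"),
                         "image": img or "<unknown>"})
    return findings


def _evt(caller, vm, image_ref, result="Success"):
    """Build a constructed activity-log record for a VM write."""
    body = json.dumps({"properties": {"storageProfile": {"imageReference": image_ref}}})
    return {"operationName": VM_WRITE_OP, "resultType": result, "caller": caller,
            "resourceId": f"/subscriptions/<sub>/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/{vm}",
            "properties": {"requestbody": body}}


SAMPLE_EVENTS = [  # constructed sample data
    _evt("ops@example.com", "web-01", {"id": GOLDEN_LINUX}),
    _evt("contractor@example.com", "tmp-vm", {"publisher": "Canonical", "offer": "0001-com-ubuntu-server-jammy", "sku": "22_04-lts"}),
    _evt("ops@example.com", "web-02", {"id": GOLDEN_LINUX}, result="Start"),
]
```

Running `audit_vm_creations(SAMPLE_EVENTS)` flags only `tmp-vm`, the marketplace-image VM created by `contractor@example.com`.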