Cloud Administration Command (T1651)
Tactic: Execution · Platforms: IaaS
The interactive view maps 1 detection strategy, 1 mitigation, 2 threat groups, 2 software entries to this technique, alongside D3FEND countermeasures and data-component coverage.
Overview
Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents.
If an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environment’s virtual machines. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a Trusted Relationship to execute commands in connected virtual machines.