Cloud Administration Command

Cloud Administration Command is a technique in which an adversary uses a management interface provided by the cloud platform (such as AWS Systems Manager or Azure Run Command) to execute commands remotely inside virtual machines, typically through the agent the cloud provider pre-installs, so that no network port on the VM has to be exposed. The technique can be used for lateral movement, persistent control or data theft; defences centre on enforcing least privilege, requiring multi-factor authentication, monitoring management API call logs and restricting outbound connections from virtual machines.

To evade the increasingly mature operation auditing and anomaly detection on cloud platforms, attackers have developed covert command-execution techniques that lean heavily on cloud-native features. By abusing legitimate cloud service modules, infiltrating identity federation, slipping past the boundaries of log collection and exploiting encrypted workflow mechanisms, they build "cloud-native" attack paths that traditional security tooling struggles to identify, blending malicious operations deeply into normal operations activity.

The evolution of trace-hiding techniques for cloud administration commands currently shows three characteristics. First, deep use of the cloud platform's chain of identity trust: temporary-credential hijacking and role delegation are used to build attack paths that look legitimate when traced back. Second, targeted evasion of log auditing: operation traces are erased by slipping through the gaps between different services' logs and by dynamically loading encrypted documents. Third, full integration with cloud-native automation tooling: malicious instructions are broken into compliant atomic operations and covertly reassembled by a workflow engine. Typical instances are mixed-operation-chain disguised execution, which analyses operations behaviour patterns to build a contextually coherent attack chain, and encrypted task-orchestration disguise, which uses the cloud service's own encryption to hide the attack end to end. Together these techniques form a new cloud attack paradigm of "legitimised identity, dispersed traces, invisible payloads".

The development of trace-hiding techniques forces defenders away from detection based purely on matching log rules: they need to build a behavioural graph of cloud service meta-operations, perform correlation analysis across accounts and services, and introduce trustworthiness checks on the content of encrypted workflows. At the same time, dynamic authorization within the cloud identity federation should be strengthened, with detection models built on time-series anomalies and changes in permission entropy.

ID: T1651
Sub-techniques: T1651.001, T1651.002, T1651.003, T1651.004
Tactic: Execution
Platforms: IaaS
Contributors: Adrien Bataille; Anders Vejlby; Caio Silva; Cisco; Jared Wilson; Nader Zaveri; Nichols Jasper; Tamir Yehuda
Version: 2.0
Created: 13 March 2023
Last Modified: 15 October 2024

Trace-Hiding Effects

Effect type Present
Signature disguise
Behaviour transparency
Data obscuring
Spatiotemporal trace dispersal

Signature Disguise

Attackers hide by mimicking the workflow characteristics of legitimate cloud management operations. For example, a malicious command is split into atomic operations that conform to the API specification and reassembled for execution by a cloud workflow engine, or the attack payload is stored in an encrypted document so that under static review it appears to be a compliant encrypted object. These methods make the malicious operation closely resemble normal operations activity in protocol format, workflow logic and other dimensions.

Data Obscuring

The cloud platform's native encryption services (such as KMS-managed keys) are used to encrypt the attack payload end to end, so that the malicious code exists only as ciphertext in transit and at rest. Encrypted API requests are likewise used to hide command parameters, leaving network-layer detection with no useful information.

Spatiotemporal Trace Dispersal

By scheduling tasks across cloud regions and destroying temporary credentials immediately after use, attack traces are scattered across different time windows and geographic regions. For example, cloud functions in several regions execute commands cooperatively, and synchronization delays in the logging system are exploited to erase operation traces, so that the attack signature is diluted across the spatial and temporal dimensions of the cloud environment.

Procedure Examples

ID Name Description
S0677 AADInternals

AADInternals can execute commands on Azure virtual machines using the VM agent.[1]

G0016 APT29

APT29 has used Azure Run Command and Azure Admin-on-Behalf-of (AOBO) to execute code on virtual machines.[2]

S1091 Pacu

Pacu can run commands on EC2 instances using AWS Systems Manager Run Command.[3]

Mitigations

ID Mitigation Description
M1026 Privileged Account Management

Limit the number of cloud accounts with permissions to remotely execute commands on virtual machines, and ensure that these are not used for day-to-day operations. In Azure, limit the number of accounts with the role Virtual Machine Contributor and above, and consider using temporary Just-in-Time (JIT) roles to avoid permanently assigning privileged access to virtual machines.[4]

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor for suspicious command executions via cloud management services like AWS Systems Manager or Azure RunCommand. In Azure, usage of Azure RunCommand can be identified via the Azure Activity Logs, and additional details on the result of executed jobs are available in the C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows directory on Windows virtual machines.[4]

Analytic 1 - Abnormal or unauthorized execution of commands/scripts on VMs

index=cloud_logs (sourcetype=aws:ssm OR sourcetype=azure:activity) | search action IN ("RunCommand", "StartSSMCommand", "ExecuteCommand")

DS0009 Process Process Creation

Monitor for process creation events in virtual machines that are associated with cloud VM agents, such as the WindowsAzureGuestAgent.exe process on Azure virtual machines.[4]

Analytic 1 - Unexpected process creation

sourcetype=process_creation | search process_name IN ("WindowsAzureGuestAgent.exe", "ssm-agent.exe") | where process_path != "/usr/local/bin/"

DS0012 Script Script Execution

Monitor the execution of scripts within virtual machines, especially those initiated via cloud management services like Azure RunCommand. In Azure, usage of Azure RunCommand can be identified via the Azure Activity Logs, and additional details on the result of executed jobs are available in the C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows directory on Windows virtual machines.[4]

Analytic 1 - Unauthorized script execution

sourcetype=azure:activity | search script_name IN ("script.sh", "run.ps1", "start.cmd") | where user NOT IN ("known_admins")
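As an added example (not code from the original page or from MITRE), the following Python routine shows the cross-service check behind the DS0017 analytic above: it normalizes a CloudTrail SSM SendCommand record and an Azure Activity Log runCommand record into one shape and flags remote-execution actions by identities outside an allow-list. Field names follow the CloudTrail and Azure Activity Log schemas; the sample records, the allow-list and the subscription placeholder are constructed.

```python
# Constructed sample records (not real telemetry): a CloudTrail SSM SendCommand
# event, an Azure Activity Log runCommand event, and a benign EC2 read call.
SAMPLE_EVENTS = [
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"documentName": "AWS-RunShellScript",
                           "instanceIds": ["i-0abc123"]}},
    {"operationName": "Microsoft.Compute/virtualMachines/runCommand/action",
     "caller": "bob@example.com",
     "resourceId": "/subscriptions/<subscription-id>/resourceGroups/rg1/"
                   "providers/Microsoft.Compute/virtualMachines/vm01"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
]

# CloudTrail event names and Azure operations that run code inside a VM.
AWS_EXEC_EVENTS = {"SendCommand", "StartSession"}
AZURE_EXEC_OPS = {"Microsoft.Compute/virtualMachines/runCommand/action"}
# Identities approved to run commands on VMs (constructed allow-list).
ALLOWED_ADMINS = {"arn:aws:iam::111122223333:user/alice"}


def normalize(event):
    """Map a CloudTrail or Azure Activity record to a common
    (platform, actor, action, target) tuple; None if it is not VM code execution."""
    if "eventSource" in event:  # CloudTrail record
        if (event["eventSource"] == "ssm.amazonaws.com"
                and event["eventName"] in AWS_EXEC_EVENTS):
            params = event.get("requestParameters", {})
            target = "%s on %s" % (params.get("documentName", "?"),
                                   ",".join(params.get("instanceIds", [])))
            return ("aws", event["userIdentity"]["arn"], event["eventName"], target)
        return None
    if event.get("operationName") in AZURE_EXEC_OPS:  # Azure Activity Log record
        return ("azure", event["caller"], "runCommand", event["resourceId"])
    return None


def find_unauthorized(events, allowed=ALLOWED_ADMINS):
    """Return VM code-execution events whose actor is outside the allow-list,
    regardless of which cloud platform produced the log record."""
    return [n for n in map(normalize, events) if n and n[1] not in allowed]


if __name__ == "__main__":
    for hit in find_unauthorized(SAMPLE_EVENTS):
        print("ALERT remote execution by unapproved identity:", hit)
```

With the constructed allow-list only the Azure runCommand by bob@example.com is flagged; an empty allow-list flags both execution records while the DescribeInstances call is still ignored.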

References