This is my first attempt at this so please be patient :)
Requires coverage:
Execution/Exfiltration: Data Factory to remotely execute commands, transfer data and maintain persistence
Persistence/Defense evasion: Abuse of Cross-Tenant Synchronization in Microsoft Entra ID [1]
Persistence/Defense evasion: Abuse of Federated Identity Providers [2]
Persistence/Defense evasion: Remove MFA within Entra ID
Execution/Persistence/Defense Evasion: Creation of new VMs to bypass security tooling [3]
Pending creation:
Execution: Abuse Azure Special Administration Console (pending issue, see Serial Console - #533)
Execution: Google Cloud Startup Script (pending issue - #537)
[1, 2] I am not sure of the feasibility of doing any of these programmatically; however, these two may create the most issues/headaches due to licensing and dependencies on an external domain.
[3] There is indirect coverage for this via other techniques (i.e. anything that requires a VM); however, nothing specific from what I could see. An organisation would likely want to audit and alert on any VM created where a golden base image was not used (i.e. a base image where security tooling was not pre-configured).
https://blog.eclecticiq.com/ransomware-in-the-cloud-scattered-spider-targeting-insurance-and-financial-industries
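The audit suggested under [3] (flag any VM not built from an approved golden image) can be expressed as a small check over VM resource descriptions. The following is an added example, not code from the issue author or from the project; it assumes VM records shaped like the `storageProfile.imageReference` section of an Azure VM resource (as returned by `az vm list`), and the gallery image id, subscription id and sample VMs are constructed placeholders.

```python
"""
Flag Azure VMs whose OS image is not on an allowlist of approved ("golden") images.

Azure expresses a VM's source image in storageProfile.imageReference as either
  - an "id" pointing at a Shared Image Gallery / custom image (golden images live here), or
  - publisher/offer/sku/version for a Marketplace image.
A VM created from a raw disk may carry no imageReference at all.
"""

# Constructed allowlist: gallery image *definitions* approved by the organisation.
# Subscription id and names are placeholders, not real identifiers.
APPROVED_IMAGE_IDS = {
    ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-images/"
     "providers/Microsoft.Compute/galleries/golden/images/ubuntu-hardened").lower(),
}


def image_key(image_ref):
    """Normalise an imageReference dict into a comparable key.

    Gallery ids are versioned ("/versions/1.2.3"); the version suffix is stripped so
    every version of an approved image definition matches the allowlist entry.
    """
    if not image_ref:
        return "<no-image-reference>"
    if "id" in image_ref:
        ref = image_ref["id"].lower()
        marker = "/versions/"
        if marker in ref:
            ref = ref.split(marker)[0]
        return ref
    # Marketplace images are identified by the publisher/offer/sku triple.
    return "marketplace:{}:{}:{}".format(
        image_ref.get("publisher", "?"),
        image_ref.get("offer", "?"),
        image_ref.get("sku", "?"),
    ).lower()


def find_non_golden_vms(vms, approved=APPROVED_IMAGE_IDS):
    """Return [(vm_name, image_key)] for every VM whose image is not approved."""
    findings = []
    for vm in vms:
        ref = vm.get("storageProfile", {}).get("imageReference")
        key = image_key(ref)
        if key not in approved:
            findings.append((vm["name"], key))
    return findings


# Constructed sample inventory: one golden-image VM, one Marketplace VM, one built from a disk.
SAMPLE_VMS = [
    {
        "name": "vm-golden",
        "storageProfile": {"imageReference": {
            "id": ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-images/"
                   "providers/Microsoft.Compute/galleries/golden/images/ubuntu-hardened/versions/1.0.0"),
        }},
    },
    {
        "name": "vm-marketplace",
        "storageProfile": {"imageReference": {
            "publisher": "Canonical", "offer": "0001-com-ubuntu-server-jammy",
            "sku": "22_04-lts", "version": "latest",
        }},
    },
    {
        "name": "vm-from-disk",
        "storageProfile": {"osDisk": {"createOption": "Attach"}},
    },
]

if __name__ == "__main__":
    for name, key in find_non_golden_vms(SAMPLE_VMS):
        print(f"ALERT: {name} was not created from an approved golden image ({key})")
```

In practice the `vms` list would come from the subscription inventory (or from a create/write event enriched with the resource body), and the allowlist would be maintained alongside the image build pipeline so that new golden image versions are approved automatically while ad-hoc Marketplace or disk-based VMs are surfaced for review.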