ID | Name |
---|---|
T1087.001 | Local Account |
T1087.002 | Domain Account |
T1087.003 | Email Account |
T1087.004 | Cloud Account |
Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application.
With authenticated access there are several tools that can be used to find accounts. The Get-MsolRoleMember
PowerShell cmdlet can be used to obtain account names given a role or permissions group in Office 365.[1][2] The Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command az ad user list
will list all users within a domain.[3][4]
The AWS command aws iam list-users
may be used to obtain a list of users in the current account while aws iam list-roles
can obtain IAM roles that have a specified path prefix.[5][6] In GCP, gcloud iam service-accounts list
and gcloud projects get-iam-policy
may be used to obtain a listing of service accounts and users in a project.[7]
ID | Name | Description |
---|---|---|
S0677 | AADInternals |
AADInternals can enumerate Azure AD users.[8] |
G0016 | APT29 | |
S0684 | ROADTools |
ID | Mitigation | Description |
---|---|---|
M1047 | Audit |
Routinely check user permissions to ensure only the expected users have the ability to list IAM identities or otherwise discover cloud accounts. |
M1018 | User Account Management |
Limit permissions to discover cloud accounts in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies. |
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
Monitor processes, command-line arguments, and logs for actions that could be taken to gather information about cloud accounts, including the use of calls to cloud APIs that perform account discovery.
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.