Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application.
With authenticated access there are several tools that can be used to find accounts. The <code>Get-MsolRoleMember</code> PowerShell cmdlet can be used to obtain account names given a role or permissions group in Office 365.(Citation: Microsoft msolrolemember)(Citation: GitHub Raindance) The Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command <code>az ad user list</code> will list all users within a domain.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)
The AWS command <code>aws iam list-users</code> may be used to obtain a list of users in the current account while <code>aws iam list-roles</code> can obtain IAM roles that have a specified path prefix.(Citation: AWS List Roles)(Citation: AWS List Users) In GCP, <code>gcloud iam service-accounts list</code> and <code>gcloud projects get-iam-policy</code> may be used to obtain a listing of service accounts and users in a project.(Citation: Google Cloud - IAM Servie Accounts List API)
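The CLI calls above are ordinary read-only control-plane operations, so individually they are not suspicious; what stands out in telemetry is one principal issuing several distinct IAM listing calls in a short burst. The following is an added detection example written for this page, not code from MITRE ATT&CK or from any cloud provider. It reads newline-delimited CloudTrail-style records (the field names `eventTime`, `eventSource`, `eventName`, `userIdentity.arn` and `sourceIPAddress` are real CloudTrail fields; the records themselves are constructed samples) and flags any principal that makes a configurable number of distinct IAM enumeration calls within a sliding window. The threshold and window values are assumptions to be tuned against a real account's baseline.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# IAM control-plane reads that, clustered together, look like account discovery.
# These are real CloudTrail eventName values for the iam.amazonaws.com source.
ENUMERATION_EVENTS = {
    "ListUsers", "ListRoles", "ListGroups",
    "GetAccountAuthorizationDetails", "ListAccountAliases",
}

# Constructed CloudTrail-style records (not real telemetry). Only the fields
# the detector reads are included; account id and IPs are documentation values.
SAMPLE_TRAIL = "\n".join(json.dumps(e) for e in [
    {"eventTime": "2024-03-01T09:00:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-7"}},
    {"eventTime": "2024-03-01T09:00:20Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListRoles", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-7"}},
    {"eventTime": "2024-03-01T09:01:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-03-01T09:01:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListGroups", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-7"}},
    {"eventTime": "2024-03-01T09:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-7"}},
    {"eventTime": "2024-03-01T11:15:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListRoles", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-03-01T11:16:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListGroups", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
])


def parse_trail(text):
    """Parse newline-delimited CloudTrail records; attach a UTC datetime and sort by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["_time"] = datetime.strptime(
            rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return sorted(events, key=lambda r: r["_time"])


def find_enumerators(events, threshold=3, window=timedelta(minutes=5)):
    """Return {principal_arn: sorted distinct enumeration calls} for every principal
    that issued at least `threshold` distinct IAM enumeration calls inside `window`.
    Non-IAM events and IAM events outside ENUMERATION_EVENTS are ignored, and a
    sliding deque per principal drops calls older than the window."""
    recent = defaultdict(deque)   # arn -> deque of (time, eventName)
    flagged = {}
    for rec in events:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        if rec.get("eventName") not in ENUMERATION_EVENTS:
            continue
        arn = rec["userIdentity"]["arn"]
        q = recent[arn]
        q.append((rec["_time"], rec["eventName"]))
        while q and rec["_time"] - q[0][0] > window:
            q.popleft()
        distinct = {name for _, name in q}
        if len(distinct) >= threshold:
            flagged[arn] = sorted(set(flagged.get(arn, ())) | distinct)
    return flagged


if __name__ == "__main__":
    for arn, calls in find_enumerators(parse_trail(SAMPLE_TRAIL)).items():
        print(f"possible cloud account discovery by {arn}: {', '.join(calls)}")
```

With the default settings only the assumed role is reported: it issues three distinct listing calls in under two minutes, while the IAM user's calls are hours apart and never reach the threshold inside one window. Dropping the threshold to two also flags the user, which is the trade-off a practitioner tunes against how often administrators and legitimate automation in the account run these listings.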

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
AC-02 | Account Management | Protects | T1087.004 | Cloud Account |
AC-03 | Access Enforcement | Protects | T1087.004 | Cloud Account |
AC-05 | Separation of Duties | Protects | T1087.004 | Cloud Account |
AC-06 | Least Privilege | Protects | T1087.004 | Cloud Account |
IA-02 | Identification and Authentication (organizational Users) | Protects | T1087.004 | Cloud Account |
IA-08 | Identification and Authentication (non-organizational Users) | Protects | T1087.004 | Cloud Account |
PUR-IP-E5 | Information Protection | Technique Scores | T1087.004 | Cloud Account |
PUR-AS-E5 | Audit Solutions | Technique Scores | T1087.004 | Cloud Account |
ME-RBAC-E3 | Role Based Access Control | Technique Scores | T1087.004 | Cloud Account |
DEF-IR-E5 | Incident Response | Technique Scores | T1087.004 | Cloud Account |
DO365-AG-E5 | App Governance | Technique Scores | T1087.004 | Cloud Account |
DO365-ATH-E5 | Advanced Threat Hunting | Technique Scores | T1087.004 | Cloud Account |