T1087.004 Cloud Account

Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application.

With authenticated access there are several tools that can be used to find accounts. The <code>Get-MsolRoleMember</code> PowerShell cmdlet can be used to obtain account names given a role or permissions group in Office 365.(Citation: Microsoft msolrolemember)(Citation: GitHub Raindance) The Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command <code>az ad user list</code> will list all users within a domain.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)

The AWS command <code>aws iam list-users</code> may be used to obtain a list of users in the current account while <code>aws iam list-roles</code> can obtain IAM roles that have a specified path prefix.(Citation: AWS List Roles)(Citation: AWS List Users) In GCP, <code>gcloud iam service-accounts list</code> and <code>gcloud projects get-iam-policy</code> may be used to obtain a listing of service accounts and users in a project.(Citation: Google Cloud - IAM Servie Accounts List API)
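Detection logic for the AWS side of this technique, as an added example that is not part of the ATT&CK page or its mappings: it parses a constructed CloudTrail log file and flags any principal, other than an assumed access-review role, that calls the IAM listing APIs behind `aws iam list-users` and `aws iam list-roles`.

```python
import json
from collections import defaultdict

# IAM read APIs behind the aws iam list-users / list-roles commands on the page,
# plus two closely related listing calls.
ENUM_EVENTS = {"ListUsers", "ListRoles", "ListGroups",
               "GetAccountAuthorizationDetails"}

# Assumption for this example: the only principal expected to enumerate
# IAM is a scheduled access-review role; every other principal is flagged.
EXPECTED_PRINCIPALS = {
    "arn:aws:sts::111122223333:assumed-role/AccessReviewRole/audit",
}

# Constructed CloudTrail log file, trimmed to the fields the rule reads.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:01Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-ci"}},
    {"eventTime": "2024-05-01T10:00:03Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListRoles", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-ci"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/AccessReviewRole/audit"}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-ci"}},
]})

def parse_records(raw):
    """CloudTrail delivers one JSON object per file with a Records array."""
    return json.loads(raw).get("Records", [])

def find_enumeration(records, expected=EXPECTED_PRINCIPALS):
    """Return {principal ARN: sorted IAM enumeration calls} for principals not
    on the expected list; grouping by principal exposes the list-users plus
    list-roles pattern rather than isolated calls."""
    hits = defaultdict(set)
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue  # e.g. S3 ListBuckets belongs to a different technique
        if rec.get("eventName") not in ENUM_EVENTS:
            continue
        arn = rec.get("userIdentity", {}).get("arn", "<no-arn>")
        if arn not in expected:
            hits[arn].add(rec["eventName"])
    return {arn: sorted(calls) for arn, calls in hits.items()}

if __name__ == "__main__":
    print(json.dumps(find_enumeration(parse_records(SAMPLE_LOG)), indent=2))
```

The same grouping works on GCP Data Access audit logs once the service and method names are swapped for the ones behind `gcloud iam service-accounts list` and `gcloud projects get-iam-policy`.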


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
PR.AA-04.01 | Access control within and across security perimeters | Mitigates | T1087.004 | Cloud Account | This diagnostic statement provides protection from Cloud Account through the implementation of privileged account management controls to limit credential access. Employing limitations on specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify accounts.
PR.AA-05.01 | Access privilege limitation | Mitigates | T1087.004 | Cloud Account | This diagnostic statement describes the implementation of the least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restricting users and accounts to the least privileges they require can help mitigate these techniques.
PR.AA-01.02 | Physical and logical access | Mitigates | T1087.004 | Cloud Account | This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
PR.AA-01.01 | Identity and credential management | Mitigates | T1087.004 | Cloud Account | This diagnostic statement protects against Cloud Account through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
IA-08 | Identification and Authentication (Non-Organizational Users) | mitigates | T1087.004 | Cloud Account |
IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1087.004 | Cloud Account |
AC-02 | Account Management | mitigates | T1087.004 | Cloud Account |
AC-03 | Access Enforcement | mitigates | T1087.004 | Cloud Account |
AC-05 | Separation of Duties | mitigates | T1087.004 | Cloud Account |
AC-06 | Least Privilege | mitigates | T1087.004 | Cloud Account |

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
azure_role_based_access_control | Azure Role-Based Access Control | technique_scores | T1087.004 | Cloud Account | This control can be used to implement the least-privilege principle for account management and thereby limit the accounts that can be used for account discovery.
defender_for_resource_manager | Microsoft Defender for Resource Manager | technique_scores | T1087.004 | Cloud Account | This control may alert on Account Discovery of Cloud Accounts activity generated by specific toolkits, such as MicroBurst, PowerZure, etc. It may not generate alerts on undocumented discovery techniques or exploitation toolkits. The following alerts may be generated: "PowerZure exploitation toolkit used to enumerate storage containers, shares, and tables", "PowerZure exploitation toolkit used to enumerate resources", "MicroBurst exploitation toolkit used to enumerate resources in your subscriptions", "Azurite toolkit run detected".

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
google_secops | Google Security Operations | technique_scores | T1087.004 | Cloud Account | Google Security Ops is able to trigger an alert based on command line arguments and suspicious system processes that could indicate an adversary's account discovery techniques (e.g., "net user /domain", "C:\\Windows\\System32\\net.exe", "C:\\Windows\\System32\\query.exe"). This technique was scored as minimal based on a low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/account_discovery_activity_detector__sysmon_behavior.yaral
identity_and_access_management | Identity and Access Management | technique_scores | T1087.004 | Cloud Account | This control can be used to implement the least-privilege principle for account management and thereby limit the accounts that can be used for account discovery. This control receives a minimal score since it only covers one of the few sub-techniques.
identity_platform | Identity Platform | technique_scores | T1087.004 | Cloud Account | Identity Platform is a customer identity and access management (CIAM) platform that helps organizations add identity and access management functionality to their applications, protect user accounts, and scale with confidence on Google Cloud. With this, permissions to discover cloud accounts are limited in accordance with least privilege, and adversaries may be prevented from getting access to a listing of cloud accounts.
policy_intelligence | Policy Intelligence | technique_scores | T1087.004 | Cloud Account | This control can be used to limit permissions to discover cloud accounts in accordance with least privilege principles and thereby limit the accounts that can be used for account discovery.
resource_manager | Resource Manager | technique_scores | T1087.004 | Cloud Account | This control may mitigate adversaries that attempt to get a listing of cloud accounts, such as through calls to cloud APIs that perform account discovery.
resource_manager | Resource Manager | technique_scores | T1087.004 | Cloud Account | Adversaries may attempt to get a listing of cloud accounts that are created and configured by an organization or admin. IAM audit logging in GCP can be used to determine roles and permissions, along with routinely checking user permissions to ensure only the expected users have the ability to list IAM identities or otherwise discover cloud accounts.

AWS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
aws_organizations | AWS Organizations | technique_scores | T1087.004 | Cloud Account | This control may protect against cloud account discovery by segmenting accounts into separate organizational units and restricting to least privileges between groups.

M365 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
PUR-AUS-E5 | Audit Solutions | Technique Scores | T1087.004 | Cloud Account | Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization. Microsoft's Audit Solutions protect from Cloud Account attacks because they allow admins to search and routinely check user permissions to ensure only the expected users have the ability to list IAM identities or otherwise discover cloud accounts. License Requirements: Microsoft 365 E3 and E5
DEF-IR-E5 | Incident Response | Technique Scores | T1087.004 | Cloud Account | An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming; Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action. Microsoft 365 Defender Incident Response responds to cloud account attacks because Incident Response monitors the activity of cloud accounts to detect abnormal or malicious behavior. License Requirements: Microsoft Defender XDR
EID-RBAC-E3 | Role Based Access Control | Technique Scores | T1087.004 | Cloud Account | The RBAC control can be used to implement the principle of least privilege for account management, limiting the accounts that can be used to perform account discovery. This scores Partial for its ability to minimize the overall accounts with these role privileges. License Requirements: ME-ID Built-in Roles (Free)
DEF-ATH-E5 | Advanced Threat Hunting | Technique Scores | T1087.004 | Cloud Account | Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across devices managed by Microsoft Defender for Endpoint, emails processed by Microsoft 365, cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch. Advanced Threat Hunting detects Cloud Account attacks through the DeviceProcessEvents table in the advanced hunting schema, which contains information about process creation and related events and so records actions that could be taken to gather information about cloud accounts. License Requirements: Microsoft Defender XDR, Microsoft Defender for Cloud Apps, Microsoft Defender for Office 365 plan 2
DEF-APGV-E5 | App Governance | Technique Scores | T1087.004 | Cloud Account | App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization. App Governance detects Cloud Account attacks because it tracks various app attributes and behaviors such as certification, data use, API access errors, and unused permissions that can indicate misuse and risk. License Requirements: Microsoft Defender for Cloud Apps
PUR-INPR-E5 | Information Protection | Technique Scores | T1087.004 | Cloud Account | Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly. Information Protection detects Cloud Account attacks by detecting when certain files that belong to a specific user group are being accessed excessively by a user who is not part of the group, which could be a potential insider threat. License Requirements: Microsoft Defender for Office 365 plan 1 and plan 2