T1087.004 Cloud Account Mappings

Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application.

With authenticated access, there are several tools that can be used to find accounts. The <code>Get-MsolRoleMember</code> PowerShell cmdlet can be used to obtain account names given a role or permissions group in Office 365.(Citation: Microsoft msolrolemember)(Citation: GitHub Raindance) The Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command <code>az ad user list</code> will list all users within a domain.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)

The AWS command <code>aws iam list-users</code> may be used to obtain a list of users in the current account while <code>aws iam list-roles</code> can obtain IAM roles that have a specified path prefix.(Citation: AWS List Roles)(Citation: AWS List Users) In GCP, <code>gcloud iam service-accounts list</code> and <code>gcloud projects get-iam-policy</code> may be used to obtain a listing of service accounts and users in a project.(Citation: Google Cloud - IAM Servie Accounts List API)


NIST 800-53 Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| IA-08 | Identification and Authentication (Non-Organizational Users) | mitigates | T1087.004 | Cloud Account | |
| IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1087.004 | Cloud Account | |
| AC-02 | Account Management | mitigates | T1087.004 | Cloud Account | |
| AC-03 | Access Enforcement | mitigates | T1087.004 | Cloud Account | |
| AC-05 | Separation of Duties | mitigates | T1087.004 | Cloud Account | |
| AC-06 | Least Privilege | mitigates | T1087.004 | Cloud Account | |

GCP Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| google_secops | Google Security Operations | technique_scores | T1087.004 | Cloud Account | Google Security Operations can trigger an alert based on command-line arguments and suspicious system processes that could indicate an adversary's account discovery techniques (e.g., "net user /domain", "C:\Windows\System32\net.exe", "C:\Windows\System32\query.exe"). This technique was scored as minimal based on a low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/account_discovery_activity_detector__sysmon_behavior.yaral |
| identity_and_access_management | Identity and Access Management | technique_scores | T1087.004 | Cloud Account | This control can be used to implement the least-privilege principle for account management and thereby limit the accounts that can be used for account discovery. This control receives a minimal score since it only covers one of the few sub-techniques. |
| identity_platform | Identity Platform | technique_scores | T1087.004 | Cloud Account | Identity Platform is a customer identity and access management (CIAM) platform that helps organizations add identity and access management functionality to their applications, protect user accounts, and scale with confidence on Google Cloud. With this, permissions to discover cloud accounts are limited in accordance with least privilege, and adversaries may be prevented from obtaining a listing of cloud accounts. |
| policy_intelligence | Policy Intelligence | technique_scores | T1087.004 | Cloud Account | This control can be used to limit permissions to discover cloud accounts in accordance with least-privilege principles, thereby limiting the accounts that can be used for account discovery. |
| resource_manager | Resource Manager | technique_scores | T1087.004 | Cloud Account | This control may mitigate adversaries that attempt to get a listing of cloud accounts, such as through calls to cloud APIs that perform account discovery. |
| resource_manager | Resource Manager | technique_scores | T1087.004 | Cloud Account | Adversaries may attempt to get a listing of cloud accounts that are created and configured by an organization or admin. IAM audit logging in GCP can be used to determine roles and permissions, along with routinely checking user permissions to ensure only the expected users have the ability to list IAM identities or otherwise discover cloud accounts. |
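The Resource Manager note above recommends IAM audit logging and routine checks of who can list identities, and the technique description names the CLI commands an adversary would run. The following is an added example, not code from this mapping page, from MITRE, or from any cloud vendor: it scans constructed AWS CloudTrail and GCP Cloud Audit Log records for the API calls behind <code>aws iam list-users</code>, <code>aws iam list-roles</code>, <code>gcloud iam service-accounts list</code> and <code>gcloud projects get-iam-policy</code>, and reports the calls made by principals outside an allow list. The allow list, the principals and every log record are constructed; the <code>eventName</code>, <code>serviceName</code> and <code>methodName</code> values are the ones these services are expected to emit and should be confirmed against a live record before the logic is deployed.

```python
"""Flag cloud account-discovery API calls in audit logs.

Added example for this mapping page (not vendor or project code). It
scans AWS CloudTrail and GCP Cloud Audit Log records for the API calls
behind the enumeration commands in the technique description and
reports the ones issued by principals outside an allow list. All
records, principals and the allow list below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# CloudTrail eventName values produced by `aws iam list-users` / `list-roles`.
# IAM List* calls are management events, which CloudTrail records by default.
AWS_DISCOVERY_EVENTS = {"ListUsers", "ListRoles"}

# (serviceName, methodName) pairs expected from `gcloud iam service-accounts list`
# and `gcloud projects get-iam-policy`. Both are ADMIN_READ data-access entries,
# so they only appear if Data Access audit logs are enabled for these services.
GCP_DISCOVERY_CALLS = {
    ("iam.googleapis.com", "google.iam.admin.v1.ListServiceAccounts"),
    ("cloudresourcemanager.googleapis.com", "GetIamPolicy"),
}


@dataclass(frozen=True)
class Finding:
    provider: str
    principal: str
    api_call: str
    time: str


def parse_cloudtrail(record: Dict) -> Optional[Finding]:
    """Return a Finding if the CloudTrail record is an IAM identity-listing call."""
    if record.get("eventSource") != "iam.amazonaws.com":
        return None
    name = record.get("eventName", "")
    if name not in AWS_DISCOVERY_EVENTS:
        return None
    ident = record.get("userIdentity", {})
    principal = ident.get("arn") or ident.get("principalId", "unknown")
    return Finding("aws", principal, name, record.get("eventTime", ""))


def parse_gcp_audit(entry: Dict) -> Optional[Finding]:
    """Return a Finding if the GCP entry lists service accounts or reads a project policy."""
    payload = entry.get("protoPayload", {})
    if payload.get("@type") != "type.googleapis.com/google.cloud.audit.AuditLog":
        return None
    call = (payload.get("serviceName", ""), payload.get("methodName", ""))
    if call not in GCP_DISCOVERY_CALLS:
        return None
    principal = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
    return Finding("gcp", principal, call[1], entry.get("timestamp", ""))


def discovery_calls(records: List[Dict]) -> List[Finding]:
    """Every identity-enumeration call in the records, regardless of who made it."""
    found = []
    for rec in records:
        f = parse_cloudtrail(rec) if "eventSource" in rec else parse_gcp_audit(rec)
        if f is not None:
            found.append(f)
    return found


def unexpected_discovery(records: List[Dict], allowed: Set[str]) -> List[Finding]:
    """Discovery calls by principals that are not expected to enumerate identities."""
    return [f for f in discovery_calls(records) if f.principal not in allowed]


# Constructed allow list: principals that legitimately enumerate identities,
# such as a scheduled IAM audit job.
ALLOWED_PRINCIPALS = {
    "arn:aws:sts::123456789012:assumed-role/IamAuditRole/audit-job",
    "iam-audit@example-project.iam.gserviceaccount.com",
}

# Constructed log records: two expected calls, two unexpected ones, and one
# single-object read (GetUser) that is not an enumeration.
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/IamAuditRole/audit-job"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListRoles",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor-dev"}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "GetUser",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor-dev"}},
    {"timestamp": "2024-01-01T10:10:00Z",
     "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
                      "serviceName": "iam.googleapis.com",
                      "methodName": "google.iam.admin.v1.ListServiceAccounts",
                      "authenticationInfo": {"principalEmail": "build-runner@example-project.iam.gserviceaccount.com"}}},
    {"timestamp": "2024-01-01T10:12:00Z",
     "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
                      "serviceName": "cloudresourcemanager.googleapis.com",
                      "methodName": "GetIamPolicy",
                      "authenticationInfo": {"principalEmail": "iam-audit@example-project.iam.gserviceaccount.com"}}},
]

if __name__ == "__main__":
    for f in unexpected_discovery(SAMPLE_RECORDS, ALLOWED_PRINCIPALS):
        print(f"{f.time} {f.provider}: {f.principal} called {f.api_call}")
```

On the constructed input the script reports the contractor's <code>ListRoles</code> call and the build runner's <code>ListServiceAccounts</code> call, while the audit job's calls are suppressed by the allow list. The allow list is the weak point of this approach: it should be derived from the same permission review the Resource Manager note describes, so that a principal is only expected to enumerate identities if it has been deliberately granted that permission.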

AWS Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| aws_organizations | AWS Organizations | technique_scores | T1087.004 | Cloud Account | This control may protect against cloud account discovery by segmenting accounts into separate organizational units and restricting access between groups to least privilege. |