Description
Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application.
With authenticated access there are several tools that can be used to find accounts. The Get-MsolRoleMember PowerShell cmdlet can be used to obtain account names given a role or permissions group in Office 365.(Citation: Microsoft msolrolemember)(Citation: GitHub Raindance) The Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command az ad user list will list all users within a domain.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)
The AWS command aws iam list-users may be used to obtain a list of users in the current account while aws iam list-roles can obtain IAM roles that have a specified path prefix.(Citation: AWS List Roles)(Citation: AWS List Users) In GCP, gcloud iam service-accounts list and gcloud projects get-iam-policy may be used to obtain a listing of service accounts and users in a project.(Citation: Google Cloud - IAM Servie Accounts List API)
Platforms
Mitigations (2)
AuditM1047
Routinely check user permissions to ensure only the expected users have the ability to list IAM identities or otherwise discover cloud accounts.
User Account ManagementM1018
Limit permissions to discover cloud accounts in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.
Threat Groups (2)
| ID | Group | Context |
|---|---|---|
| G1053 | Storm-0501 | [Storm-0501](https://attack.mitre.org/groups/G1053) has conducted enumeration of users, roles, and resources within victim Azure tenants using the too... |
| G0016 | APT29 | [APT29](https://attack.mitre.org/groups/G0016) has conducted enumeration of Azure AD accounts.(Citation: MSTIC Nobelium Oct 2021) |
Associated Software (3)
| ID | Name | Type | Context |
|---|---|---|---|
| S0684 | ROADTools | Tool | [ROADTools](https://attack.mitre.org/software/S0684) can enumerate Azure AD users.(Citation: Roadtools) |
| S0677 | AADInternals | Tool | [AADInternals](https://attack.mitre.org/software/S0677) can enumerate Azure AD users.(Citation: AADInternals Documentation) |
| S1091 | Pacu | Tool | [Pacu](https://attack.mitre.org/software/S1091) can enumerate IAM users, roles, and groups. (Citation: GitHub Pacu) |
References
- Amazon. (n.d.). List Roles. Retrieved August 11, 2020.
- Amazon. (n.d.). List Users. Retrieved August 11, 2020.
- Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active Directory Leaks via Azure. Retrieved October 6, 2019.
- Google. (2020, June 23). gcloud iam service-accounts list. Retrieved August 4, 2020.
- Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
- Microsoft. (n.d.). Get-MsolRoleMember. Retrieved October 6, 2019.
- Stringer, M.. (2018, November 21). RainDance. Retrieved October 6, 2019.
Frequently Asked Questions
What is T1087.004 (Cloud Account)?
T1087.004 is a MITRE ATT&CK technique named 'Cloud Account'. It belongs to the Discovery tactic(s). Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of reso...
How can T1087.004 be detected?
Detection of T1087.004 (Cloud Account) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1087.004?
There are 2 documented mitigations for T1087.004. Key mitigations include: Audit, User Account Management.
Which threat groups use T1087.004?
Known threat groups using T1087.004 include: Storm-0501, APT29.