T1136.003 - Cloud Account#

Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)

Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.

Once an adversary has created a cloud account, they can then manipulate that account to ensure persistence and allow access to additional resources - for example, by adding Additional Cloud Credentials or assigning Additional Cloud Roles.

Atomic Tests#

Atomic Test #1 - AWS - Create a new IAM user#

Creates a new IAM user in AWS. Adversaries create new IAM users so that their malicious activity does not interrupt the normal functions of the compromised users and can remain undetected for a long time.

Supported Platforms: iaas:aws

Elevation Required (e.g. root or admin)

Dependencies: Run with sh!#

Description: Check if the ~/.aws/credentials file has a default profile configured#
Check Prereq Commands:#
grep "default" ~/.aws/credentials
Get Prereq Commands:#
echo Please install the aws-cli and configure your AWS default profile using: aws configure
Invoke-AtomicTest T1136.003 -TestNumbers 1 -GetPreReqs

Attack Commands: Run with sh#

aws iam create-user --user-name atomicredteam
Invoke-AtomicTest T1136.003 -TestNumbers 1

Cleanup:#

aws iam delete-user --user-name atomicredteam
Invoke-AtomicTest T1136.003 -TestNumbers 1 -Cleanup

Atomic Test #2 - Azure AD - Create a new user#

Creates a new user in Azure AD. Adversaries create new users so that their malicious activity does not interrupt the normal functions of the compromised users and can remain undetected for a long time. Note that the AzureAD PowerShell module this test relies on has been deprecated by Microsoft in favour of Microsoft Graph PowerShell; the test still runs where the module is installed.

Supported Platforms: azure-ad

Dependencies: Run with powershell!#

Description: Check if AzureAD PowerShell module is installed#
Check Prereq Commands:#
Get-InstalledModule -Name AzureAD
Get Prereq Commands:#
echo "use the following to install AzureAD PowerShell module - Install-Module -Name AzureAD -Scope CurrentUser -Repository PSGallery -Force"
Description: Update the userprincipalname to meet your requirements#
Check Prereq Commands:#
Update the input arguments so the userprincipalname value is accurate for your environment
Get Prereq Commands:#
echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"
Invoke-AtomicTest T1136.003 -TestNumbers 2 -GetPreReqs

Attack Commands: Run with powershell#

Connect-AzureAD
$userprincipalname = "atomicredteam@yourdomain.com"
$username = "atomicredteam"
$password = "reallylongcredential12345ART-ydsfghsdgfhsdgfhgsdhfg"
$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$PasswordProfile.Password = $password
New-AzureADUser -DisplayName $username -PasswordProfile $PasswordProfile -UserPrincipalName $userprincipalname -AccountEnabled $true -MailNickName $username
Invoke-AtomicTest T1136.003 -TestNumbers 2

Cleanup:#

Remove-AzureADUser -ObjectId "atomicredteam@yourdomain.com"
Invoke-AtomicTest T1136.003 -TestNumbers 2 -Cleanup

Atomic Test #3 - Azure AD - Create a new user via Azure CLI#

Creates a new user in Azure AD via the Azure CLI. Adversaries create new users so that their malicious activity does not interrupt the normal functions of the compromised users and can remain undetected for a long time.

Supported Platforms: azure-ad

Dependencies: Run with powershell!#

Description: Check if Azure CLI is installed and install manually#
Check Prereq Commands:#
az account list
Get Prereq Commands:#
echo "use the following to install the Azure CLI manually https://aka.ms/installazurecliwindows"
Description: Check if Azure CLI is installed and install via PowerShell#
Check Prereq Commands:#
az account list
Get Prereq Commands:#
echo "use the following to install the Azure CLI $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; Remove-Item .\AzureCLI.msi"
Description: Update the userprincipalname to meet your requirements#
Check Prereq Commands:#
Update the input arguments so the userprincipalname value is accurate for your environment
Get Prereq Commands:#
echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"
Invoke-AtomicTest T1136.003 -TestNumbers 3 -GetPreReqs

Attack Commands: Run with powershell#

az login
$userprincipalname = "atomicredteam@yourdomain.com"
$username = "atomicredteam"
$password = "reallylongcredential12345ART-ydsfghsdgfhsdgfhgsdhfg"
az ad user create --display-name $username --password $password --user-principal-name $userprincipalname
az ad user list --filter "displayname eq 'atomicredteam'"
Invoke-AtomicTest T1136.003 -TestNumbers 3

Cleanup:#

az ad user delete --id "atomicredteam@yourdomain.com"
Invoke-AtomicTest T1136.003 -TestNumbers 3 -Cleanup

Detection#

Collect usage logs from cloud user and administrator accounts (for example AWS CloudTrail and the Azure AD audit log) to identify unusual activity in the creation of new accounts and the assignment of roles to those accounts. A newly created account that is given credentials or a privileged role shortly afterwards is a stronger signal than either event on its own. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins.
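The following is an added detection example, not part of Atomic Red Team or of the MITRE description above. It correlates account creation with follow-on credential or role grants across both providers exercised by the tests (AWS CloudTrail `CreateUser`, Azure AD audit `Add user`), and implements the admin-baseline check from the last sentence. The log records are constructed and trimmed to the fields the check needs; the one-hour correlation window and the baseline of known admins are assumptions to tune per environment.

```python
"""Correlate cloud account creation with follow-on credential or role grants.

Added example for the detection guidance on this page; not Atomic Red Team
code. The CloudTrail and Azure AD audit records are constructed and trimmed
to the fields the check needs (field names follow the public schemas).
"""
from datetime import datetime, timedelta

# Constructed CloudTrail IAM events (no real account involved).
CLOUDTRAIL_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "atomicredteam"}},
    {"eventTime": "2024-05-01T10:00:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "atomicredteam"}},
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "atomicredteam",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    # A creation with no follow-on inside the window: not alerted by this check.
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"userName": "svc-backup"}},
]

# Constructed Azure AD audit records (Microsoft Graph directoryAudit shape, trimmed).
AZURE_AD_AUDIT = [
    {"activityDateTime": "2024-05-01T12:00:00Z", "activityDisplayName": "Add user",
     "initiatedBy": {"user": {"userPrincipalName": "admin@yourdomain.com"}},
     "targetResources": [{"userPrincipalName": "atomicredteam@yourdomain.com"}]},
    {"activityDateTime": "2024-05-01T12:02:00Z", "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "admin@yourdomain.com"}},
     "targetResources": [{"userPrincipalName": "atomicredteam@yourdomain.com",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Global Administrator\""}]}]},
]

# Account-creation actions, and the follow-on actions that hand the new account
# credentials or privileges (the "Additional Cloud Credentials / Roles" step).
CREATE_ACTIONS = {("aws", "CreateUser"), ("azure", "Add user")}
FOLLOW_ON_ACTIONS = {
    ("aws", "CreateAccessKey"), ("aws", "CreateLoginProfile"),
    ("aws", "AttachUserPolicy"), ("aws", "PutUserPolicy"), ("aws", "AddUserToGroup"),
    ("azure", "Add member to role"),
}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize(cloudtrail, azure_audit):
    """Flatten both sources into (time, provider, actor, action, target) tuples."""
    records = []
    for e in cloudtrail:
        if e.get("eventSource") != "iam.amazonaws.com":
            continue  # only IAM control-plane calls matter for this technique
        records.append((_ts(e["eventTime"]), "aws", e["userIdentity"]["arn"],
                        e["eventName"], e.get("requestParameters", {}).get("userName")))
    for e in azure_audit:
        upns = [t["userPrincipalName"] for t in e["targetResources"] if "userPrincipalName" in t]
        records.append((_ts(e["activityDateTime"]), "azure",
                        e["initiatedBy"]["user"]["userPrincipalName"],
                        e["activityDisplayName"], upns[0] if upns else None))
    return sorted(records, key=lambda r: r[0])


def created_then_privileged(records, window=timedelta(hours=1)):
    """Alert on each account creation followed within `window` by a credential or role grant."""
    alerts = []
    for created_at, prov, actor, action, target in records:
        if (prov, action) not in CREATE_ACTIONS:
            continue
        follow_on = [a for t, p, _, a, tgt in records
                     if p == prov and tgt == target and (p, a) in FOLLOW_ON_ACTIONS
                     and created_at <= t <= created_at + window]
        if follow_on:
            alerts.append({"provider": prov, "new_account": target,
                           "created_by": actor, "follow_on": follow_on})
    return alerts


def admins_over_baseline(current_admins, known_admins):
    """Admin-role holders absent from the reviewed baseline (the threshold check above)."""
    return sorted(set(current_admins) - set(known_admins))


if __name__ == "__main__":
    for alert in created_then_privileged(normalize(CLOUDTRAIL_EVENTS, AZURE_AD_AUDIT)):
        print(alert)
    print(admins_over_baseline(["alice", "atomicredteam"], ["alice"]))
```

Run against the constructed data, the check raises two alerts (the AWS `atomicredteam` user that received an access key and AdministratorAccess, and the Azure AD `atomicredteam@yourdomain.com` user added to Global Administrator) and stays silent on `svc-backup`, whose creation had no follow-on grant in the window. In production the same logic runs over CloudTrail and Azure AD audit exports; the follow-on action sets are the place to add provider events your environment cares about.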