
T1078.004 - Valid Accounts: Cloud Accounts

Description from ATT&CK

Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)

Service or user accounts may be targeted by adversaries through Brute Force, Phishing, or various other means to gain access to the environment. Federated or synced accounts may be a pathway for the adversary to affect both on-premises systems and cloud environments - for example, by leveraging shared credentials to log onto Remote Services. High privileged cloud accounts, whether federated, synced, or cloud-only, may also allow pivoting to on-premises environments by leveraging SaaS-based Software Deployment Tools to run commands on hybrid-joined devices.

An adversary may create long lasting Additional Cloud Credentials on a compromised cloud account to maintain persistence in the environment. Such credentials may also be used to bypass security controls such as multi-factor authentication.

Cloud accounts may also be able to assume Temporary Elevated Cloud Access or other privileges through various means within the environment. Misconfigurations in role assignments or role assumption policies may allow an adversary to use these mechanisms to leverage permissions outside the intended scope of the account. Such over privileged accounts may be used to harvest sensitive data from online storage accounts and databases through Cloud API or other methods. For example, in Azure environments, adversaries may target Azure Managed Identities, which allow associated Azure resources to request access tokens. By compromising a resource with an attached Managed Identity, such as an Azure VM, adversaries may be able to Steal Application Access Tokens to move laterally across the cloud environment.(Citation: SpecterOps Managed Identity 2022)

Atomic Tests


Atomic Test #1 - Creating GCP Service Account and Service Account Key

GCP service accounts can be used to gain initial access as well as to maintain persistence inside Google Cloud. This test creates a service account and then creates a user-managed key for it, writing the private key to a local JSON file that authenticates as the account from anywhere.

Supported Platforms: Google-workspace, Iaas:gcp

auto_generated_guid: 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| project-id | ID of the project in which to create the service account and its key | string | art-project-1 |
| service-account-name | Name of the service account | string | gcp-art-service-account-1 |
| service-account-email | Email of the service account | string | gcp-art-service-account-1@art-project-1.iam.gserviceaccount.com |
| output-key-file | Path of the JSON file the new private key is written to | string | gcp-art-service-account-1.json |

Attack Commands: Run with sh!

gcloud config set project #{project-id}
gcloud iam service-accounts create #{service-account-name}
gcloud iam service-accounts keys create #{output-key-file} --iam-account=#{service-account-email}

Cleanup Commands:

gcloud iam service-accounts delete #{service-account-email} --quiet

Dependencies: Run with sh!

Description: Requires gcloud
Check Prereq Commands:
if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
Description: Check if user is logged in
Check Prereq Commands:
if [ -n "$(gcloud config get-value account 2>/dev/null)" ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
gcloud auth login --no-launch-browser
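
Test #1 leaves behind exactly the artifact a defender should be hunting for: a user-managed key on a service account. The script below is an added example, not part of the Atomic Red Team project; it audits the JSON that `gcloud iam service-accounts keys list --iam-account=<email> --format=json` returns and flags user-managed keys that never expire, are older than a rotation window, or were uploaded rather than generated by Google. The key list and the fixed "now" timestamp are constructed for the example; only the field names (`keyType`, `keyOrigin`, `validAfterTime`, `validBeforeTime`, `name`) come from the real gcloud output.

```python
"""Audit user-managed service account keys from `gcloud ... keys list` output.

Added example (not part of the Atomic Red Team project). SAMPLE_KEYS_JSON is
constructed to mimic:
    gcloud iam service-accounts keys list --iam-account=<email> --format=json
"""
import json
from datetime import datetime, timezone
from typing import Dict, List

# Fixed "now" so the example is deterministic (assumption for the sample data).
NOW = datetime(2024, 11, 20, tzinfo=timezone.utc)
# Keys created with `gcloud iam service-accounts keys create` get this expiry
# unless the project sets a key-expiry org policy.
NEVER_EXPIRES_YEAR = 9999

SA = "gcp-art-service-account-1@art-project-1.iam.gserviceaccount.com"

# Constructed sample: one Google-managed key (rotated by Google), the key just
# created by the atomic above, and an old key whose material was uploaded.
SAMPLE_KEYS_JSON = json.dumps([
    {"keyAlgorithm": "KEY_ALG_RSA_2048", "keyOrigin": "GOOGLE_PROVIDED", "keyType": "SYSTEM_MANAGED",
     "name": f"projects/art-project-1/serviceAccounts/{SA}/keys/0a1b2c3d4e5f60718293a4b5c6d7e8f9",
     "validAfterTime": "2024-11-18T00:00:00Z", "validBeforeTime": "2024-12-04T00:00:00Z"},
    {"keyAlgorithm": "KEY_ALG_RSA_2048", "keyOrigin": "GOOGLE_PROVIDED", "keyType": "USER_MANAGED",
     "name": f"projects/art-project-1/serviceAccounts/{SA}/keys/1b2c3d4e5f60718293a4b5c6d7e8f90a",
     "validAfterTime": "2024-11-15T10:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"keyAlgorithm": "KEY_ALG_RSA_2048", "keyOrigin": "USER_PROVIDED", "keyType": "USER_MANAGED",
     "name": f"projects/art-project-1/serviceAccounts/{SA}/keys/2c3d4e5f60718293a4b5c6d7e8f90a1b",
     "validAfterTime": "2023-01-10T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
])


def parse_ts(value: str) -> datetime:
    """gcloud prints RFC 3339 UTC timestamps with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_keys(keys_json: str, now: datetime = NOW, max_age_days: int = 90) -> List[Dict]:
    """Return one finding per user-managed key, listing why it needs attention."""
    findings = []
    for key in json.loads(keys_json):
        if key.get("keyType") != "USER_MANAGED":
            # SYSTEM_MANAGED keys are rotated by Google and their private half
            # is never exposed, so they are not a credential an attacker walks off with.
            continue
        created = parse_ts(key["validAfterTime"])
        expires = parse_ts(key["validBeforeTime"])
        age_days = (now - created).days
        reasons = []
        if expires.year >= NEVER_EXPIRES_YEAR:
            reasons.append("never expires")
        if age_days > max_age_days:
            reasons.append(f"older than {max_age_days} days")
        if key.get("keyOrigin") == "USER_PROVIDED":
            reasons.append("key material generated outside Google (uploaded public key)")
        name = key["name"]
        findings.append({
            "service_account": name.split("/serviceAccounts/")[1].split("/")[0],
            "key_id": name.rsplit("/", 1)[-1],
            "age_days": age_days,
            "disabled": key.get("disabled", False),
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in audit_keys(SAMPLE_KEYS_JSON):
        print(f"{f['service_account']} key {f['key_id']} ({f['age_days']}d): {', '.join(f['reasons'])}")
```

Two caveats worth pairing with the atomic: the cleanup command deletes the service account, which also deletes its keys server-side, but the downloaded `#{output-key-file}` stays on the test machine and should be shredded by hand; and the preventive control for this whole test is the organization policy constraint `constraints/iam.disableServiceAccountKeyCreation`, which makes the `keys create` step fail outright.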


Atomic Test #2 - Azure Persistence Automation Runbook Created or Modified

Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment.

Supported Platforms: Iaas:azure

auto_generated_guid: 348f4d14-4bd3-4f6b-bd8a-61237f78b3ac

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| resource_group | Name of the resource group | string | ART-ResourceGroupName-T1078-004 |
| runbook_name | Name of the runbook | string | ART-RunbookName-T1078-004 |
| automation_account_name | Name of the automation account | string | ART-AutomationAccountName-T1078-004 |

Attack Commands: Run with powershell!

New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}

Cleanup Commands:

Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force
Remove-AzAutomationAccount -ResourceGroupName #{resource_group} -Name #{automation_account_name} -Force
Remove-AzResourceGroup -Name #{resource_group} -Force
echo "Cleanup should be completed. Run 'terraform destroy' to ensure remaining resources are also deleted."
cd "$PathToAtomicsFolder/T1078.004/src/T1078.004-2/"
terraform destroy -auto-approve

Dependencies: Run with powershell!

Description: Check if terraform is installed.
Check Prereq Commands:
terraform version
Get Prereq Commands:
echo "Please install terraform via https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli (URL accurate as of Nov. 15, 2024)."
Description: Check if Azure CLI and Azure PowerShell are installed.
  • Log in to Azure CLI with "az login" and to Azure PowerShell with "Connect-AzAccount". The two sessions are not shared; terraform uses the CLI login and the attack command uses the PowerShell context.
  • Azure PowerShell is used in this test because it offers better automation performance and error logging than Azure CLI.
Check Prereq Commands:
try {if ((Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) -and (Get-Command az -ErrorAction SilentlyContinue)) {exit 0} else {exit 1}} catch {exit 1}
Get Prereq Commands:
$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindowsx64 -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; Remove-Item .\AzureCLI.msi
Install-Module -Name Az -Repository PSGallery -Scope CurrentUser -Force
Description: Check if the user is logged into Azure.
Check Prereq Commands:
try {if (-not (Get-AzContext)) { exit 1 } else { exit 0 }} catch {exit 1}
Get Prereq Commands:
echo "* Configure your Azure account using: Connect-AzAccount"
Description: Create dependency resources using terraform
  • If the prereq check fails, navigate to T1078.004-2 with "cd $PathToAtomicsFolder/T1078.004/src/T1078.004-2/"
  • Open the "terraform.tfvars" file and fill in the variables with your desired values.
  • Re-run -GetPrereqs
Check Prereq Commands:
try {if (Test-Path "$PathToAtomicsFolder/T1078.004/src/T1078.004-2/terraform.tfstate" ){ exit 0 } else {exit 1}} catch {exit 1}
Get Prereq Commands:
echo "Navigating to: $PathToAtomicsFolder/T1078.004/src/T1078.004-2/"
cd "$PathToAtomicsFolder/T1078.004/src/T1078.004-2/"
terraform init
terraform apply -auto-approve


Atomic Test #3 - GCP - Create Custom IAM Role

This atomic creates a new custom IAM role. The default role permission is iam.serviceAccounts.get (IAM Service Account Get). The idea for this atomic came from a rule published by the Elastic team, whose description reads:

Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). Custom roles are user-defined, and allow for the bundling of one or more supported permissions to meet specific needs. Custom roles will not be updated automatically and could lead to privilege creep if not carefully scrutinized.

Reference: https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml

Supported Platforms: Iaas:gcp

auto_generated_guid: 3a159042-69e6-4398-9a69-3308a4841c85

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| project-id | ID of the GCP project to execute the command against | string | atomic-test-1 |
| role-name | Name (role ID) of the role to be created | string | AtomicRedTeamRole |
| role-description | Description of the role to be created | string | Atomic Red Team Custom IAM Role |
| roles | Comma-separated list of permissions to include in the role (passed to --permissions) | string | iam.serviceAccounts.get |

Attack Commands: Run with sh!

gcloud config set project #{project-id}
gcloud iam roles create #{role-name} --description="#{role-description}" --permissions=#{roles} --project=#{project-id}

Cleanup Commands:

gcloud iam roles delete #{role-name} --project=#{project-id}

Dependencies: Run with sh!

Description: Requires gcloud
Check Prereq Commands:
if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
Description: Check if user is logged in
Check Prereq Commands:
if [ -n "$(gcloud config get-value account 2>/dev/null)" ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
gcloud auth login --no-launch-browser
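
All three tests on this page are only useful if something fires when they run. The script below is an added example, not part of the Atomic Red Team project or the referenced Elastic rule; it is the detection side of Tests #1, #2 and #3 run over constructed log lines. The GCP entries follow the Cloud Audit Log LogEntry shape (`protoPayload.serviceName`, `protoPayload.methodName`, `protoPayload.authenticationInfo.principalEmail`, `protoPayload.status.code`) and the Azure entries follow the Activity Log shape (`operationName.value`, `status.value`, `caller`, `resourceId`). Principals, project IDs, subscription ID and timestamps in the samples are made up.

```python
"""Detect the API calls made by the three atomics above in cloud audit logs.

Added example (not part of the Atomic Red Team project). All log lines below are
constructed; they carry only the fields the detection reads.
"""
import json
from typing import Dict, Iterable, List, Optional

# Cloud Audit Log method names emitted by iam.googleapis.com. The API version
# segment ("v1") can change, so rules key on the trailing method name only.
GCP_RULES = {
    "CreateServiceAccount":    "T1078.004 #1: service account created",
    "CreateServiceAccountKey": "T1078.004 #1: user-managed service account key created",
    "CreateRole":              "T1078.004 #3: custom IAM role created",
    "UpdateRole":              "T1078.004 #3: custom IAM role modified",
}

# Azure Activity Log operation names, compared case-insensitively.
AZURE_RULES = {
    "microsoft.automation/automationaccounts/runbooks/write":
        "T1078.004 #2: automation runbook created or modified",
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ART-ResourceGroupName-T1078-004"
RUNBOOK = SUB + "/providers/Microsoft.Automation/automationAccounts/ART-AutomationAccountName-T1078-004/runbooks/ART-RunbookName-T1078-004"


def _gcp(method: str, principal: str, resource: str, ts: str, status_code: Optional[int] = None) -> str:
    """Build one constructed GCP audit log line (JSON)."""
    payload = {"serviceName": "iam.googleapis.com", "methodName": method,
               "authenticationInfo": {"principalEmail": principal}, "resourceName": resource}
    if status_code is not None:
        payload["status"] = {"code": status_code}
    return json.dumps({"timestamp": ts, "protoPayload": payload,
                       "logName": "projects/art-project-1/logs/cloudaudit.googleapis.com%2Factivity"})


def _azure(op: str, status: str, caller: str, resource_id: str, ts: str) -> str:
    """Build one constructed Azure Activity Log line (JSON)."""
    return json.dumps({"eventTimestamp": ts, "caller": caller, "resourceId": resource_id,
                       "operationName": {"value": op}, "status": {"value": status}})


SAMPLE_LOG_LINES = [
    _gcp("google.iam.admin.v1.CreateServiceAccount", "alice@example.com", "projects/art-project-1", "2024-11-15T10:00:00Z"),
    _gcp("google.iam.admin.v1.CreateServiceAccountKey", "alice@example.com", "projects/-/serviceAccounts/112233445566778899000", "2024-11-15T10:00:05Z"),
    _gcp("google.iam.admin.v1.GetServiceAccount", "alice@example.com", "projects/-/serviceAccounts/112233445566778899000", "2024-11-15T10:00:06Z"),
    _gcp("google.iam.admin.v1.CreateServiceAccountKey", "mallory@example.com", "projects/-/serviceAccounts/112233445566778899000", "2024-11-15T10:01:00Z", status_code=7),
    _gcp("google.iam.admin.v1.CreateRole", "alice@example.com", "projects/atomic-test-1/roles/AtomicRedTeamRole", "2024-11-15T10:02:00Z"),
    _azure("Microsoft.Automation/automationAccounts/runbooks/write", "Started", "bob@example.com", RUNBOOK, "2024-11-15T10:03:00Z"),
    _azure("Microsoft.Automation/automationAccounts/runbooks/write", "Succeeded", "bob@example.com", RUNBOOK, "2024-11-15T10:03:02Z"),
    _azure("Microsoft.Automation/automationAccounts/runbooks/read", "Succeeded", "bob@example.com", RUNBOOK, "2024-11-15T10:03:05Z"),
]


def detect_gcp(entry: Dict) -> Optional[Dict]:
    payload = entry.get("protoPayload", {})
    if payload.get("serviceName") != "iam.googleapis.com":
        return None
    # A failed call carries protoPayload.status.code != 0 (7 = PERMISSION_DENIED).
    # Denied attempts deserve their own "probing" rule; this one wants successes.
    if payload.get("status", {}).get("code", 0) != 0:
        return None
    rule = GCP_RULES.get(payload.get("methodName", "").rsplit(".", 1)[-1])
    if rule is None:
        return None
    return {"rule": rule, "cloud": "gcp", "time": entry.get("timestamp"),
            "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
            "resource": payload.get("resourceName")}


def detect_azure(entry: Dict) -> Optional[Dict]:
    rule = AZURE_RULES.get(entry.get("operationName", {}).get("value", "").lower())
    # A write is logged twice, first "Started" then "Succeeded"; alert once, on success.
    if rule is None or entry.get("status", {}).get("value") != "Succeeded":
        return None
    return {"rule": rule, "cloud": "azure", "time": entry.get("eventTimestamp"),
            "principal": entry.get("caller"), "resource": entry.get("resourceId")}


def detect(lines: Iterable[str]) -> List[Dict]:
    """Route each JSON log line to the matching cloud's detector and collect hits."""
    alerts = []
    for line in lines:
        entry = json.loads(line)
        hit = detect_gcp(entry) if "protoPayload" in entry else detect_azure(entry)
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG_LINES):
        print(f"{alert['time']} {alert['cloud']} {alert['principal']} -> {alert['rule']} ({alert['resource']})")
```

Running the atomics with this logic pointed at the real log sink gives a straightforward pass/fail for each test: #1 should produce the CreateServiceAccount and CreateServiceAccountKey hits, #3 the CreateRole hit, and #2 a single runbook write on the "Succeeded" event rather than two. The read-only GetServiceAccount call and the denied key creation are deliberately left unmatched so the sample also shows what the rules do not fire on.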