
T1651 - Cloud Administration Command

Description from ATT&CK

Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. (Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)

If an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environment’s virtual machines. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a Trusted Relationship to execute commands in connected virtual machines.(Citation: MSTIC Nobelium Oct 2021)

Atomic Tests


Atomic Test #1 - AWS Run Command (and Control)

This test simulates an adversary using the AWS Run Command service to execute commands on EC2 instances.

Supported Platforms: Iaas:aws

auto_generated_guid: a3cc9c95-c160-4b86-af6f-84fba87bfd30

Inputs:

| Name | Description | Type | Default Value |
| --- | --- | --- | --- |
| access_key | AWS Access Key | string | |
| secret_key | AWS Secret Key | string | |
| session_token | AWS Session Token | string | |
| profile | AWS profile | string | |
| region | AWS region to deploy the EC2 instance | string | us-east-2 |

Attack Commands: Run with powershell!

```powershell
Import-Module "PathToAtomicsFolder/T1651/src/T1651-1/AWSSSMAttack.ps1" -Force
$access_key = "#{access_key}"
$secret_key = "#{secret_key}"
$session_token = "#{session_token}"
$aws_profile = "#{profile}"
$region = "#{region}"
Set-AWSAuthentication -AccessKey $access_key -SecretKey $secret_key -SessionToken $session_token -AWSProfile $aws_profile -AWSRegion $region
Invoke-Terraform -TerraformCommand init -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1"
Invoke-Terraform -TerraformCommand apply -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1" -TerraformVariables @("profile=T1651-1", "region=$region")
Invoke-SSMAttack -AWSProfile "T1651-1" -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1"
Invoke-Terraform -TerraformCommand destroy -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1" -TerraformVariables @("profile=T1651-1", "region=$region")
```
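The technique in the ATT&CK description and the test above both come down to an AWS Systems Manager SendCommand API call against one or more instances. The following is an added detection example (not Atomic Red Team code) that a defender can run against CloudTrail output after executing the test to confirm the activity was logged: it reads newline-delimited CloudTrail records, keeps only SSM SendCommand events, and rates them higher when the SSM document executes arbitrary shell or PowerShell (AWS-RunShellScript, AWS-RunPowerShellScript) or when the caller's account differs from the account receiving the call, which is how the delegated-administrator path looks in the log. It assumes CloudTrail management-event logging is enabled and uses the standard CloudTrail field names; the sample records are constructed for the example.

```python
"""Flag AWS Systems Manager Run Command invocations in CloudTrail records.

Added example, not part of Atomic Red Team. Assumes CloudTrail logs SSM
management events with eventSource "ssm.amazonaws.com" (the standard layout).
"""
import json
from typing import Dict, Iterable, List, Optional

# SSM documents that run arbitrary shell or PowerShell on the instance.
INTERACTIVE_SHELL_DOCUMENTS = {"AWS-RunShellScript", "AWS-RunPowerShellScript"}


def classify_event(record: Dict) -> Optional[Dict]:
    """Return an alert for an SSM SendCommand record, or None for anything else."""
    if record.get("eventSource") != "ssm.amazonaws.com":
        return None
    if record.get("eventName") != "SendCommand":
        return None
    params = record.get("requestParameters") or {}
    identity = record.get("userIdentity") or {}
    document = params.get("documentName", "")
    # The caller's account differs from the account that received the call:
    # the command arrived through a cross-account role, i.e. a trusted
    # relationship such as a delegated administrator.
    caller_account = identity.get("accountId")
    cross_account = (caller_account is not None
                     and caller_account != record.get("recipientAccountId"))
    severity = ("high" if document in INTERACTIVE_SHELL_DOCUMENTS or cross_account
                else "medium")
    return {
        "time": record.get("eventTime"),
        "principal": identity.get("arn"),
        "identity_type": identity.get("type"),
        "source_ip": record.get("sourceIPAddress"),
        "document": document,
        "instances": list(params.get("instanceIds") or []),
        "cross_account": cross_account,
        "severity": severity,
    }


def scan_cloudtrail(lines: Iterable[str]) -> List[Dict]:
    """Parse newline-delimited CloudTrail records and collect SendCommand alerts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed line rather than abort the whole scan
        alert = classify_event(record)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample records (not real CloudTrail output), one JSON object per line.
SAMPLE_LOG = """
{"eventTime":"2024-01-01T10:00:00Z","eventSource":"ssm.amazonaws.com","eventName":"SendCommand","recipientAccountId":"111111111111","userIdentity":{"type":"IAMUser","accountId":"111111111111","arn":"arn:aws:iam::111111111111:user/ops-admin"},"sourceIPAddress":"198.51.100.10","requestParameters":{"documentName":"AWS-RunShellScript","instanceIds":["i-0123456789abcdef0"]}}
{"eventTime":"2024-01-01T10:01:00Z","eventSource":"ssm.amazonaws.com","eventName":"SendCommand","recipientAccountId":"111111111111","userIdentity":{"type":"AssumedRole","accountId":"222222222222","arn":"arn:aws:sts::222222222222:assumed-role/PartnerAdmin/session"},"sourceIPAddress":"203.0.113.5","requestParameters":{"documentName":"AWS-UpdateSSMAgent","instanceIds":["i-0fedcba9876543210"]}}
{"eventTime":"2024-01-01T10:02:00Z","eventSource":"ssm.amazonaws.com","eventName":"SendCommand","recipientAccountId":"111111111111","userIdentity":{"type":"IAMUser","accountId":"111111111111","arn":"arn:aws:iam::111111111111:user/patching"},"sourceIPAddress":"198.51.100.12","requestParameters":{"documentName":"AWS-UpdateSSMAgent","instanceIds":["i-0123456789abcdef0"]}}
{"eventTime":"2024-01-01T10:03:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","recipientAccountId":"111111111111","userIdentity":{"type":"IAMUser","accountId":"111111111111","arn":"arn:aws:iam::111111111111:user/reader"},"sourceIPAddress":"198.51.100.11","requestParameters":{}}
"""

if __name__ == "__main__":
    for alert in scan_cloudtrail(SAMPLE_LOG.splitlines()):
        print(json.dumps(alert))
```

Real CloudTrail files delivered to S3 are gzipped JSON with the events under a top-level `Records` array, so in practice you would pass `json.dumps(r)` for each element of that array (or feed the records to `classify_event` directly) instead of the newline-delimited sample; the severity logic does not change. Tuning the allowlist of expected automation principals and SSM documents is what turns this from a demonstration into a usable rule.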

Dependencies: Run with powershell!

Description: The AWS PowerShell module must be installed.
Check Prereq Commands:
```powershell
try {if (Get-InstalledModule -Name AWSPowerShell -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
```
Get Prereq Commands:
```powershell
Install-Module -Name AWSPowerShell -Force
```

Description: Terraform must be installed.
Check Prereq Commands:
```powershell
terraform --version
```
Get Prereq Commands:
```powershell
Write-Host "Terraform is required. Download it from https://www.terraform.io/downloads.html"
```