T1651 - Cloud Administration Command
Description from ATT&CK
Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. (Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)
If an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environment's virtual machines. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a Trusted Relationship to execute commands in connected virtual machines. (Citation: MSTIC Nobelium Oct 2021)
Atomic Tests
Atomic Test #1 - AWS Run Command (and Control)
This test simulates an adversary using the AWS Run Command service to execute commands on EC2 instances.
Supported Platforms: Iaas:aws
auto_generated_guid: a3cc9c95-c160-4b86-af6f-84fba87bfd30
Inputs:
Name | Description | Type | Default Value
---|---|---|---
access_key | AWS Access Key | string |
secret_key | AWS Secret Key | string |
session_token | AWS Session Token | string |
profile | AWS profile | string |
region | AWS region to deploy the EC2 instance | string | us-east-2
Attack Commands: Run with powershell

```powershell
Import-Module "PathToAtomicsFolder/T1651/src/T1651-1/AWSSSMAttack.ps1" -Force
$access_key = "#{access_key}"
$secret_key = "#{secret_key}"
$session_token = "#{session_token}"
$aws_profile = "#{profile}"
$region = "#{region}"
Set-AWSAuthentication -AccessKey $access_key -SecretKey $secret_key -SessionToken $session_token -AWSProfile $aws_profile -AWSRegion $region
Invoke-Terraform -TerraformCommand init -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1"
Invoke-Terraform -TerraformCommand apply -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1" -TerraformVariables @("profile=T1651-1", "region=$region")
Invoke-SSMAttack -AWSProfile "T1651-1" -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1"
Invoke-Terraform -TerraformCommand destroy -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1" -TerraformVariables @("profile=T1651-1", "region=$region")
```
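From the defender's side, the test above leaves an `ssm:SendCommand` call in CloudTrail. The following added example (not part of the Atomic Red Team test or the AWS tooling) scans CloudTrail records for Run Command invocations that use a command-execution document from a principal outside an assumed allowlist; the records, the `KNOWN_OPERATORS` allowlist and all account, instance and IP values are constructed for illustration.

```python
from typing import Iterable

# Constructed CloudTrail records (not real logs). Field names follow the
# CloudTrail schema for ssm:SendCommand; identifiers are placeholders.
SAMPLE_EVENTS = [
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "awsRegion": "us-east-2", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"},
     "requestParameters": {"documentName": "AWS-RunShellScript",
                           "instanceIds": ["i-0abc123def456"]}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "awsRegion": "us-east-2", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/T1651-1"},
     "requestParameters": {"documentName": "AWS-RunPowerShellScript",
                           "instanceIds": ["i-0fedcba987654"]}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "us-east-2", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"},
     "requestParameters": {}},
]

# SSM documents that run arbitrary shell/PowerShell on the target instance.
COMMAND_DOCUMENTS = {"AWS-RunShellScript", "AWS-RunPowerShellScript"}
# Assumed allowlist of principals expected to use Run Command in this account.
KNOWN_OPERATORS = {"ci-deploy"}


def principal_of(event: dict) -> str:
    """Best-effort principal label: IAM user name, else the caller ARN."""
    ident = event.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn") or "unknown"


def find_run_command_abuse(events: Iterable[dict]) -> list[dict]:
    """Return one alert per SendCommand call that uses a command-execution
    document and comes from a principal not on the allowlist."""
    alerts = []
    for ev in events:
        if ev.get("eventSource") != "ssm.amazonaws.com":
            continue
        if ev.get("eventName") != "SendCommand":
            continue
        params = ev.get("requestParameters") or {}
        doc = params.get("documentName", "")
        if doc not in COMMAND_DOCUMENTS:
            continue
        who = principal_of(ev)
        if who in KNOWN_OPERATORS:
            continue
        alerts.append({"principal": who, "document": doc,
                       "instances": list(params.get("instanceIds", [])),
                       "source_ip": ev.get("sourceIPAddress")})
    return alerts
```

In a real deployment the same logic would be fed from CloudTrail log files or a CloudWatch Logs subscription, and the allowlist would be replaced by the account's actual automation roles.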
Dependencies: Run with powershell

Description: The AWS PowerShell module must be installed.

Check Prereq Commands:

```powershell
try {if (Get-InstalledModule -Name AWSPowerShell -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
```

Get Prereq Commands:

```powershell
Install-Module -Name AWSPowerShell -Force
```

Description: Terraform must be installed.

Check Prereq Commands:

```powershell
terraform --version
```

Get Prereq Commands:

```powershell
Write-Host "Terraform is required. Download it from https://www.terraform.io/downloads.html"
```