Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Technique Cloud Service Discovery
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
RU
Риски
Каталоги
MITRE ATT&CK
Техника
Cloud Service Discovery
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Cloud Service Discovery

An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API) Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)

ID: T1526
Tactic(s): Discovery
Platforms: Azure AD, Google Workspace, IaaS, Office 365, SaaS
Permissions Required: User
Data Sources: Cloud Service: Cloud Service Enumeration
Version: 1.2
Created: 30 Aug 2019
Last Modified: 16 Mar 2021

Procedure Examples
Name Description
AADInternals

AADInternals can enumerate information about a variety of cloud services, such as Office 365 and Sharepoint instances or OpenID Configurations.(Citation: AADInternals Documentation)
ROADTools

ROADTools can enumerate Azure AD applications and service principals.(Citation: Roadtools)

Detection

Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained. Normal, benign system and network events that look like cloud service discovery may be uncommon, depending on the environment and how they are used. Monitor cloud service usage for anomalous behavior that may indicate adversarial presence within the environment.

References

  1. Rhino Security Labs. (2019, August 22). Pacu. Retrieved October 17, 2019.
  2. Microsoft. (2020). Azure Stormspotter GitHub. Retrieved June 17, 2020.
  3. Microsoft. (2016, March 26). Operations overview | Graph API concepts. Retrieved June 18, 2020.
  4. Microsoft. (2019, May 20). Azure Resource Manager. Retrieved June 17, 2020.
  5. Dirk-jan Mollema. (2020, April 16). Introducing ROADtools - The Azure AD exploration framework. Retrieved January 31, 2022.
  6. Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 18, 2022.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.