Account Discovery: Облачная учетная запись
Other sub-techniques of Account Discovery (4)
Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application.
With authenticated access there are several tools that can be used to find accounts. The Get-MsolRoleMember PowerShell cmdlet can be used to obtain account names given a role or permissions group in Office 365.(Citation: Microsoft msolrolemember)(Citation: GitHub Raindance) The Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command az ad user list will list all users within a domain.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)
The AWS command aws iam list-users may be used to obtain a list of users in the current account while aws iam list-roles can obtain IAM roles that have a specified path prefix.(Citation: AWS List Roles)(Citation: AWS List Users) In GCP, gcloud iam service-accounts list and gcloud projects get-iam-policy may be used to obtain a listing of service accounts and users in a project.(Citation: Google Cloud - IAM Servie Accounts List API)
Примеры процедур |
|
| Название | Описание |
|---|---|
| ROADTools |
ROADTools can enumerate Azure AD users.(Citation: Roadtools) |
| AADInternals |
AADInternals can enumerate Azure AD users.(Citation: AADInternals Documentation) |
| APT29 |
APT29 has conducted enumeration of Azure AD accounts.(Citation: MSTIC Nobelium Oct 2021) |
Контрмеры |
|
| Контрмера | Описание |
|---|---|
| Audit |
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. |
| User Account Management |
Manage the creation, modification, use, and permissions associated to user accounts. |
Обнаружение
Monitor processes, command-line arguments, and logs for actions that could be taken to gather information about cloud accounts, including the use of calls to cloud APIs that perform account discovery. System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Ссылки
- Google. (2020, June 23). gcloud iam service-accounts list. Retrieved August 4, 2020.
- Amazon. (n.d.). List Users. Retrieved August 11, 2020.
- Amazon. (n.d.). List Roles. Retrieved August 11, 2020.
- Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active Directory Leaks via Azure. Retrieved October 6, 2019.
- Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
- Stringer, M.. (2018, November 21). RainDance. Retrieved October 6, 2019.
- Microsoft. (n.d.). Get-MsolRoleMember. Retrieved October 6, 2019.
- Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022.
- Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 18, 2022.
- Dirk-jan Mollema. (2020, April 16). Introducing ROADtools - The Azure AD exploration framework. Retrieved January 31, 2022.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.