Cloud Groups

Cloud Groups [T1069.003]

Information

Name: Cloud Groups
ID: T1069.003
Tactics: TA0007
Technique: T1069

Introduction

Cloud Groups (T1069.003) is a sub-technique within the MITRE ATT&CK framework, categorized under Discovery (T1069). This sub-technique specifically involves adversaries enumerating cloud-based user groups, roles, permissions, and associated identities within cloud environments. Attackers perform this enumeration to gain an understanding of the access controls, privilege structures, and the overall security posture of the targeted cloud environment. This information aids attackers in planning further exploitation, privilege escalation, lateral movement, or persistence within cloud infrastructures.

Deep Dive Into Technique

Cloud Groups enumeration involves attackers leveraging legitimate cloud provider APIs, command-line interfaces (CLIs), or SDKs to discover cloud user groups, roles, and permissions. Attackers commonly utilize compromised credentials or stolen API keys to interact with cloud services and perform enumeration activities.

Technical details and execution methods include:

Using Cloud Provider APIs and CLI Tools:
- Attackers frequently use cloud provider-specific command-line tools such as AWS CLI, Azure CLI, or Google Cloud SDK.
- Commands such as aws iam list-groups, az ad group list, or gcloud iam groups list are commonly executed to enumerate groups and roles.
Leveraging Compromised Credentials:
- Attackers typically use compromised or stolen credentials with sufficient privileges to enumerate cloud groups.
- Low-privilege credentials might provide limited enumeration capabilities; attackers often seek credentials with IAM read-only or administrative privileges.
Automated Enumeration Scripts and Tools:
- Attackers may utilize open-source scripts, tools, or custom-built automation to quickly and systematically enumerate cloud groups and roles.
- Tools such as Pacu, ScoutSuite, CloudMapper, or Prowler can facilitate enumeration and reconnaissance processes.
Cloud Provider Web Consoles:
- Attackers may manually inspect cloud provider web interfaces to enumerate groups, roles, and permissions.
- This approach is less common due to higher risk of detection and logging.

When this Technique is Usually Used

Cloud Groups enumeration typically occurs in multiple stages of an attack lifecycle, including:

Initial Reconnaissance:
- Attackers enumerate cloud groups early in the attack to identify potential targets, privileged users, and roles within the environment.
Privilege Escalation:
- Attackers enumerate cloud groups to find roles or permissions that can be exploited to escalate privileges or gain administrative access.
Lateral Movement:
- Enumeration of cloud groups provides attackers with insight into potential lateral movement pathways by identifying groups with cross-account or cross-resource access.
Persistence:
- Attackers identify groups or roles that enable persistent or stealthy access to cloud environments.
Preparation for Data Exfiltration:
- Enumeration helps attackers identify groups or roles with access to sensitive data stores, databases, or storage buckets.

How this Technique is Usually Detected

Detection of Cloud Groups enumeration can be performed through various methods, tools, and indicators of compromise (IoCs):

Cloud Audit Logs and Monitoring:
- Monitoring cloud provider audit logs (e.g., AWS CloudTrail, Azure Activity Logs, Google Cloud Audit Logs) for unusual enumeration commands or API calls.
- Look for repeated or frequent enumeration commands (ListGroups, ListRoles, DescribeGroup) executed from unusual source IP addresses or user accounts.
Behavioral Anomaly Detection:
- Implementing behavioral analytics to detect unusual enumeration patterns, such as sudden spikes in IAM-related API calls or enumeration commands.
- Detecting enumeration attempts from atypical geographic regions, IP addresses, or user accounts.
User and Entity Behavior Analytics (UEBA):
- Leveraging UEBA solutions to detect abnormal user activity, privilege escalation attempts, or unusual reconnaissance behaviors.
Cloud Security Posture Management (CSPM) Tools:
- CSPM tools (such as Prisma Cloud, CloudGuard, or Orca Security) can detect unusual IAM enumeration activities and alert security teams.
Indicators of Compromise (IoCs):
- Sudden increase in IAM enumeration API calls (ListGroups, ListRoles, DescribeGroup).
- Enumeration commands originating from new or unauthorized IP addresses.
- Enumeration activity occurring outside of normal business hours or from geographically unusual locations.

Why it is Important to Detect This Technique

Early detection of Cloud Groups enumeration is critical due to its role in enabling attackers to escalate privileges, conduct lateral movement, and gain persistent access. Impacts and importance of detection include:

Privilege Escalation Risk:
- Attackers use enumeration results to identify privileged roles or groups, enabling them to escalate privileges and gain administrative control over cloud resources.
Lateral Movement Facilitation:
- Enumeration provides attackers insights into cross-account or cross-resource access, enabling lateral movement within cloud environments.
Data Exfiltration Risk:
- Attackers identify groups or roles with access to sensitive data, increasing the likelihood of successful data theft or exfiltration.
Persistent Access and Long-Term Compromise:
- Enumeration helps attackers identify groups or roles suitable for persistent access, potentially allowing prolonged compromise.
Compliance and Regulatory Impact:
- Failure to detect enumeration activities can lead to compliance violations, regulatory fines, and reputational damage.

Early detection enables rapid response, containment, and remediation, significantly reducing the potential impact of cloud-based attacks.

Examples

Real-world examples of Cloud Groups enumeration include:

Capital One Breach (2019):
- Attack Scenario:
  - Attacker exploited misconfigured AWS IAM roles and permissions to enumerate cloud groups and roles.
  - Leveraged enumeration results to escalate privileges and gain access to sensitive data stored in AWS S3 buckets.
- Tools/Methods:
  - AWS CLI and custom scripts used for enumeration.
- Impact:
  - Exposure of personal data of over 100 million customers.
  - Significant financial and reputational damage.
TeamTNT Cloud Enumeration Campaign (2020-2021):
- Attack Scenario:
  - TeamTNT attackers used automated scripts to enumerate cloud IAM groups and roles across compromised AWS environments.
  - Enumeration results were used to identify privileged roles and escalate privileges.
- Tools/Methods:
  - Pacu framework, custom scripts, and AWS CLI.
- Impact:
  - Unauthorized cryptocurrency mining, lateral movement, and persistent access to cloud environments.
Unit 42 Cloud Threat Report Findings (2022):
- Attack Scenario:
  - Attackers systematically enumerated cloud IAM groups to identify misconfigured or overly permissive roles.
  - Enumeration results enabled attackers to escalate privileges and compromise sensitive cloud resources.
- Tools/Methods:
  - ScoutSuite, CloudMapper, and custom enumeration scripts.
- Impact:
  - Data breaches, unauthorized resource usage, and persistent compromise of cloud environments.

Last updated 10 days ago

Was this helpful?

Introduction

Deep Dive Into Technique

Technical details and execution methods include:

Using Cloud Provider APIs and CLI Tools:

Attackers frequently use cloud provider-specific command-line tools such as AWS CLI, Azure CLI, or Google Cloud SDK.
Commands such as aws iam list-groups, az ad group list, or gcloud iam groups list are commonly executed to enumerate groups and roles.

Leveraging Compromised Credentials:

Attackers typically use compromised or stolen credentials with sufficient privileges to enumerate cloud groups.
Low-privilege credentials might provide limited enumeration capabilities; attackers often seek credentials with IAM read-only or administrative privileges.

Automated Enumeration Scripts and Tools:

Attackers may utilize open-source scripts, tools, or custom-built automation to quickly and systematically enumerate cloud groups and roles.
Tools such as Pacu, ScoutSuite, CloudMapper, or Prowler can facilitate enumeration and reconnaissance processes.

Cloud Provider Web Consoles:

Attackers may manually inspect cloud provider web interfaces to enumerate groups, roles, and permissions.
This approach is less common due to higher risk of detection and logging.

When this Technique is Usually Used

Cloud Groups enumeration typically occurs in multiple stages of an attack lifecycle, including:

Initial Reconnaissance:

Attackers enumerate cloud groups early in the attack to identify potential targets, privileged users, and roles within the environment.

Privilege Escalation:

Attackers enumerate cloud groups to find roles or permissions that can be exploited to escalate privileges or gain administrative access.

Lateral Movement:

Enumeration of cloud groups provides attackers with insight into potential lateral movement pathways by identifying groups with cross-account or cross-resource access.

Persistence:

Attackers identify groups or roles that enable persistent or stealthy access to cloud environments.

Preparation for Data Exfiltration:

Enumeration helps attackers identify groups or roles with access to sensitive data stores, databases, or storage buckets.

How this Technique is Usually Detected

Detection of Cloud Groups enumeration can be performed through various methods, tools, and indicators of compromise (IoCs):

Cloud Audit Logs and Monitoring:

Monitoring cloud provider audit logs (e.g., AWS CloudTrail, Azure Activity Logs, Google Cloud Audit Logs) for unusual enumeration commands or API calls.
Look for repeated or frequent enumeration commands (ListGroups, ListRoles, DescribeGroup) executed from unusual source IP addresses or user accounts.

Behavioral Anomaly Detection:

Implementing behavioral analytics to detect unusual enumeration patterns, such as sudden spikes in IAM-related API calls or enumeration commands.
Detecting enumeration attempts from atypical geographic regions, IP addresses, or user accounts.

User and Entity Behavior Analytics (UEBA):

Leveraging UEBA solutions to detect abnormal user activity, privilege escalation attempts, or unusual reconnaissance behaviors.

Cloud Security Posture Management (CSPM) Tools:

CSPM tools (such as Prisma Cloud, CloudGuard, or Orca Security) can detect unusual IAM enumeration activities and alert security teams.

Indicators of Compromise (IoCs):

Sudden increase in IAM enumeration API calls (ListGroups, ListRoles, DescribeGroup).
Enumeration commands originating from new or unauthorized IP addresses.
Enumeration activity occurring outside of normal business hours or from geographically unusual locations.

Why it is Important to Detect This Technique

Privilege Escalation Risk:

Attackers use enumeration results to identify privileged roles or groups, enabling them to escalate privileges and gain administrative control over cloud resources.

Lateral Movement Facilitation:

Enumeration provides attackers insights into cross-account or cross-resource access, enabling lateral movement within cloud environments.

Data Exfiltration Risk:

Attackers identify groups or roles with access to sensitive data, increasing the likelihood of successful data theft or exfiltration.

Persistent Access and Long-Term Compromise:

Enumeration helps attackers identify groups or roles suitable for persistent access, potentially allowing prolonged compromise.

Compliance and Regulatory Impact:

Failure to detect enumeration activities can lead to compliance violations, regulatory fines, and reputational damage.

Early detection enables rapid response, containment, and remediation, significantly reducing the potential impact of cloud-based attacks.

Examples

Real-world examples of Cloud Groups enumeration include:

Capital One Breach (2019):

Attack Scenario:
- Attacker exploited misconfigured AWS IAM roles and permissions to enumerate cloud groups and roles.
- Leveraged enumeration results to escalate privileges and gain access to sensitive data stored in AWS S3 buckets.
Tools/Methods:
- AWS CLI and custom scripts used for enumeration.
Impact:
- Exposure of personal data of over 100 million customers.
- Significant financial and reputational damage.

TeamTNT Cloud Enumeration Campaign (2020-2021):

Attack Scenario:
- TeamTNT attackers used automated scripts to enumerate cloud IAM groups and roles across compromised AWS environments.
- Enumeration results were used to identify privileged roles and escalate privileges.
Tools/Methods:
- Pacu framework, custom scripts, and AWS CLI.
Impact:
- Unauthorized cryptocurrency mining, lateral movement, and persistent access to cloud environments.

Unit 42 Cloud Threat Report Findings (2022):

Attack Scenario:
- Attackers systematically enumerated cloud IAM groups to identify misconfigured or overly permissive roles.
- Enumeration results enabled attackers to escalate privileges and compromise sensitive cloud resources.
Tools/Methods:
- ScoutSuite, CloudMapper, and custom enumeration scripts.
Impact:
- Data breaches, unauthorized resource usage, and persistent compromise of cloud environments.