Cloud Account

Information

• Name: Cloud Account

• ID: T1087.004

• Tactics: TA0007

• Technique: T1087

Introduction

Cloud Account Discovery (T1087.004) is a sub-technique within the MITRE ATT&CK framework under the Discovery tactic. Adversaries utilize this technique to enumerate and gather information about cloud accounts and resources that an organization possesses or manages. The primary objective of this sub-technique is to identify cloud-based resources, services, and user accounts that can be leveraged for further exploitation, privilege escalation, lateral movement, or persistence within cloud environments.

Deep Dive Into Technique

Cloud Account Discovery involves adversaries performing reconnaissance and enumeration activities to identify existing cloud accounts, resources, and services. Adversaries typically execute this sub-technique through several technical methods:

• Cloud Provider APIs and CLI Tools: Attackers commonly leverage cloud provider APIs (AWS, Azure, GCP, etc.) and command-line interface (CLI) tools to enumerate accounts, roles, permissions, and resources. Examples include:

  • AWS CLI (aws iam list-users, aws sts get-caller-identity)

  • Azure CLI (az account list, az ad user list)

  • GCP CLI (gcloud auth list, gcloud projects list)

• Web Console Access: Attackers who compromise user credentials may log into cloud provider web consoles to visually inspect accounts, roles, and resources. They may browse IAM dashboards, resource groups, or billing sections to identify sensitive accounts and resources.

• Enumeration of IAM Roles and Policies: Attackers inspect identity and access management (IAM) roles, policies, and permissions to determine what accounts have elevated privileges or access to critical cloud resources.

• Third-party Tools and Scripts: Attackers frequently employ scripts or third-party enumeration tools such as Scout Suite, Pacu, or CloudSploit to automate the enumeration of cloud accounts, resources, and configurations.

• Metadata Service Queries: Attackers may query cloud instance metadata services (e.g., AWS EC2 metadata, Azure Instance Metadata Service) to discover information about cloud accounts, roles, and permissions associated with specific instances.

When this Technique is Usually Used

Cloud Account Discovery typically occurs in multiple phases of an attack lifecycle:

• Initial Reconnaissance Phase:

  • Attackers may perform enumeration before launching targeted attacks to identify potential targets, cloud services, and user accounts.

  • Publicly exposed cloud resources or leaked credentials can facilitate initial reconnaissance.

• Post-Compromise Discovery Phase:

  • After initial access to cloud environments, attackers enumerate cloud accounts and resources to understand the scope and scale of the compromised environment.

  • Attackers identify privileged accounts, sensitive resources, and potential lateral movement targets.

• Privilege Escalation and Persistence:

  • Attackers use cloud account discovery to find accounts with elevated privileges or permissions that can be leveraged to escalate privileges or maintain persistent access.

• Data Exfiltration and Impact:

  • Attackers enumerate cloud accounts to identify resources containing sensitive data or critical infrastructure, facilitating targeted data exfiltration or disruption.

How this Technique is Usually Detected

Detection of Cloud Account Discovery relies on monitoring and analyzing cloud logs, IAM activity, and API calls. Common detection methods include:

• Cloud Provider Audit Logs:

  • AWS CloudTrail, Azure Activity Logs, GCP Cloud Audit Logs provide visibility into API calls and user activities.

  • Monitor for unusual enumeration-related API calls such as listing users, roles, groups, policies, or resources.

• Behavioral Analytics and Anomaly Detection:

  • Implement analytics to detect abnormal or excessive enumeration activity, unusual access patterns, or repeated failed attempts.

  • Tools such as AWS GuardDuty, Azure Sentinel, and GCP Security Command Center offer built-in anomaly detection capabilities.

• Cloud Access Security Brokers (CASBs):

  • CASB solutions monitor cloud environments for suspicious activities, excessive enumeration, or unauthorized access.

• Indicators of Compromise (IoCs):

  • Unusual or unexpected API calls:

    • aws iam list-users

    • aws iam list-roles

    • aws sts get-caller-identity

    • az account list

    • az ad user list

    • gcloud projects list

  • Excessive requests from unknown or suspicious IP addresses.

  • Unexpected or unauthorized access to cloud management consoles.

• Monitoring Instance Metadata Service Access:

  • Detect unauthorized or unexpected queries to instance metadata endpoints (e.g., AWS instance metadata service at 169.254.169.254).

Why it is Important to Detect This Technique

Early detection of Cloud Account Discovery is essential due to its potential impact on organizational security. Key reasons include:

• Preventing Privilege Escalation:

  • Early detection helps prevent adversaries from identifying privileged cloud accounts, reducing the risk of privilege escalation.

• Avoiding Lateral Movement:

  • Timely detection limits attackers' ability to identify resources and accounts for lateral movement within cloud environments.

• Reducing Data Exfiltration Risks:

  • Identifying enumeration activities early can prevent attackers from locating sensitive data or critical assets, reducing the risk of data exfiltration.

• Limiting Financial and Operational Impact:

  • Early detection and mitigation prevent attackers from causing financial damage (e.g., unauthorized resource usage, billing fraud) or operational disruptions.

• Compliance and Regulatory Requirements:

  • Detecting unauthorized enumeration activities helps organizations comply with regulatory standards (e.g., GDPR, HIPAA, PCI DSS), avoiding potential fines and legal consequences.

Examples

Real-world examples and scenarios involving Cloud Account Discovery include:

• Capital One Data Breach (2019):

  • Attackers exploited a misconfigured AWS environment and performed cloud account enumeration to identify IAM roles and permissions.

  • Tools and methods used included AWS CLI and metadata service queries.

  • Impact: Exposure of sensitive data from over 100 million customer accounts, resulting in significant financial and reputational damage.

• TeamTNT Cloud Attacks (2020-2021):

  • The TeamTNT group targeted cloud environments, performing enumeration of AWS accounts and resources using automated scripts.

  • Attackers leveraged AWS CLI commands (aws iam list-users, aws sts get-caller-identity) and metadata service queries.

  • Impact: Deployment of cryptocurrency mining malware, unauthorized resource usage, and financial losses.

• Crypto-mining Attacks on Kubernetes Clusters:

  • Attackers compromised Kubernetes clusters hosted on cloud providers, enumerated cloud accounts, and resources to identify additional targets for lateral movement.

  • Attackers employed automated scripts, cloud APIs, and metadata service queries.

  • Impact: Unauthorized cloud resource usage, increased billing costs, and operational disruptions.

• Pacu Framework Usage:

  • Pacu, an open-source AWS exploitation framework, provides automated enumeration modules (iam__enum_users_roles_policies_groups) to identify IAM users, roles, and policies.

  • Attackers frequently use Pacu for reconnaissance and enumeration in compromised AWS environments.

  • Impact: Identification of privileged accounts, facilitating further exploitation and data exfiltration.

These examples highlight the importance of detecting Cloud Account Discovery activities, proactively monitoring cloud environments, and implementing robust security controls to mitigate potential risks and impacts.