Skip to primary navigation
Skip to content
Skip to footer
Atomic Red Team
Learn More
Atomics
Newsletter
Join the Slack
Toggle search
Toggle menu
IaaS Atomic Tests by ATT&CK Tactic & Technique
defense-evasion
T1578.004 Revert Cloud Instance
CONTRIBUTE A TEST
T1578 Modify Cloud Compute Infrastructure
CONTRIBUTE A TEST
T1562 Impair Defenses
CONTRIBUTE A TEST
T1550 Use Alternate Authentication Material
CONTRIBUTE A TEST
T1556.007 Hybrid Identity
CONTRIBUTE A TEST
T1535 Unused/Unsupported Cloud Regions
CONTRIBUTE A TEST
T1078.001 Valid Accounts: Default Accounts
CONTRIBUTE A TEST
T1548 Abuse Elevation Control Mechanism
CONTRIBUTE A TEST
T1548.005 Temporary Elevated Cloud Access
CONTRIBUTE A TEST
T1578.003 Delete Cloud Instance
CONTRIBUTE A TEST
T1562.007 Disable or Modify Cloud Firewall
CONTRIBUTE A TEST
T1562.001 Impair Defenses: Disable or Modify Tools
Atomic Test #46: AWS - GuardDuty Suspension or Deletion [iaas:aws]
T1078 Valid Accounts
CONTRIBUTE A TEST
T1556.006 Multi-Factor Authentication
CONTRIBUTE A TEST
T1550.004 Web Session Cookie
CONTRIBUTE A TEST
T1578.005 Modify Cloud Compute Configurations
CONTRIBUTE A TEST
T1562.008 Impair Defenses: Disable Cloud Logs
Atomic Test #1: AWS - CloudTrail Changes [iaas:aws]
Atomic Test #2: Azure - Eventhub Deletion [iaas:azure]
Atomic Test #4: AWS - Disable CloudTrail Logging Through Event Selectors using Stratus [linux, macos, iaas:aws]
Atomic Test #5: AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus [linux, macos, iaas:aws]
Atomic Test #6: AWS - Remove VPC Flow Logs using Stratus [linux, macos, iaas:aws]
Atomic Test #7: AWS - CloudWatch Log Group Deletes [iaas:aws]
Atomic Test #8: AWS CloudWatch Log Stream Deletes [iaas:aws]
Atomic Test #10: GCP - Delete Activity Event Log [iaas:gcp]
T1556.009 Conditional Access Policies
CONTRIBUTE A TEST
T1578.002 Create Cloud Instance
CONTRIBUTE A TEST
T1578.001 Create Snapshot
CONTRIBUTE A TEST
T1550.001 Application Access Token
CONTRIBUTE A TEST
T1078.004 Valid Accounts: Cloud Accounts
Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
Atomic Test #3: GCP - Create Custom IAM Role [iaas:gcp]
T1556 Modify Authentication Process
CONTRIBUTE A TEST
T1211 Exploitation for Defense Evasion
CONTRIBUTE A TEST
credential-access
T1110.001 Brute Force: Password Guessing
CONTRIBUTE A TEST
T1552.005 Unsecured Credentials: Cloud Instance Metadata API
Atomic Test #2: Azure - Dump Azure Instance Metadata from Virtual Machines [iaas:azure]
T1606.002 Forge Web Credentials: SAML token
CONTRIBUTE A TEST
T1040 Network Sniffing
CONTRIBUTE A TEST
T1555 Credentials from Password Stores
CONTRIBUTE A TEST
T1552 Unsecured Credentials
Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos, iaas:aws]
T1556.007 Hybrid Identity
CONTRIBUTE A TEST
T1110.003 Brute Force: Password Spraying
Atomic Test #9: AWS - Password Spray an AWS using GoAWSConsoleSpray [iaas:aws]
T1552.001 Unsecured Credentials: Credentials In Files
CONTRIBUTE A TEST
T1606.001 Web Cookies
CONTRIBUTE A TEST
T1606 Forge Web Credentials
CONTRIBUTE A TEST
T1621 Multi-Factor Authentication Request Generation
CONTRIBUTE A TEST
T1110 Brute Force
CONTRIBUTE A TEST
T1110.004 Brute Force: Credential Stuffing
CONTRIBUTE A TEST
T1556.006 Multi-Factor Authentication
CONTRIBUTE A TEST
T1556.009 Conditional Access Policies
CONTRIBUTE A TEST
T1555.006 Cloud Secrets Management Stores
CONTRIBUTE A TEST
T1556 Modify Authentication Process
CONTRIBUTE A TEST
impact
T1498.001 Direct Network Flood
CONTRIBUTE A TEST
T1491.002 External Defacement
CONTRIBUTE A TEST
T1499.003 Application Exhaustion Flood
CONTRIBUTE A TEST
T1499.004 Application or System Exploitation
CONTRIBUTE A TEST
T1498.002 Reflection Amplification
CONTRIBUTE A TEST
T1499.002 Service Exhaustion Flood
CONTRIBUTE A TEST
T1491 Defacement
CONTRIBUTE A TEST
T1486 Data Encrypted for Impact
CONTRIBUTE A TEST
T1499 Endpoint Denial of Service
CONTRIBUTE A TEST
T1496 Resource Hijacking
CONTRIBUTE A TEST
T1485 Data Destruction
Atomic Test #4: GCP - Delete Bucket [iaas:gcp]
T1498 Network Denial of Service
CONTRIBUTE A TEST
T1490 Inhibit System Recovery
CONTRIBUTE A TEST
discovery
T1069 Permission Groups Discovery
CONTRIBUTE A TEST
T1069.003 Cloud Groups
CONTRIBUTE A TEST
T1040 Network Sniffing
CONTRIBUTE A TEST
T1082 System Information Discovery
CONTRIBUTE A TEST
T1580 Cloud Infrastructure Discovery
Atomic Test #1: AWS - EC2 Enumeration from Cloud Instance [linux, macos, iaas:aws]
Atomic Test #2: AWS - EC2 Security Group Enumeration [iaas:aws]
T1087 Account Discovery
CONTRIBUTE A TEST
T1049 System Network Connections Discovery
CONTRIBUTE A TEST
T1619 Cloud Storage Object Discovery
Atomic Test #1: AWS S3 Enumeration [iaas:aws]
T1654 Log Enumeration
CONTRIBUTE A TEST
T1087.004 Cloud Account
CONTRIBUTE A TEST
T1201 Password Policy Discovery
Atomic Test #12: Examine AWS Password Policy [iaas:aws]
T1614 System Location Discovery
CONTRIBUTE A TEST
T1518.001 Software Discovery: Security Software Discovery
CONTRIBUTE A TEST
T1526 Cloud Service Discovery
Atomic Test #1: Azure - Dump Subscription Data with MicroBurst [iaas:azure]
T1046 Network Service Discovery
CONTRIBUTE A TEST
T1518 Software Discovery
CONTRIBUTE A TEST
T1538 Cloud Service Dashboard
CONTRIBUTE A TEST
persistence
T1098.003 Account Manipulation: Additional Cloud Roles
CONTRIBUTE A TEST
T1525 Implant Internal Image
CONTRIBUTE A TEST
T1556.007 Hybrid Identity
CONTRIBUTE A TEST
T1078.001 Valid Accounts: Default Accounts
CONTRIBUTE A TEST
T1098.004 SSH Authorized Keys
CONTRIBUTE A TEST
T1098.001 Account Manipulation: Additional Cloud Credentials
Atomic Test #3: AWS - Create Access Key and Secret Key [iaas:aws]
T1136.003 Create Account: Cloud Account
Atomic Test #1: AWS - Create a new IAM user [iaas:aws]
T1098 Account Manipulation
Atomic Test #3: AWS - Create a group and add a user to that group [iaas:aws]
Atomic Test #6: Azure - adding user to Azure role in subscription [iaas:azure]
Atomic Test #7: Azure - adding service principal to Azure role in subscription [iaas:azure]
Atomic Test #17: GCP - Delete Service Account Key [iaas:gcp]
T1078 Valid Accounts
CONTRIBUTE A TEST
T1556.006 Multi-Factor Authentication
CONTRIBUTE A TEST
T1546 Event Triggered Execution
CONTRIBUTE A TEST
T1556.009 Conditional Access Policies
CONTRIBUTE A TEST
T1136 Create Account
CONTRIBUTE A TEST
T1078.004 Valid Accounts: Cloud Accounts
Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
Atomic Test #3: GCP - Create Custom IAM Role [iaas:gcp]
T1556 Modify Authentication Process
CONTRIBUTE A TEST
privilege-escalation
T1098.003 Account Manipulation: Additional Cloud Roles
CONTRIBUTE A TEST
T1078.001 Valid Accounts: Default Accounts
CONTRIBUTE A TEST
T1548 Abuse Elevation Control Mechanism
CONTRIBUTE A TEST
T1098.004 SSH Authorized Keys
CONTRIBUTE A TEST
T1548.005 Temporary Elevated Cloud Access
CONTRIBUTE A TEST
T1098.001 Account Manipulation: Additional Cloud Credentials
Atomic Test #3: AWS - Create Access Key and Secret Key [iaas:aws]
T1098 Account Manipulation
Atomic Test #3: AWS - Create a group and add a user to that group [iaas:aws]
Atomic Test #6: Azure - adding user to Azure role in subscription [iaas:azure]
Atomic Test #7: Azure - adding service principal to Azure role in subscription [iaas:azure]
Atomic Test #17: GCP - Delete Service Account Key [iaas:gcp]
T1078 Valid Accounts
CONTRIBUTE A TEST
T1546 Event Triggered Execution
CONTRIBUTE A TEST
T1078.004 Valid Accounts: Cloud Accounts
Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
Atomic Test #3: GCP - Create Custom IAM Role [iaas:gcp]
collection
T1119 Automated Collection
CONTRIBUTE A TEST
T1530 Data from Cloud Storage Object
Atomic Test #1: Azure - Enumerate Azure Blobs with MicroBurst [iaas:azure]
Atomic Test #2: Azure - Scan for Anonymous Access to Azure Storage (Powershell) [iaas:azure]
Atomic Test #3: AWS - Scan for Anonymous Access to S3 [iaas:aws]
T1074.002 Remote Data Staging
CONTRIBUTE A TEST
T1074 Data Staged
CONTRIBUTE A TEST
T1213 Data from Information Repositories
CONTRIBUTE A TEST
initial-access
T1190 Exploit Public-Facing Application
CONTRIBUTE A TEST
T1078.001 Valid Accounts: Default Accounts
CONTRIBUTE A TEST
T1199 Trusted Relationship
CONTRIBUTE A TEST
T1078 Valid Accounts
CONTRIBUTE A TEST
T1078.004 Valid Accounts: Cloud Accounts
Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
Atomic Test #3: GCP - Create Custom IAM Role [iaas:gcp]
lateral-movement
T1021.008 Direct Cloud VM Connections
CONTRIBUTE A TEST
T1550 Use Alternate Authentication Material
CONTRIBUTE A TEST
T1021 Remote Services
CONTRIBUTE A TEST
T1021.007 Cloud Services
CONTRIBUTE A TEST
T1550.004 Web Session Cookie
CONTRIBUTE A TEST
T1550.001 Application Access Token
CONTRIBUTE A TEST
execution
T1059.009 Cloud API
CONTRIBUTE A TEST
T1059 Command and Scripting Interpreter
CONTRIBUTE A TEST
T1204 User Execution
CONTRIBUTE A TEST
T1204.003 User Execution: Malicious Image
CONTRIBUTE A TEST
T1651 Cloud Administration Command
CONTRIBUTE A TEST
T1648 Serverless Execution
CONTRIBUTE A TEST
exfiltration
T1020.001 Traffic Duplication
CONTRIBUTE A TEST
T1048 Exfiltration Over Alternative Protocol
CONTRIBUTE A TEST
T1537 Transfer Data to Cloud Account
CONTRIBUTE A TEST
Enter your search term...