IaaS Atomic Tests by ATT&CK Tactic & Technique

defense-evasion

• T1578.004 Revert Cloud Instance CONTRIBUTE A TEST
• T1578 Modify Cloud Compute Infrastructure CONTRIBUTE A TEST
• T1562 Impair Defenses CONTRIBUTE A TEST
• T1550 Use Alternate Authentication Material CONTRIBUTE A TEST
• T1556.007 Hybrid Identity CONTRIBUTE A TEST
• T1535 Unused/Unsupported Cloud Regions CONTRIBUTE A TEST
• T1078.001 Valid Accounts: Default Accounts CONTRIBUTE A TEST
• T1548 Abuse Elevation Control Mechanism CONTRIBUTE A TEST
• T1548.005 Temporary Elevated Cloud Access CONTRIBUTE A TEST
• T1578.003 Delete Cloud Instance CONTRIBUTE A TEST
• T1562.007 Disable or Modify Cloud Firewall CONTRIBUTE A TEST
• T1562.001 Impair Defenses: Disable or Modify Tools
  • Atomic Test #46: AWS - GuardDuty Suspension or Deletion [iaas:aws]
• T1078 Valid Accounts CONTRIBUTE A TEST
• T1556.006 Multi-Factor Authentication CONTRIBUTE A TEST
• T1550.004 Web Session Cookie CONTRIBUTE A TEST
• T1578.005 Modify Cloud Compute Configurations CONTRIBUTE A TEST
• T1562.008 Impair Defenses: Disable Cloud Logs
  • Atomic Test #1: AWS - CloudTrail Changes [iaas:aws]
  • Atomic Test #2: Azure - Eventhub Deletion [iaas:azure]
  • Atomic Test #4: AWS - Disable CloudTrail Logging Through Event Selectors using Stratus [linux, macos, iaas:aws]
  • Atomic Test #6: AWS - Remove VPC Flow Logs using Stratus [linux, macos, iaas:aws]
  • Atomic Test #7: AWS - CloudWatch Log Group Deletes [iaas:aws]
  • Atomic Test #8: AWS CloudWatch Log Stream Deletes [iaas:aws]
  • Atomic Test #10: GCP - Delete Activity Event Log [iaas:gcp]
• T1556.009 Conditional Access Policies CONTRIBUTE A TEST
• T1578.002 Create Cloud Instance CONTRIBUTE A TEST
• T1578.001 Create Snapshot CONTRIBUTE A TEST
• T1550.001 Application Access Token CONTRIBUTE A TEST
• T1078.004 Valid Accounts: Cloud Accounts
  • Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
  • Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
  • Atomic Test #3: GCP - Create Custom IAM Role [iaas:gcp]
• T1556 Modify Authentication Process CONTRIBUTE A TEST
• T1211 Exploitation for Defense Evasion CONTRIBUTE A TEST

credential-access

• T1110.001 Brute Force: Password Guessing CONTRIBUTE A TEST
• T1552.005 Unsecured Credentials: Cloud Instance Metadata API
  • Atomic Test #2: Azure - Dump Azure Instance Metadata from Virtual Machines [iaas:azure]
• T1606.002 Forge Web Credentials: SAML token CONTRIBUTE A TEST
• T1040 Network Sniffing CONTRIBUTE A TEST
• T1555 Credentials from Password Stores CONTRIBUTE A TEST
• T1552 Unsecured Credentials
  • Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos, iaas:aws]
• T1556.007 Hybrid Identity CONTRIBUTE A TEST
• T1110.003 Brute Force: Password Spraying
  • Atomic Test #9: AWS - Password Spray an AWS using GoAWSConsoleSpray [iaas:aws]
• T1552.001 Unsecured Credentials: Credentials In Files CONTRIBUTE A TEST
• T1606.001 Web Cookies CONTRIBUTE A TEST
• T1606 Forge Web Credentials CONTRIBUTE A TEST
• T1621 Multi-Factor Authentication Request Generation CONTRIBUTE A TEST
• T1110 Brute Force CONTRIBUTE A TEST
• T1110.004 Brute Force: Credential Stuffing CONTRIBUTE A TEST
• T1556.006 Multi-Factor Authentication CONTRIBUTE A TEST
• T1556.009 Conditional Access Policies CONTRIBUTE A TEST
• T1555.006 Cloud Secrets Management Stores CONTRIBUTE A TEST
• T1556 Modify Authentication Process CONTRIBUTE A TEST

impact

• T1498.001 Direct Network Flood CONTRIBUTE A TEST
• T1491.002 External Defacement CONTRIBUTE A TEST
• T1499.003 Application Exhaustion Flood CONTRIBUTE A TEST
• T1499.004 Application or System Exploitation CONTRIBUTE A TEST
• T1498.002 Reflection Amplification CONTRIBUTE A TEST
• T1499.002 Service Exhaustion Flood CONTRIBUTE A TEST
• T1491 Defacement CONTRIBUTE A TEST
• T1486 Data Encrypted for Impact CONTRIBUTE A TEST
• T1499 Endpoint Denial of Service CONTRIBUTE A TEST
• T1496 Resource Hijacking CONTRIBUTE A TEST
• T1485 Data Destruction
  • Atomic Test #4: GCP - Delete Bucket [iaas:gcp]
• T1498 Network Denial of Service CONTRIBUTE A TEST
• T1490 Inhibit System Recovery CONTRIBUTE A TEST

discovery

• T1069 Permission Groups Discovery CONTRIBUTE A TEST
• T1069.003 Cloud Groups CONTRIBUTE A TEST
• T1040 Network Sniffing CONTRIBUTE A TEST
• T1082 System Information Discovery CONTRIBUTE A TEST
• T1580 Cloud Infrastructure Discovery
  • Atomic Test #1: AWS - EC2 Enumeration from Cloud Instance [linux, macos, iaas:aws]
  • Atomic Test #2: AWS - EC2 Security Group Enumeration [iaas:aws]
• T1087 Account Discovery CONTRIBUTE A TEST
• T1049 System Network Connections Discovery CONTRIBUTE A TEST
• T1619 Cloud Storage Object Discovery
  • Atomic Test #1: AWS S3 Enumeration [iaas:aws]
• T1654 Log Enumeration CONTRIBUTE A TEST
• T1087.004 Cloud Account CONTRIBUTE A TEST
• T1201 Password Policy Discovery
  • Atomic Test #12: Examine AWS Password Policy [iaas:aws]
• T1614 System Location Discovery CONTRIBUTE A TEST
• T1518.001 Software Discovery: Security Software Discovery CONTRIBUTE A TEST
• T1526 Cloud Service Discovery
  • Atomic Test #1: Azure - Dump Subscription Data with MicroBurst [iaas:azure]
• T1046 Network Service Discovery CONTRIBUTE A TEST
• T1518 Software Discovery CONTRIBUTE A TEST
• T1538 Cloud Service Dashboard CONTRIBUTE A TEST

persistence

• T1098.003 Account Manipulation: Additional Cloud Roles CONTRIBUTE A TEST
• T1525 Implant Internal Image CONTRIBUTE A TEST
• T1556.007 Hybrid Identity CONTRIBUTE A TEST
• T1078.001 Valid Accounts: Default Accounts CONTRIBUTE A TEST
• T1098.004 SSH Authorized Keys CONTRIBUTE A TEST
• T1098.001 Account Manipulation: Additional Cloud Credentials
  • Atomic Test #3: AWS - Create Access Key and Secret Key [iaas:aws]
• T1136.003 Create Account: Cloud Account
  • Atomic Test #1: AWS - Create a new IAM user [iaas:aws]
• T1098 Account Manipulation
  • Atomic Test #3: AWS - Create a group and add a user to that group [iaas:aws]
  • Atomic Test #6: Azure - adding user to Azure role in subscription [iaas:azure]
  • Atomic Test #7: Azure - adding service principal to Azure role in subscription [iaas:azure]
  • Atomic Test #17: GCP - Delete Service Account Key [iaas:gcp]
• T1078 Valid Accounts CONTRIBUTE A TEST
• T1556.006 Multi-Factor Authentication CONTRIBUTE A TEST
• T1546 Event Triggered Execution CONTRIBUTE A TEST
• T1556.009 Conditional Access Policies CONTRIBUTE A TEST
• T1136 Create Account CONTRIBUTE A TEST
• T1078.004 Valid Accounts: Cloud Accounts
  • Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
  • Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
  • Atomic Test #3: GCP - Create Custom IAM Role [iaas:gcp]
• T1556 Modify Authentication Process CONTRIBUTE A TEST

privilege-escalation

• T1098.003 Account Manipulation: Additional Cloud Roles CONTRIBUTE A TEST
• T1078.001 Valid Accounts: Default Accounts CONTRIBUTE A TEST
• T1548 Abuse Elevation Control Mechanism CONTRIBUTE A TEST
• T1098.004 SSH Authorized Keys CONTRIBUTE A TEST
• T1548.005 Temporary Elevated Cloud Access CONTRIBUTE A TEST
• T1098.001 Account Manipulation: Additional Cloud Credentials
  • Atomic Test #3: AWS - Create Access Key and Secret Key [iaas:aws]
• T1098 Account Manipulation
  • Atomic Test #3: AWS - Create a group and add a user to that group [iaas:aws]
  • Atomic Test #6: Azure - adding user to Azure role in subscription [iaas:azure]
  • Atomic Test #7: Azure - adding service principal to Azure role in subscription [iaas:azure]
  • Atomic Test #17: GCP - Delete Service Account Key [iaas:gcp]
• T1078 Valid Accounts CONTRIBUTE A TEST
• T1546 Event Triggered Execution CONTRIBUTE A TEST
• T1078.004 Valid Accounts: Cloud Accounts
  • Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
  • Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
  • Atomic Test #3: GCP - Create Custom IAM Role [iaas:gcp]

collection

• T1119 Automated Collection CONTRIBUTE A TEST
• T1530 Data from Cloud Storage Object
  • Atomic Test #1: Azure - Enumerate Azure Blobs with MicroBurst [iaas:azure]
  • Atomic Test #2: Azure - Scan for Anonymous Access to Azure Storage (Powershell) [iaas:azure]
  • Atomic Test #3: AWS - Scan for Anonymous Access to S3 [iaas:aws]
• T1074.002 Remote Data Staging CONTRIBUTE A TEST
• T1074 Data Staged CONTRIBUTE A TEST
• T1213 Data from Information Repositories CONTRIBUTE A TEST

initial-access

• T1190 Exploit Public-Facing Application CONTRIBUTE A TEST
• T1078.001 Valid Accounts: Default Accounts CONTRIBUTE A TEST
• T1199 Trusted Relationship CONTRIBUTE A TEST
• T1078 Valid Accounts CONTRIBUTE A TEST
• T1078.004 Valid Accounts: Cloud Accounts
  • Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
  • Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
  • Atomic Test #3: GCP - Create Custom IAM Role [iaas:gcp]

lateral-movement

• T1021.008 Direct Cloud VM Connections CONTRIBUTE A TEST
• T1550 Use Alternate Authentication Material CONTRIBUTE A TEST
• T1021 Remote Services CONTRIBUTE A TEST
• T1021.007 Cloud Services CONTRIBUTE A TEST
• T1550.004 Web Session Cookie CONTRIBUTE A TEST
• T1550.001 Application Access Token CONTRIBUTE A TEST

execution

• T1059.009 Cloud API CONTRIBUTE A TEST
• T1059 Command and Scripting Interpreter CONTRIBUTE A TEST
• T1204 User Execution CONTRIBUTE A TEST
• T1204.003 User Execution: Malicious Image CONTRIBUTE A TEST
• T1651 Cloud Administration Command CONTRIBUTE A TEST
• T1648 Serverless Execution CONTRIBUTE A TEST

exfiltration

• T1020.001 Traffic Duplication CONTRIBUTE A TEST
• T1048 Exfiltration Over Alternative Protocol CONTRIBUTE A TEST
• T1537 Transfer Data to Cloud Account CONTRIBUTE A TEST