T1136.003 - Create Account: Cloud Account

Description from ATT&CK

Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users) In addition to user accounts, cloud accounts may be associated with services. Cloud providers handle the concept of service accounts in different ways. In Azure, service accounts include service principals and managed identities, which can be linked to various resources such as OAuth applications, serverless functions, and virtual machines in order to grant those resources permissions to perform various activities in the environment.(Citation: Microsoft Entra ID Service Principals) In GCP, service accounts can also be linked to specific resources, as well as be impersonated by other accounts for [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005).(Citation: GCP Service Accounts) While AWS has no specific concept of service accounts, resources can be directly granted permission to assume roles.(Citation: AWS Instance Profiles)(Citation: AWS Lambda Execution Role) Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection. Once an adversary has created a cloud account, they can then manipulate that account to ensure persistence and allow access to additional resources - for example, by adding [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) or assigning [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003).

Atomic Tests


Atomic Test #1 - AWS - Create a new IAM user

Creates a new IAM user in AWS. Adversaries create new IAM users so that their malicious activity does not interrupt the normal functions of the compromised users and can remain undetected for a long time.

Supported Platforms: Iaas:aws

auto_generated_guid: 8d1c2368-b503-40c9-9057-8e42f21c58ad

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of the IAM user to create in AWS | string | atomicredteam |

Attack Commands: Run with `sh`!

```sh
aws iam create-user --user-name #{username}
```

Cleanup Commands:

```sh
# Fails with DeleteConflict if access keys, policies or group memberships were added to the user after the test; remove those first.
aws iam delete-user --user-name #{username}
```

Dependencies: Run with `sh`!

Description: Check that ~/.aws/credentials has a default profile configured
Check Prereq Commands:
```sh
grep "^\[default\]" ~/.aws/credentials
```
Get Prereq Commands:
```sh
echo Please install the aws-cli and configure your AWS default profile using: aws configure
```



Atomic Test #2 - Azure AD - Create a new user

Creates a new user in Azure AD. Adversaries create new users so that their malicious activity does not interrupt the normal functions of the compromised users and can remain undetected for a long time.

Supported Platforms: Azure-ad

auto_generated_guid: e62d23ef-3153-4837-8625-fa4a3829134d

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Display name of the new user to be created in Azure AD | string | atomicredteam |
| userprincipalname | User principal name (UPN) for the new Azure user being created, in email-address format | string | atomicredteam@yourdomain.com |
| password | Password for the new Azure AD user being created | string | reallylongcredential12345ART-ydsfghsdgfhsdgfhgsdhfg |

Attack Commands: Run with `powershell`!

```powershell
# Interactive sign-in. The AzureAD module is deprecated in favour of Microsoft Graph PowerShell; the test is kept as written.
Connect-AzureAD
$userprincipalname = "#{userprincipalname}"
$username = "#{username}"
$password = "#{password}"
$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$PasswordProfile.Password = $password
New-AzureADUser -DisplayName $username -PasswordProfile $PasswordProfile -UserPrincipalName $userprincipalname -AccountEnabled $true -MailNickName $username
```

Cleanup Commands:

```powershell
Remove-AzureADUser -ObjectId "#{userprincipalname}"
```

Dependencies: Run with `powershell`!

Description: Check if AzureAD PowerShell module is installed
Check Prereq Commands:
```powershell
Get-InstalledModule -Name AzureAD
```
Get Prereq Commands:
```powershell
echo "use the following to install AzureAD PowerShell module - Install-Module -Name AzureAD -Scope CurrentUser -Repository PSGallery -Force"
```
Description: Update the userprincipalname to meet your requirements
Check Prereq Commands:
```powershell
Update the input arguments so the userprincipalname value is accurate for your environment
```
Get Prereq Commands:
```powershell
echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"
```



Atomic Test #3 - Azure AD - Create a new user via Azure CLI

Creates a new user in Azure AD via the Azure CLI. Adversaries create new users so that their malicious activity does not interrupt the normal functions of the compromised users and can remain undetected for a long time.

Supported Platforms: Azure-ad

auto_generated_guid: 228c7498-be31-48e9-83b7-9cb906504ec8

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Display name of the new user to be created in Azure AD | string | atomicredteam |
| userprincipalname | User principal name (UPN) for the new Azure user being created, in email-address format | string | atomicredteam@yourdomain.com |
| password | Password for the new Azure AD user being created | string | reallylongcredential12345ART-ydsfghsdgfhsdgfhgsdhfg |

Attack Commands: Run with `powershell`!

```powershell
az login
$userprincipalname = "#{userprincipalname}"
$username = "#{username}"
$password = "#{password}"
az ad user create --display-name $username --password $password --user-principal-name $userprincipalname
# Confirm the account exists; filter on the configured display name rather than a hard-coded value
az ad user list --filter "displayName eq '$username'"
```

Cleanup Commands:

```powershell
az ad user delete --id "#{userprincipalname}"
```

Dependencies: Run with `powershell`!

Description: Check if Azure CLI is installed and install manually
Check Prereq Commands:
```powershell
az account list
```
Get Prereq Commands:
```powershell
echo "use the following to install the Azure CLI manually https://aka.ms/installazurecliwindows"
```
Description: Check if Azure CLI is installed and install via PowerShell
Check Prereq Commands:
```powershell
az account list
```
Get Prereq Commands:
```powershell
echo "use the following to install the Azure CLI $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; Remove-Item .\AzureCLI.msi"
```
Description: Update the userprincipalname to meet your requirements
Check Prereq Commands:
```powershell
Update the input arguments so the userprincipalname value is accurate for your environment
```
Get Prereq Commands:
```powershell
echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"
```
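Each of the three tests above leaves the trail a real intrusion leaves: an IAM `CreateUser` event in AWS CloudTrail (Test #1) and an `Add user` activity in the Entra ID (Azure AD) audit log (Tests #2 and #3). The following is an added detection example written for this page; it is not part of Atomic Red Team or the ATT&CK entry. It normalizes both log sources into one event shape, flags any account created by a principal outside a hypothetical allowlist of provisioning identities, and raises the severity when the same account receives, within an hour, the credential or role additions the description warns about (Additional Cloud Credentials, Additional Cloud Roles). The account ID, the `yourdomain.com` principals, the allowlist and every sample event are constructed; the field names follow the CloudTrail record and Microsoft Graph `directoryAudit` schemas.

```python
"""Flag cloud account creation (T1136.003) in CloudTrail and Entra ID audit logs.

Added example for this page. Sample events mirror the shape of CloudTrail records
and Microsoft Graph directoryAudit entries but are constructed, not captured.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical allowlist of identities that legitimately create accounts: an IaC
# pipeline role and an HR-driven provisioning app. Any other creator is flagged.
ALLOWED_CREATORS = {
    "arn:aws:sts::111122223333:assumed-role/TerraformProvisioner/ci-run",
    "scim-provisioning@yourdomain.com",
}
CREATE_ACTIONS = {"CreateUser", "Add user"}
# Actions adversaries chain after creation to persist (T1098.001 / T1098.003).
FOLLOWUP_ACTIONS = {
    "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy", "PutUserPolicy",
    "AddUserToGroup", "Add member to role", "Add app role assignment to user",
}
CORRELATION_WINDOW = timedelta(hours=1)


def _ts(value):
    # Both sources emit ISO-8601 UTC timestamps ending in "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def normalize_cloudtrail(record):
    """Reduce an IAM CloudTrail record to (time, actor, action, target) or None."""
    target = (record.get("requestParameters") or {}).get("userName")
    if record.get("eventSource") != "iam.amazonaws.com" or not target:
        return None
    return {"cloud": "aws", "time": _ts(record["eventTime"]),
            "actor": record.get("userIdentity", {}).get("arn", "<unknown>"),
            "action": record["eventName"], "target": target}


def normalize_entra(entry):
    """Reduce a directoryAudit entry to the same shape, keyed on its User target."""
    if entry.get("category") not in ("UserManagement", "RoleManagement"):
        return None
    by = entry.get("initiatedBy") or {}
    actor = ((by.get("user") or {}).get("userPrincipalName")
             or (by.get("app") or {}).get("displayName") or "<unknown>")
    target = next((t.get("userPrincipalName") for t in entry.get("targetResources", [])
                   if t.get("type") == "User"), None)
    if not target:
        return None
    return {"cloud": "azure", "time": _ts(entry["activityDateTime"]), "actor": actor,
            "action": entry["activityDisplayName"], "target": target}


def detect_account_creation(cloudtrail_records, entra_entries):
    """One finding per created account, with persistence follow-ups inside the window."""
    events = [e for e in map(normalize_cloudtrail, cloudtrail_records) if e]
    events += [e for e in map(normalize_entra, entra_entries) if e]
    by_target = defaultdict(list)
    for e in events:
        by_target[(e["cloud"], e["target"])].append(e)
    findings = []
    for (cloud, target), evts in by_target.items():
        for c in (e for e in evts if e["action"] in CREATE_ACTIONS):
            followups = sorted({e["action"] for e in evts if e["action"] in FOLLOWUP_ACTIONS
                                and c["time"] <= e["time"] <= c["time"] + CORRELATION_WINDOW})
            allowlisted = c["actor"] in ALLOWED_CREATORS
            severity = "info" if allowlisted else ("high" if followups else "medium")
            findings.append({"cloud": cloud, "target": target, "creator": c["actor"],
                             "allowlisted": allowlisted, "followups": followups,
                             "severity": severity})
    return findings


# Constructed records: Test #1 run from a developer role, then the persistence steps
# the description warns about; plus one legitimate creation by the IaC role.
DEV_ROLE = "arn:aws:sts::111122223333:assumed-role/DeveloperAccess/jdoe"
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2024-05-01T12:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"arn": DEV_ROLE}, "requestParameters": {"userName": "atomicredteam"}},
    {"eventTime": "2024-05-01T12:00:40Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": DEV_ROLE}, "requestParameters": {"userName": "atomicredteam"}},
    {"eventTime": "2024-05-01T12:01:10Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": DEV_ROLE}, "requestParameters": {"userName": "atomicredteam",
     "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-05-01T09:30:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/TerraformProvisioner/ci-run"},
     "requestParameters": {"userName": "svc-backup"}},
]
# Constructed directoryAudit entries for Tests #2/#3: "Add user", then a role grant.
SAMPLE_ENTRA = [
    {"activityDateTime": "2024-05-01T12:05:00Z", "category": "UserManagement",
     "activityDisplayName": "Add user",
     "initiatedBy": {"user": {"userPrincipalName": "jdoe@yourdomain.com"}},
     "targetResources": [{"type": "User", "userPrincipalName": "atomicredteam@yourdomain.com"}]},
    {"activityDateTime": "2024-05-01T12:06:30Z", "category": "RoleManagement",
     "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "jdoe@yourdomain.com"}},
     "targetResources": [{"type": "User", "userPrincipalName": "atomicredteam@yourdomain.com"},
                         {"type": "Role", "displayName": "Global Administrator"}]},
]

if __name__ == "__main__":
    for f in detect_account_creation(SAMPLE_CLOUDTRAIL, SAMPLE_ENTRA):
        extra = f"; follow-ups: {', '.join(f['followups'])}" if f["followups"] else ""
        print(f"[{f['severity']:<6}] {f['cloud']} account {f['target']!r} created by {f['creator']}{extra}")
```

Running the block on the constructed data yields three findings: the `atomicredteam` IAM user and the `atomicredteam@yourdomain.com` Entra user are both rated high because a non-allowlisted principal created them and then added credentials or a role within the window, while `svc-backup` is reported as informational because the IaC role is on the allowlist. In production the allowlist should be driven by the actual provisioning identities, and the correlation window tuned to how quickly legitimate onboarding grants roles after creation.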