Try it using Invoke-Atomic

Create Account: Cloud Account

Description from ATT&CK

Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)

In addition to user accounts, cloud accounts may be associated with services. Cloud providers handle the concept of service accounts in different ways. In Azure, service accounts include service principals and managed identities, which can be linked to various resources such as OAuth applications, serverless functions, and virtual machines in order to grant those resources permissions to perform various activities in the environment.(Citation: Microsoft Entra ID Service Principals) In GCP, service accounts can also be linked to specific resources, as well as be impersonated by other accounts for Temporary Elevated Cloud Access.(Citation: GCP Service Accounts) While AWS has no specific concept of service accounts, resources can be directly granted permission to assume roles.(Citation: AWS Instance Profiles)(Citation: AWS Lambda Execution Role)

Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.

Once an adversary has created a cloud account, they can then manipulate that account to ensure persistence and allow access to additional resources - for example, by adding Additional Cloud Credentials or assigning Additional Cloud Roles.

Atomic Tests

Atomic Test #1 - AWS - Create a new IAM user

Creates a new IAM user in AWS. Upon successful creation, a new user will be created. Adversaries create new IAM users so that their malicious activity do not interupt the normal functions of the compromised users and can remain undetected for a long time

Supported Platforms: iaas:aws

auto_generated_guid: 8d1c2368-b503-40c9-9057-8e42f21c58ad

Inputs:

Name Description Type Default Value
username Username of the IAM user to create in AWS string atomicredteam

Attack Commands: Run with sh!

1
aws iam create-user --user-name #{username}

Cleanup Commands:

1
aws iam delete-user --user-name #{username}

Dependencies: Run with sh!

Description: Check if ~/.aws/credentials file has a default stanza is configured

Check Prereq Commands:

1
cat ~/.aws/credentials | grep "default"

Get Prereq Commands:

1
echo Please install the aws-cli and configure your AWS defult profile using: aws configure

Atomic Test #2 - Azure AD - Create a new user

Creates a new user in Azure AD. Upon successful creation, a new user will be created. Adversaries create new users so that their malicious activity does not interrupt the normal functions of the compromised users and can remain undetected for a long time.

Supported Platforms: azure-ad

auto_generated_guid: e62d23ef-3153-4837-8625-fa4a3829134d

Inputs:

Name Description Type Default Value
username Display name of the new user to be created in Azure AD string atomicredteam
userprincipalname User principal name (UPN) for the new Azure user being created format email address string atomicredteam@yourdomain.com
password Password for the new Azure AD user being created string reallylongcredential12345ART-ydsfghsdgfhsdgfhgsdhfg

Attack Commands: Run with powershell!

1
2
3
4
5
6
7
Connect-AzureAD
$userprincipalname = "#{userprincipalname}"
$username = "#{username}"      
$password = "#{password}"
$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$PasswordProfile.Password = $password
New-AzureADUser -DisplayName $username -PasswordProfile $PasswordProfile -UserPrincipalName $userprincipalname -AccountEnabled $true -MailNickName $username

Cleanup Commands:

1
Remove-AzureADUser -ObjectId "#{userprincipalname}"

Dependencies: Run with powershell!

Description: Check if AzureAD PowerShell module is installed Check Prereq Commands:

1
Get-InstalledModule -Name AzureAD

Get Prereq Commands:

1
echo "use the following to install AzureAD PowerShell module - Install-Module -Name AzureAD -Scope CurrentUser -Repository PSGallery -Force"

Description: Check if AzureAD PowerShell module is installed Check Prereq Commands:

1
Update the input arguments so the userprincipalname value is accurate for your environment

Get Prereq Commands:

1
echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"

Atomic Test #3 - Azure AD - Create a new user via Azure CLI

Creates a new user in Azure AD via the Azure CLI. Upon successful creation, a new user will be created. Adversaries create new users so that their malicious activity does not interrupt the normal functions of the compromised users and can remain undetected for a long time.

Supported Platforms: azure-ad

auto_generated_guid: 228c7498-be31-48e9-83b7-9cb906504ec8

Inputs:

Name Description Type Default Value
username Display name of the new user to be created in Azure AD string atomicredteam
userprincipalname User principal name (UPN) for the new Azure user being created format email address string atomicredteam@yourdomain.com
password Password for the new Azure AD user being created string reallylongcredential12345ART-ydsfghsdgfhsdgfhgsdhfg

Attack Commands: Run with powershell!

1
2
3
4
5
6
az login
$userprincipalname = "#{userprincipalname}"
$username = "#{username}"      
$password = "#{password}"
az ad user create --display-name $username --password $password --user-principal-name $userprincipalname
az ad user list --filter "displayname eq 'atomicredteam'"

Cleanup Commands:

1
az ad user delete --id

Dependencies: Run with powershell!

Description: Check if Azure CLI is installed and install manually Check Prereq Commands:

1
az account list

Get Prereq Commands:

1
echo "use the following to install the Azure CLI manually https://aka.ms/installazurecliwindows"

Description: Check if Azure CLI is installed and install via PowerShell Check Prereq Commands:

1
az account list

Get Prereq Commands:

1
echo "use the following to install the Azure CLI $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; Remove-Item .\AzureCLI.msi"

Description: Update the userprincipalname to meet your requirements Check Prereq Commands:

1
Update the input arguments so the userprincipalname value is accurate for your environment

Get Prereq Commands:

1
echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"

source