Try it using Invoke-Atomic

Create Account: Cloud Account

Description from ATT&CK

Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)

Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection. https://www.aleksandrhovhannisyan.com/blog/how-to-add-a-copy-to-clipboard-button-to-your-jekyll-blog/

Atomic Tests

Atomic Test #1 - AWS - Create a new IAM user

Creates a new IAM user in AWS. Upon successful creation, a new user will be created. Adversaries create new IAM users so that their malicious activity do not interupt the normal functions of the compromised users and can remain undetected for a long time

Supported Platforms: iaas:aws

auto_generated_guid: 8d1c2368-b503-40c9-9057-8e42f21c58ad

Inputs:

Name Description Type Default Value
username Username of the IAM user to create in AWS String atomicredteam

Attack Commands: Run with sh!

1
2
aws iam create-user --user-name #{username}

Cleanup Commands:

1
2
aws iam delete-user --user-name #{username}

Dependencies: Run with sh!

Description: Check if ~/.aws/credentials file has a default stanza is configured

Check Prereq Commands:

1
2
cat ~/.aws/credentials | grep "default"

Get Prereq Commands:

1
2
echo Please install the aws-cli and configure your AWS defult profile using: aws configure

source