Account Discovery: Cloud Account (T1087.004)

Tactic: Discovery · Platforms: IaaS, Identity Provider, Office Suite, SaaS

The interactive view maps 1 detection strategy, 2 mitigations, 2 threat groups, 3 software entries, 1 campaign to this technique, alongside D3FEND countermeasures and data-component coverage.

Sub-technique of Account Discovery (T1087).

Overview

Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application.

With authenticated access there are several tools that can be used to find accounts. The Get-MsolRoleMember PowerShell cmdlet can be used to obtain account names given a role or permissions group in Office 365. The Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command az ad user list will list all users within a domain.

The AWS command aws iam list-users may be used to obtain a list of users in the current account while aws iam list-roles can obtain IAM roles that have a specified path prefix. In GCP, gcloud iam service-accounts list and gcloud projects get-iam-policy may be used to obtain a listing of service accounts and users in a project.

Explore