Skip to content

T1069.003 Cloud Groups

Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.

With authenticated access there are several tools that can be used to find permissions groups. The Get-MsolRole PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts 67.

Azure CLI (AZ CLI) and the Google Cloud Identity Provider API also provide interfaces to obtain permissions groups. The command az ad user get-member-groups will list groups associated to a user account for Azure while the API endpoint GET https://cloudidentity.googleapis.com/v1/groups lists group resources available to a user for Google.534 In AWS, the commands ListRolePolicies and ListAttachedRolePolicies allow users to enumerate the policies attached to a role.2

Adversaries may attempt to list ACLs for objects to determine the owner and other accounts with access to the object, for example, via the AWS GetBucketAcl API 1. Using this information an adversary can target accounts with permissions to a given object or leverage accounts they have already compromised to access the object.

Item Value
ID T1069.003
Sub-techniques T1069.001, T1069.002, T1069.003
Tactics TA0007
Platforms Azure AD, Google Workspace, IaaS, Office 365, SaaS
Version 1.4
Created 21 February 2020
Last Modified 21 March 2023

Procedure Examples

ID Name Description
S0677 AADInternals AADInternals can enumerate Azure AD groups.8
S0684 ROADTools ROADTools can enumerate Azure AD groups.9

Detection

ID Data Source Data Component
DS0015 Application Log Application Log Content
DS0017 Command Command Execution
DS0036 Group Group Enumeration
DS0009 Process Process Creation

References

  1. Amazon Web Services. (n.d.). Retrieved May 28, 2021. 

  2. Dror Alon. (2022, December 8). Compromised Cloud Compute Credentials: Case Studies From the Wild. Retrieved March 9, 2023. 

  3. Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active Directory Leaks via Azure. Retrieved October 6, 2019. 

  4. Google. (n.d.). Retrieved March 16, 2021. 

  5. Microsoft. (n.d.). az ad user. Retrieved October 6, 2019. 

  6. Microsoft. (n.d.). Get-MsolRole. Retrieved October 6, 2019. 

  7. Stringer, M.. (2018, November 21). RainDance. Retrieved October 6, 2019. 

  8. Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 18, 2022. 

  9. Dirk-jan Mollema. (2020, April 16). Introducing ROADtools - The Azure AD exploration framework. Retrieved January 31, 2022.