Skip to content

T1087.004 Cloud Account

Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application.

With authenticated access there are several tools that can be used to find accounts. The Get-MsolRoleMember PowerShell cmdlet can be used to obtain account names given a role or permissions group in Office 365.12 The Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command az ad user list will list all users within a domain.34

The AWS command aws iam list-users may be used to obtain a list of users in the current account while aws iam list-roles can obtain IAM roles that have a specified path prefix.56 In GCP, gcloud iam service-accounts list and gcloud projects get-iam-policy may be used to obtain a listing of service accounts and users in a project.7

Item Value
ID T1087.004
Sub-techniques T1087.001, T1087.002, T1087.003, T1087.004
Tactics TA0007
Platforms Azure AD, Google Workspace, IaaS, Office 365, SaaS
Permissions required User
Version 1.2
Created 21 February 2020
Last Modified 16 March 2021

Procedure Examples

ID Name Description
S0677 AADInternals AADInternals can enumerate Azure AD users.9
G0016 APT29 APT29 has conducted enumeration of Azure AD accounts.10
S0684 ROADTools ROADTools can enumerate Azure AD users.8

Mitigations

ID Mitigation Description
M1047 Audit Routinely check user permissions to ensure only the expected users have the ability to list IAM identities or otherwise discover cloud accounts.
M1018 User Account Management Limit permissions to discover cloud accounts in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.

Detection

ID Data Source Data Component
DS0017 Command Command Execution

References

  1. Microsoft. (n.d.). Get-MsolRoleMember. Retrieved October 6, 2019. 

  2. Stringer, M.. (2018, November 21). RainDance. Retrieved October 6, 2019. 

  3. Microsoft. (n.d.). az ad user. Retrieved October 6, 2019. 

  4. Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active Directory Leaks via Azure. Retrieved October 6, 2019. 

  5. Amazon. (n.d.). List Roles. Retrieved August 11, 2020. 

  6. Amazon. (n.d.). List Users. Retrieved August 11, 2020. 

  7. Google. (2020, June 23). gcloud iam service-accounts list. Retrieved August 4, 2020. 

  8. Dirk-jan Mollema. (2020, April 16). Introducing ROADtools - The Azure AD exploration framework. Retrieved January 31, 2022. 

  9. Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 18, 2022. 

  10. Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022.