T1069.003: Cloud Groups
Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.
With authenticated access there are several tools that can be used to find permissions groups. The Get-MsolRole PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts .
Azure CLI (AZ CLI) and the Google Cloud Identity Provider API also provide interfaces to obtain permissions groups. The command az ad user get-member-groups will list groups associated to a user account for Azure while the API endpoint GET https://cloudidentity.googleapis.com/v1/groups lists group resources available to a user for Google. In AWS, the commands ListRolePolicies and ListAttachedRolePolicies allow users to enumerate the policies attached to a role.
Adversaries may attempt to list ACLs for objects to determine the owner and other accounts with access to the object, for example, via the AWS GetBucketAcl API . Using this information an adversary can target accounts with permissions to a given object or leverage accounts they have already compromised to access the object.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
— Monitoring of events related to the PowerShell cmdlet Get-MsolRole (getting a list of roles and permission groups of Exchange and Office 365 accounts). — Monitoring of process-start events where command line input contains 'az ad user get-member-groups' (Azure). — Monitoring of process-start events where command line input contains 'aws iam list-role-policies', 'aws iam list-attached-role-policies', 'get-bucket-acl', or requests to the AIM which URLs contain 'ListRolePolicies' (for example, https://iam.amazonaws.com/?Action=ListRolePolicies), 'ListAttachedRolePolicies' (for example, https://iam.amazonaws.com/?Action=ListAttachedRolePolicies), 'acl' (for example, GET ?acl HTTP/1.1 Host: bucket.s3..amazonaws.com) (AWS). Monitoring of process-start events where command line input contains requests to https://cloudidentity.googleapis.com/v1/groups (Google Cloud).
Expert Required. The technique is detected only with the combination of «PT Product + Expert»
Detection
| ID | DS0017 | Data source and component | Command: Command Execution | Description | Monitor for executed commands and arguments that may attempt to find cloud groups and permission settings. |
|---|
| ID | DS0036 | Data source and component | Group: Group Metadata | Description | Contextual data about a group which describes group and activity around it that may attempt to find cloud groups and permission settings. |
|---|
| ID | DS0036 | Data source and component | Group: Group Enumeration | Description | Monitor for an extracted list of available groups and/or their associated setting |
|---|
| ID | DS0015 | Data source and component | Application Log: Application Log Content | Description | Monitor for events collected that may attempt to find cloud groups and permission settings. |
|---|
| ID | DS0009 | Data source and component | Process: Process Creation | Description | Monitor newly executed processes that may attempt to find cloud groups and permission settings. |
|---|