# T1651 - Cloud Administration Command
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1651)
<blockquote>

Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. (Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)

If an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environment’s virtual machines. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) to execute commands in connected virtual machines.(Citation: MSTIC Nobelium Oct 2021)

</blockquote>

## Atomic Tests

- [Atomic Test #1 - AWS Run Command (and Control)](#atomic-test-1---aws-run-command-and-control)


<br/>

## Atomic Test #1 - AWS Run Command (and Control)
This test simulates an adversary using the AWS Run Command service to execute commands on EC2 instances.

**Supported Platforms:** Iaas:aws


**auto_generated_guid:** a3cc9c95-c160-4b86-af6f-84fba87bfd30





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| access_key | AWS Access Key | string | |
| secret_key | AWS Secret Key | string | |
| session_token | AWS Session Token | string | |
| profile | AWS profile | string | |
| region | AWS region to deploy the EC2 instance | string | us-east-2|


#### Attack Commands: Run with `powershell`! 


```powershell
Import-Module "PathToAtomicsFolder/T1651/src/T1651-1/AWSSSMAttack.ps1" -Force
$access_key = "#{access_key}"
$secret_key = "#{secret_key}"
$session_token = "#{session_token}"
$aws_profile = "#{profile}"
$region = "#{region}"
Set-AWSAuthentication -AccessKey $access_key -SecretKey $secret_key -SessionToken $session_token -AWSProfile $aws_profile -AWSRegion $region
Invoke-Terraform -TerraformCommand init -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1"
Invoke-Terraform -TerraformCommand apply -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1" -TerraformVariables @("profile=T1651-1", "region=$region")
Invoke-SSMAttack -AWSProfile "T1651-1" -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1"
Invoke-Terraform -TerraformCommand destroy -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1" -TerraformVariables @("profile=T1651-1", "region=$region")
```




#### Dependencies:  Run with `powershell`!
##### Description: The AWS PowerShell module must be installed.
##### Check Prereq Commands:
```powershell
try {if (Get-InstalledModule -Name AWSPowerShell -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
```
##### Get Prereq Commands:
```powershell
Install-Module -Name AWSPowerShell -Force
```
##### Description: Terraform must be installed.
##### Check Prereq Commands:
```powershell
terraform --version
```
##### Get Prereq Commands:
```powershell
Write-Host "Terraform is required. Download it from https://www.terraform.io/downloads.html"
```




<br/>