# T1526 - Cloud Service Discovery ## Description from ATT&CK > An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Entra ID, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs. > > Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Microsoft Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API) > > For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu) > > Adversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001) or [Disable or Modify Cloud Logs](https://attack.mitre.org/techniques/T1562/008). [Source](https://attack.mitre.org/techniques/T1526) ## Atomic Tests - [Atomic Test #1: Azure - Dump Subscription Data with MicroBurst](#atomic-test-1-azure---dump-subscription-data-with-microburst) - [Atomic Test #2: AWS - Enumerate common cloud services](#atomic-test-2-aws---enumerate-common-cloud-services) - [Atomic Test #3: Azure - Enumerate common cloud services](#atomic-test-3-azure---enumerate-common-cloud-services) ### Atomic Test #1: Azure - Dump Subscription Data with MicroBurst Upon successful execution, this test will enumerate all resources that are contained within a valid Azure subscription. The resources enumerated will display on screen, as well as several csv files and folders will be output to a specified directory, listing what resources were discovered by the script. See https://dev.to/cheahengsoon/enumerating-subscription-information-with-microburst-35a1 **Supported Platforms:** Iaas:azure **auto_generated_guid:** `1e40bb1d-195e-401e-a86b-c192f55e005c` #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| | username | Azure AD username | string | | | password | Azure AD password | string | T1082Az| | output_directory | Directory to output results to | string | $env:temp\T1526Test1| | subscription_name | Azure subscription name to scan | string | | #### Attack Commands: Run with `powershell`! ```powershell import-module "PathToAtomicsFolder\..\ExternalPayloads\Get-AzDomainInfo.ps1" $Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password Connect-AzAccount -Credential $Credential | out-null Get-AzDomainInfo -folder #{output_directory} -subscription "#{subscription_name}" -verbose ``` #### Cleanup Commands ```powershell remove-item #{output_directory} -recurse -force -erroraction silentlycontinue ``` #### Dependencies: Run with `powershell`! ##### Description: The Get-AzDomainInfo script must exist in PathToAtomicsFolder\..\ExternalPayloads. ###### Check Prereq Commands ```powershell if (test-path "PathToAtomicsFolder\..\ExternalPayloads\Get-AzDomainInfo.ps1"){exit 0} else {exit 1} ``` ###### Get Prereq Commands ```powershell New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/c771c665a2c71f9c5ba474869cd1c211ebee68fd/Az/Get-AzDomainInfo.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\Get-AzDomainInfo.ps1" ``` ##### Description: The Az module must be installed. ###### Check Prereq Commands ```powershell try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} ``` ###### Get Prereq Commands ```powershell Install-Module -Name Az -Force ``` ### Atomic Test #2: AWS - Enumerate common cloud services Upon successful execution, this test will enumerate common resources that are contained within a valid AWS account. **Supported Platforms:** Iaas:aws **auto_generated_guid:** `aa8b9bcc-46fa-4a59-9237-73c7b93a980c` #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| | access_key | AWS Access Key | string | | | secret_key | AWS Secret Key | string | | | session_token | AWS Session Token | string | | | profile | AWS profile | string | | | regions | AWS regions | string | us-east-1,us-east-2,us-west-1,us-west-2| | output_directory | Directory to output results to | string | $env:TMPDIR/aws_discovery| #### Attack Commands: Run with `powershell`! ```powershell Import-Module "PathToAtomicsFolder\T1526\src\AWSDiscovery.ps1" $access_key = "#{access_key}" $secret_key = "#{secret_key}" $session_token = "#{session_token}" $aws_profile = "#{profile}" $regions = "#{regions}" Set-AWSAuthentication -AccessKey $access_key -SecretKey $secret_key -SessionToken $session_token -AWSProfile $aws_profile Get-AWSDiscoveryData -Regions $regions -OutputDirectory "#{output_directory}" Remove-BlankFiles -OutputDirectory "#{output_directory}" ``` #### Dependencies: Run with `powershell`! ##### Description: The AWS PowerShell module must be installed. ###### Check Prereq Commands ```powershell try {if (Get-InstalledModule -Name AWSPowerShell -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} ``` ###### Get Prereq Commands ```powershell Install-Module -Name AWSPowerShell -Force ``` ### Atomic Test #3: Azure - Enumerate common cloud services Upon successful execution, this test will enumerate common resources that are contained within a valid Azure subscription. **Supported Platforms:** Iaas:azure **auto_generated_guid:** `58f57c8f-db14-4e62-a4d3-5aaf556755d7` #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| | client_id | Azure AD client ID | string | | | client_secret | Azure AD client secret | string | | | tenant_id | Azure AD tenant ID | string | | | cloud | Azure cloud environment | string | AzureCloud| | output_directory | Directory to output results to | string | $env:TMPDIR/azure_discovery| #### Attack Commands: Run with `powershell`! ```powershell Import-Module "PathToAtomicsFolder\T1526\src\AzureDiscovery.ps1" $client_id = "#{client_id}" $client_secret = "#{client_secret}" $tenant_id = "#{tenant_id}" $environment = "#{cloud}" Set-AzureAuthentication -ClientID $client_id -ClientSecret $client_secret -TenantID $tenant_id -Environment $environment Get-AzureDiscoveryData -OutputDirectory "#{output_directory}" -Environment $environment Remove-BlankFiles -OutputDirectory "#{output_directory}" ``` #### Dependencies: Run with `powershell`! ##### Description: The Az module must be installed. ###### Check Prereq Commands ```powershell try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} ``` ###### Get Prereq Commands ```powershell Install-Module -Name Az -Force ```