2026-02-18 16:55:45 +00:00

T1651 - Cloud Administration Command

Description from ATT&CK

Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. (Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)

If an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environment's virtual machines. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a Trusted Relationship to execute commands in connected virtual machines. (Citation: MSTIC Nobelium Oct 2021)

Source

Atomic Tests

Atomic Test #1: AWS Run Command (and Control)

This test simulates an adversary using the AWS Run Command service to execute commands on EC2 instances.

Supported Platforms: Iaas:aws

auto_generated_guid: a3cc9c95-c160-4b86-af6f-84fba87bfd30

Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| access_key | AWS Access Key | string | |
| secret_key | AWS Secret Key | string | |
| session_token | AWS Session Token | string | |
| profile | AWS profile | string | |
| region | AWS region to deploy the EC2 instance | string | us-east-2 |

Attack Commands: Run with powershell!

Import-Module "PathToAtomicsFolder/T1651/src/T1651-1/AWSSSMAttack.ps1" -Force
$access_key = "#{access_key}"
$secret_key = "#{secret_key}"
$session_token = "#{session_token}"
$aws_profile = "#{profile}"
$region = "#{region}"
Set-AWSAuthentication -AccessKey $access_key -SecretKey $secret_key -SessionToken $session_token -AWSProfile $aws_profile -AWSRegion $region
Invoke-Terraform -TerraformCommand init -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1"
Invoke-Terraform -TerraformCommand apply -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1" -TerraformVariables @("profile=T1651-1", "region=$region")
Invoke-SSMAttack -AWSProfile "T1651-1" -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1"
Invoke-Terraform -TerraformCommand destroy -TerraformDirectory "PathToAtomicsFolder/T1651/src/T1651-1" -TerraformVariables @("profile=T1651-1", "region=$region")
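Defender's counterpart to the test above, as an added example that is not part of Atomic Red Team or the AWS tooling: a small triage over CloudTrail records that flags `ssm:SendCommand` calls which use the arbitrary-execution documents (`AWS-RunShellScript`, `AWS-RunPowerShellScript`), come from a principal outside an assumed allowlist, or target many or all instances. Field names follow CloudTrail's SendCommand records; the allowlist ARN, the `T1651-1` user and every sample event are constructed.

```python
import json

# AWS-managed documents that run whatever script the caller supplies on the instance.
ARBITRARY_EXEC_DOCS = {"AWS-RunShellScript", "AWS-RunPowerShellScript"}
# Assumed allowlist (placeholder ARN): principals expected to use Run Command here.
EXPECTED_PRINCIPALS = {"arn:aws:sts::111111111111:assumed-role/ops-patching/scheduler"}

def _targets_everything(req: dict) -> bool:
    """True when targets use the InstanceIds key with '*' (every managed instance)."""
    for target in req.get("targets") or []:
        if target.get("key", "").lower() == "instanceids" and "*" in target.get("values", []):
            return True
    return False

def triage_send_command(event: dict, expected=EXPECTED_PRINCIPALS) -> list:
    """Reasons a SendCommand record deserves review; [] for non-SSM or benign-looking ones."""
    if event.get("eventSource") != "ssm.amazonaws.com" or event.get("eventName") != "SendCommand":
        return []
    req = event.get("requestParameters") or {}
    actor = (event.get("userIdentity") or {}).get("arn", "<unknown>")
    reasons = []
    doc = req.get("documentName", "")
    if doc in ARBITRARY_EXEC_DOCS:
        reasons.append(f"arbitrary-execution document {doc}")
    if actor not in expected:
        reasons.append(f"unexpected principal {actor}")
    if len(req.get("instanceIds") or []) >= 5 or _targets_everything(req):
        reasons.append("broad targeting")
    return reasons

def triage_trail(raw_json: str) -> dict:
    """Parse a CloudTrail file body ({"Records": [...]}); map eventID -> reasons for flagged records."""
    flagged = {}
    for event in json.loads(raw_json).get("Records", []):
        reasons = triage_send_command(event)
        if reasons:
            flagged[event.get("eventID", "?")] = reasons
    return flagged

# Constructed sample trail: a routine patch run, a Run Command from an unexpected user, an EC2 call.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventID": "ev-1", "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/ops-patching/scheduler"},
     "requestParameters": {"documentName": "AWS-RunPatchBaseline", "instanceIds": ["i-0a1"]}},
    {"eventID": "ev-2", "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/T1651-1"},
     "requestParameters": {"documentName": "AWS-RunShellScript",
                           "targets": [{"key": "InstanceIds", "values": ["*"]}]}},
    {"eventID": "ev-3", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/T1651-1"}, "requestParameters": {}},
]})
```

Running `triage_trail(SAMPLE_TRAIL)` flags only `ev-2`, with all three reasons; the patch run from the allowlisted role passes.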

Dependencies: Run with powershell!

Description: The AWS PowerShell module must be installed.
Check Prereq Commands
try {if (Get-InstalledModule -Name AWSPowerShell -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
Get Prereq Commands
Install-Module -Name AWSPowerShell -Force
Description: Terraform must be installed.
Check Prereq Commands
terraform --version
Get Prereq Commands
Write-Host "Terraform is required. Download it from https://www.terraform.io/downloads.html"