Account Discovery: Cloud Account

Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider of SaaS application.

With authenticated access there are several tools that can be used to find accounts. The Get-MsolRoleMember PowerShell cmdlet can be used to obtain account names given a role or permissions group.[1][2]

Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command az ad user list will list all users within a domain.[3][4]

ID: T1087.004
Sub-technique of:  T1087
Tactic: Discovery
Platforms: AWS, Azure, Azure AD, GCP, Office 365, SaaS
Permissions Required: User
Data Sources: Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Version: 1.0
Created: 21 February 2020
Last Modified: 13 March 2020

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information.

References