Account Discovery
Enumerate local or domain accounts.
§ Where this technique fits
T1087 is catalogued under the Discovery tactic of the offensive-security kill-chain. It appears in 19 approved dossiers in the registry, at step 2.8 on average, i.e. usually the second or third step of a chain, right after the initial foothold.
Authoritative reference: attack.mitre.org/techniques/T1087/.
§ Dossiers chaining this technique
- step 2 / 6
z/OS TN3270 → RACF userID brute → mainframe shell
Internet-/intranet-exposed TN3270 mainframe terminal. Userids follow a predictable HR scheme, so the candidate list can be generated rather than guessed. Brute-force passwords: RACF passwords are at most 8 characters unless password phrases are enabled, and many sites still allow short / dictionary passwords for legacy reasons. Caveat: RACF can revoke a userid after a configured number of failures (SETROPTS PASSWORD(REVOKE(n))), so spray one password across the userid list rather than many passwords against one account.
- step 2 / 5
BACnet HVAC → disrupt building operations
BACnet/IP on UDP/47808 (0xBAC0) carries no authentication, so any host that can reach the controllers can issue WriteProperty requests. From a foothold in corporate IT, write to HVAC controllers: over-cool a data centre, disable smoke evacuation, interfere with elevators.
- step 2 / 5
Reachable Modbus PLC → direct register override
Modbus/TCP (TCP/502) has no authentication. From a foothold on a reachable OT network, write to coils / holding registers directly with pymodbus (function codes 5/6/15/16); nothing on the protocol side distinguishes the attacker's writes from the HMI's.
- step 2 / 5
TCC bypass → access Photos / Camera without consent
Inject into a process that already holds Full Disk Access (e.g. a backup utility, Terminal). The injected code inherits the host process's TCC grant and can read TCC-gated data: Photos, the iMessage DB, Documents. Caveat: hardened runtime and library validation block injection into most signed binaries, so the viable targets are FDA-holding processes that lack those protections or carry the com.apple.security.cs.disable-library-validation / allow-dyld-environment-variables entitlements.
- step 2 / 5
sudo NOPASSWD on a shell-spawner → root
User has sudo NOPASSWD on a binary that can shell out (vi, less, awk, perl, python); `sudo -l` lists the entries. Use the binary's shell escape (`:!sh` in vi, `!sh` in less, `awk 'BEGIN{system("/bin/sh")}'`) to drop into a root shell.
- step 2 / 5
docker group membership → host root via container escape
User is in the docker group (`id` shows it). `docker run -it -v /:/host --privileged alpine chroot /host` bind-mounts the host filesystem into a container and chroots into it, giving a root shell on the host without sudo. `-it` is needed for the interactive shell; `--privileged` is not required for the chroot itself, only for raw device access afterwards.
- step 2 / 5
Service account → SYSTEM via named-pipe impersonation
Service-context shell holds SeImpersonatePrivilege (`whoami /priv`). Use Potato-family tools (JuicyPotato / RoguePotato / PrintSpoofer / GodPotato) to coerce a SYSTEM service into authenticating to an attacker-controlled named pipe, then impersonate the resulting token to run as SYSTEM.
- step 2 / 6
GCP service account impersonation chain → project owner
Compromised low-priv SA has iam.serviceAccounts.getAccessToken on an intermediate SA; hop through 2-3 impersonations until you reach a project Owner.
- step 3 / 5
Unauth DICOM PACS → mass medical-image exfil
PACS server accepts unauthenticated C-FIND / C-MOVE on port 104 / 11112. Query for every study, pull every image: exfil hundreds of thousands of patient scans plus DICOM metadata (PII). Caveat: C-MOVE sends images to a destination AE title the PACS must already know, so either the attacker's AE must be registered on the PACS or the PACS must accept C-GET, which returns the images over the same association.
- step 3 / 6
Leaked GitHub PAT → org takeover → supply-chain push
A maintainer's PAT lands in a public Gist (or a Docker image layer). The token has repo + workflow scopes — push a malicious commit to a popular package, fire the auto-publish workflow.
- step 3 / 6
Slack token in CI log → DM history → vendor mailbox compromise
A CI run echoed a Slack xoxb-/xoxp- token. Use it to read DMs, harvest password-reset links and vendor invitations, pivot into the corporate mailbox.
- step 3 / 5
Open MongoDB → dump every collection
Shodan-indexed MongoDB on 27017 with no auth. Connect, list databases, dump every collection. Often the second stage is a ransom note in a new 'README' collection.
- step 3 / 5
Open MQTT broker → smart-estate takeover
Shodan-indexed MQTT broker on TCP/1883 with no auth. Subscribe to '#' to harvest every device topic; publish to relays/locks/lights/thermostats.
- step 3 / 5
Open ADB on the network → device shell
An IoT / dev device left adbd listening on TCP/5555 — anyone on the LAN runs `adb connect` and gets a shell as the shell user, including pulling user data.
- step 3 / 9
SSRF → IMDS → AssumeRole chain → Org admin
A web SSRF leaks the EC2 instance role; iam:PassRole + sts:AssumeRole hops across two member accounts land you with AdministratorAccess in the organisation's management account.
- step 3 / 5
Compromised VM → Managed Identity → Subscription Owner
A VM with an over-privileged system-assigned managed identity is compromised; request an ARM token from IMDS (169.254.169.254/metadata/identity/oauth2/token with the `Metadata: true` header, no credentials needed from inside the VM), then assign yourself Owner on the subscription. The last step only works if the identity already holds Owner or User Access Administrator (Microsoft.Authorization/roleAssignments/write).
- step 4 / 6
Stolen credentials → no-MFA Snowflake → mass tenant exfil (2024)
Infostealer logs from third-party machines yielded credentials for many Snowflake tenants. Tenants without enforced MFA / IP allow-lists were directly queried; dozens of customer data sets exfiltrated.
- step 4 / 6
Secret echoed to public build log → cloud takeover
A workflow accidentally runs `env` or `set -x` during debugging — the AWS access key is now in public CI logs and indexed by Google Cache / GitHub search.
- step 5 / 6
SSRF → IMDS → cloud creds → lateral
An image-fetcher / link-preview endpoint fetches attacker-controlled URLs server-side. Pivot to the cloud metadata service and steal the instance role credentials.
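The Linux chains above (sudo NOPASSWD, docker group) all start with the same step-2 discovery: read /etc/passwd and /etc/group to learn which accounts can log in, which are uid 0 and which sit in privilege-granting groups. The following is an added example, not code from the registry or from any dossier. It parses constructed sample files so it runs offline; the INTERESTING_GROUPS list is an assumption about which groups matter, and the sample accounts are invented.

```python
"""Local account discovery (T1087.001) from /etc/passwd and /etc/group.

Added example, not part of the registry page. SAMPLE_PASSWD / SAMPLE_GROUP are
constructed inputs so the script runs offline; on a live host call
enumerate_accounts(open('/etc/passwd').read(), open('/etc/group').read()).
"""
from dataclasses import dataclass, field

# Shells that do not give an interactive login (an empty shell field means /bin/sh).
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}

# Assumption: groups an attacker or auditor flags first. sudo/wheel/admin -> sudo
# candidates, docker/lxd -> host root via container escape, adm -> log access,
# disk -> raw block-device access.
INTERESTING_GROUPS = {"wheel", "sudo", "admin", "docker", "lxd", "adm", "disk"}

# Constructed sample input (not captured from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
svc-backup:x:1002:1002::/var/backups:/bin/false
toor:x:0:0:second uid-0 account:/root:/bin/sh
"""

SAMPLE_GROUP = """\
root:x:0:
adm:x:4:alice,bob
sudo:x:27:alice
users:x:100:
docker:x:999:bob
"""


@dataclass
class Account:
    name: str
    uid: int
    gid: int
    home: str
    shell: str
    groups: set = field(default_factory=set)  # primary + supplementary group names

    @property
    def interactive(self) -> bool:
        return self.shell not in NOLOGIN_SHELLS


def parse_passwd(text: str) -> dict:
    """name -> Account for every well-formed 7-field passwd line."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) != 7:
            continue  # blank, comment or malformed line
        name, _pw, uid, gid, _gecos, home, shell = fields
        accounts[name] = Account(name, int(uid), int(gid), home, shell)
    return accounts


def parse_group(text: str) -> dict:
    """group name -> (gid, set of supplementary members)."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) != 4:
            continue
        name, _pw, gid, members = fields
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def enumerate_accounts(passwd_text: str, group_text: str) -> dict:
    """Accounts with primary (passwd gid) and supplementary (group file) membership resolved."""
    accounts = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    gid_to_name = {gid: name for name, (gid, _members) in groups.items()}
    for acct in accounts.values():
        if acct.gid in gid_to_name:
            acct.groups.add(gid_to_name[acct.gid])
        for gname, (_gid, members) in groups.items():
            if acct.name in members:
                acct.groups.add(gname)
    return accounts


def triage(accounts: dict) -> dict:
    """What to look at first: who can log in, who is uid 0, who holds a key group."""
    by_group = {}
    for gname in sorted(INTERESTING_GROUPS):
        members = sorted(a.name for a in accounts.values() if gname in a.groups)
        if members:
            by_group[gname] = members
    return {
        "interactive": sorted(a.name for a in accounts.values() if a.interactive),
        "uid0": sorted(a.name for a in accounts.values() if a.uid == 0),
        "privileged_group_members": by_group,
    }


if __name__ == "__main__":
    for key, value in triage(enumerate_accounts(SAMPLE_PASSWD, SAMPLE_GROUP)).items():
        print(f"{key}: {value}")
```

On the sample data the triage reports two uid-0 accounts (root and the planted toor), four interactive accounts, alice in sudo and bob in docker, which is exactly the information the two Linux dossiers need before their step 3. Primary-group resolution matters: a user whose passwd gid is the docker group's gid will not appear in the /etc/group member list, so checking only that list misses them.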
§ What commonly comes next
- 01 · Exfiltration Over C2 Channel · T1041 · Exfiltration · seen 2×
- 02 · Network Sniffing · T1040 · Credential Access · seen 2×
- 03 · ADB Backup Extraction · MOB-BACKUP-EXTRACT · Collection · seen 1×
- 04 · AWS iam:PassRole Chain · C-AWS-IAM-PASSROLE · Privilege Escalation · seen 1×
- 05 · AWS sts:AssumeRole Chain · C-AWS-ASSUMEROLE-CHAIN · Lateral Movement · seen 1×
- 06 · Azure RBAC Owner Assignment · C-AZ-RBAC-OWNER · Privilege Escalation · seen 1×
- 07 · DICOM C-STORE Unauth Access · HC-DICOM-CSTORE · Collection · seen 1×
- 08 · Dylib Hijack · MAC-DYLIB-HIJACK · Privilege Escalation · seen 1×