T1136.003SubTechniquepersistenceagent-callable

T1136.003Cloud Account

Sub-technique of T1136

Platforms: Azure AD · Office 365 · IaaS · Google Workspace · SaaS

ATT&CK version: 14.1

What it is

Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users) Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection. Once an adversary has created a cloud account, they can then manipulate that account to ensure persistence and allow access to additional resources - for example, by adding [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) or assigning [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003).

ATT&CK tactics· 1

Persistence

References

  1. https://attack.mitre.org/techniques/T1136/003
  2. https://docs.microsoft.com/en-us/office365/admin/add-users/about-admin-roles?view=o365-worldwide
  3. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html
  4. https://support.google.com/cloudidentity/answer/7332836?hl=en&ref_topic=7558554
  5. https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory
  6. https://support.office.com/en-us/article/add-another-admin-f693489f-9f55-4bd0-a637-a81ce93de22d
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.