EXPLORE

← Back to Explore

T1021.007

Cloud Services

Adversaries may log into accessible cloud services within a compromised environment using [Valid Accounts](https://attack.mitre.org/techniques/T1078) that are synchronized with or federated to on-premises user identities. The adversary may then perform management actions or access cloud-hosted resources as the logged-on user. Many enterprises federate centrally managed user identities to cloud services, allowing users to login with their domain credentials in order to access the cloud control ...

IaaSIdentity ProviderOffice SuiteSaaS

10

Detections

3

Sources

3

Threat Actors

BY SOURCE

5elastic4splunk_escu1sigma

PROCEDURES (9)

Remote2 detections

Auto-extracted: 2 detections for remote

Token1 detections

Auto-extracted: 1 detections for token

C21 detections

Auto-extracted: 1 detections for c2

Remote1 detections

Auto-extracted: 1 detections for remote

Cloud Monitoring1 detections

Auto-extracted: 1 detections for cloud monitoring

Api1 detections

Auto-extracted: 1 detections for api

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Token1 detections

Auto-extracted: 1 detections for token

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

THREAT ACTORS (3)

APT29 Scattered Spider Storm-0501

DETECTIONS (10)

AWS Console GetSigninToken Potential Abuse

AWS EC2 Instance Console Login via Assumed Role

AWS SSM Session Started to EC2 Instance

Microsoft Intune Device Health Scripts

Microsoft Intune DeviceManagementConfigurationPolicies

Microsoft Intune Manual Device Management

Microsoft Intune Mobile Apps

Unusual AWS Command for a User

Unusual Azure Activity Logs Event for a User

Unusual GCP Event for a User