T1078.004

Cloud Accounts

Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through sync...

Platforms: IaaS, Identity Provider, Office Suite, SaaS
Detections: 149
Sources: 3
Threat Actors: 9

BY SOURCE

elastic: 91, sigma: 39, splunk_escu: 19

PROCEDURES (68)

Auto-extracted keyword groups, with the number of detections in each group in parentheses (group names are the extractor's keyword stems as shown on the page, and a stem appears more than once where it was extracted more than once):

General Monitoring (14)
Authentication Monitoring (13)
Bypass (9)
Api (7)
Persist (5)
Cloud Monitoring (4)
Script Execution Monitoring (4)
Unusual (4)
Privilege (4)
Powershell (4)
Cloud (3)
Unusual (3)
Spray (3)
Lateral (3)
Azure (2)
Exfiltrat (2)
Impersonat (2)
Email (2)
Spray (2)
Http (2)
Aws (2)
Cloud (2)
C2 (2)
Brute Force (2)
Token (2)
Saml (2)
Ransomware (2)
Aws (2)
Unusual (2)
Oauth (1)
Exfiltrat (1)
Exfiltrat (1)
Credential (1)
Impersonat (1)
Network Connection Monitoring (1)
Bypass (1)
Lateral (1)
Privilege (1)
Email Security (1)
Azure (1)
Exfiltrat (1)
Suspicious (1)
Api (1)
C2 (1)
Unusual (1)
File Monitoring (1)
Saml (1)
Privilege (1)
Exfiltrat (1)
Anomal (1)
Powershell (1)
Privilege (1)
Kubernetes (1)
Kubernetes (1)
Azure (1)
Impersonat (1)
Phish (1)
Email (1)
Phish (1)
Impersonat (1)
Powershell (1)
Anomal (1)
Persist (1)
Service (1)
Ransomware (1)
Phish (1)
Service (1)
Suspicious (1)

DETECTIONS (149)

Each entry is listed as name (source, severity); splunk_escu entries carry no severity on this page.

Account Disabled or Blocked for Sign in Attempts (sigma, medium)
Application AppID Uri Configuration Changes (sigma, high)
Application URI Configuration Changes (sigma, high)
ASL AWS Create Policy Version to allow all resources (splunk_escu)
AWS Access Token Used from Multiple Addresses (elastic, medium)
AWS CloudShell Environment Created (elastic, low)
AWS Create Policy Version to allow all resources (splunk_escu)
AWS EC2 Instance Console Login via Assumed Role (elastic, high)
AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role (elastic, medium)
AWS IAM API Calls via Temporary Session Tokens (elastic, low)
AWS IAM Assume Role Policy Update (elastic, low)
AWS IAM CompromisedKeyQuarantine Policy Attached to User (elastic, high)
AWS IAM Login Profile Added for Root (elastic, high)
AWS IAM Long-Term Access Key Correlated with Elevated Detection Alerts (elastic, high)
AWS IAM Long-Term Access Key First Seen from Source IP (elastic, medium)
AWS IAM OIDC Provider Created by Rare User (elastic, medium)
AWS IAM S3Browser LoginProfile Creation (sigma, high)
AWS IAM S3Browser Templated S3 Bucket Policy Creation (sigma, high)
AWS IAM S3Browser User or AccessKey Creation (sigma, high)
AWS IAM SAML Provider Created (elastic, medium)
AWS IAM Virtual MFA Device Registration Attempt with Session Token (elastic, medium)
AWS Management Console Root Login (elastic, medium)
AWS Root Credentials (sigma, medium)
AWS SAML Provider Deletion Activity (sigma, medium)
AWS SetDefaultPolicyVersion (splunk_escu)
AWS Sign-In Console Login with Federated User (elastic, medium)
AWS Sign-In Root Password Recovery Requested (elastic, high)
AWS STS AssumeRole with New MFA Device (elastic, low)
AWS STS AssumeRoot by Rare User and Member Account (elastic, medium)
AWS STS Role Assumption by User (elastic, low)
AWS STS Role Chaining (elastic, medium)
AWS Successful Console Login Without MFA (sigma, medium)
AWS Successful Single-Factor Authentication (splunk_escu)
AWS Suspicious User Agent Fingerprint (elastic, medium)
Azure AD Authentication Failed During MFA Challenge (splunk_escu)
Azure AD Multiple Failed MFA Requests For User (splunk_escu)
Azure AD Only Single Factor Authentication Required (sigma, low)
Azure AD Service Principal Authentication (splunk_escu)
Azure AD Successful PowerShell Authentication (splunk_escu)
Azure AD Successful Single-Factor Authentication (splunk_escu)
Azure Arc Cluster Credential Access by Identity from Unusual Source (elastic, medium)
Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created (elastic, low)
Azure Runbook Webhook Created (splunk_escu)
Azure Service Principal Sign-In Followed by Arc Cluster Credential Access (elastic, medium)
Azure Storage Account Keys Accessed by Privileged User (elastic, medium)
Azure Subscription Permission Elevation Via ActivityLogs (sigma, high)
Bitbucket User Login Failure (sigma, medium)
Bitlocker Key Retrieval (sigma, medium)
Changes To PIM Settings (sigma, high)
Cloud Compute Instance Created By Previously Unseen User (splunk_escu)
Cloud Instance Modified By Previously Unseen User (splunk_escu)
Device Registration or Join Without MFA (sigma, medium)
Entra ID Actor Token User Impersonation Abuse (elastic, medium)
Entra ID Concurrent Sign-in with Suspicious Properties (elastic, high)
Entra ID High Risk Sign-in (elastic, high)
Entra ID High Risk User Sign-in Heuristic (elastic, medium)
Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource (elastic, medium)
Entra ID OAuth Device Code Flow with Concurrent Sign-ins (elastic, high)
Entra ID OAuth Device Code Grant by Microsoft Authentication Broker (elastic, medium)
Entra ID OAuth Device Code Grant by Unusual User (elastic, medium)
Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS) (elastic, high)
Entra ID OAuth Phishing via First-Party Microsoft Application (elastic, medium)
Entra ID OAuth PRT Issuance to Non-Managed Device Detected (elastic, medium)
Entra ID OAuth ROPC Grant Login Detected (elastic, medium)
Entra ID OAuth User Impersonation to Microsoft Graph (elastic, medium)
Entra ID OAuth user_impersonation Scope for Unusual User and Client (elastic, medium)
Entra ID PowerShell Sign-in (elastic, low)
Entra ID Protection - Risk Detection - Sign-in Risk (elastic, high)
Entra ID Protection - Risk Detection - User Risk (elastic, high)
Entra ID Protection Admin Confirmed Compromise (elastic, critical)
Entra ID Protection Alerts for User Detected (elastic, high)
Entra ID Protection User Alert and Device Registration (elastic, high)
Entra ID Service Principal Federated Credential Authentication by Unusual Client (elastic, medium)
Entra ID Service Principal with Unusual Source ASN (elastic, medium)
Entra ID Sharepoint or OneDrive Accessed by Unusual Client (elastic, medium)
Entra ID User Added as Service Principal Owner (elastic, low)
Entra ID User Reported Suspicious Activity (elastic, medium)
Entra ID User Sign-in with Unusual Authentication Type (elastic, medium)
Entra ID User Sign-in with Unusual Client (elastic, medium)
Entra ID User Sign-in with Unusual Non-Managed Device (elastic, low)
External User Added to Google Workspace Group (elastic, medium)
Failed Authentications From Countries You Do Not Operate Out Of (sigma, low)
First Occurrence of Okta User Session Started via Proxy (elastic, medium)
First Time Seen Google Workspace OAuth Login from Third-Party Application (elastic, medium)
FortiGate FortiCloud SSO Login from Unusual Source (elastic, medium)
GCP Authentication Failed During MFA Challenge (splunk_escu)
GCP Multiple Failed MFA Requests For User (splunk_escu)
GCP Successful Single-Factor Authentication (splunk_escu)
Github Activity on a Private Repository from an Unusual IP (elastic, low)
Github New Secret Created (sigma, low)
Github Self Hosted Runner Changes Detected (sigma, low)
Github SSH Certificate Configuration Changed (sigma, medium)
Google Workspace Suspended User Account Renewed (elastic, low)
Guest User Invited By Non Approved Inviters (sigma, medium)
High Number of Okta User Password Reset or Unlock Attempts (elastic, medium)
Login to Disabled Account (sigma, medium)
M365 Identity Login from Atypical Travel Location (elastic, medium)
M365 Identity Login from Impossible Travel Location (elastic, medium)
M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs (elastic, high)
M365 Identity OAuth Phishing via First-Party Microsoft Application (elastic, medium)
M365 Identity Unusual SSO Authentication Errors for User (elastic, medium)
M365 Identity User Account Lockouts (elastic, medium)
Microsoft Graph Request User Impersonation by Unusual Client (elastic, low)
Multifactor Authentication Denied (sigma, medium)
Multifactor Authentication Interrupted (sigma, medium)
Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy (elastic, medium)
O365 Security And Compliance Alert Triggered (splunk_escu)
Okta Alerts Following Unusual Proxy Authentication (elastic, high)
Okta Authentication Failed During MFA Challenge (splunk_escu)
Okta New Admin Console Behaviours (sigma, high)
Okta Sign-In Events via Third-Party IdP (elastic, medium)
Okta Successful Login After Credential Attack (elastic, high)
Okta Successful Single Factor Authentication (splunk_escu)
Okta ThreatInsight Threat Detected (splunk_escu)
Okta User Session Impersonation (elastic, high)
Okta User Sessions Started from Different Geolocations (elastic, medium)
Password Reset By User Account (sigma, medium)
PIM Approvals And Deny Elevation (sigma, high)
Potential MFA Bypass Using Legacy Client Authentication (sigma, high)
Potential Okta MFA Bombing via Push Notifications (elastic, high)
Potentially Successful Okta MFA Bombing via Push Notifications (elastic, high)
Privileged Account Creation (sigma, medium)
Sign-in Failure Due to Conditional Access Requirements Not Met (sigma, high)
Sign-ins by Unknown Devices (sigma, low)
Sign-ins from Non-Compliant Devices (sigma, high)
Successful Application SSO from Rare Unknown Client Device (elastic, medium)
Successful Authentications From Countries You Do Not Operate Out Of (sigma, medium)
Temporary Access Pass Added To An Account (sigma, high)
Unauthorized Access to an Okta Application (elastic, low)
Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials (elastic, medium)
Unusual AWS Command for a User (elastic, low)
Unusual AWS S3 Object Encryption with SSE-C (elastic, high)
Unusual Azure Activity Logs Event for a User (elastic, low)
Unusual City For a GCP Event (elastic, low)
Unusual City For an AWS Command (elastic, low)
Unusual City for an Azure Activity Logs Event (elastic, low)
Unusual Country For a GCP Event (elastic, low)
Unusual Country For an AWS Command (elastic, low)
Unusual Country for an Azure Activity Logs Event (elastic, low)
Unusual GCP Event for a User (elastic, low)
Unusual Host Name for Okta Privileged Operations Detected (elastic, low)
Unusual Region Name for Okta Privileged Operations Detected (elastic, low)
Unusual Source IP for Okta Privileged Operations Detected (elastic, low)
Use of Legacy Authentication Protocols (sigma, high)
User Access Blocked by Azure Conditional Access (sigma, medium)
User Added To Privilege Role (sigma, high)
User State Changed From Guest To Member (sigma, medium)
Users Added to Global or Device Admin Roles (sigma, high)
Users Authenticating To Other Azure AD Tenants (sigma, medium)