EXPLORE
Sign In
← Back to Explore
T1098.001

Additional Cloud Credentials

Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure / Entra ID.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Mic...

IaaSIdentity ProviderSaaS
24
Detections
4
Sources
1
Threat Actors

BY SOURCE

18elastic3sigma2splunk_escu1kql

PROCEDURES (21)

General Monitoring2 detections

Auto-extracted: 2 detections for general monitoring

Saml2 detections

Auto-extracted: 2 detections for saml

Token2 detections

Auto-extracted: 2 detections for token

Bypass1 detections

Auto-extracted: 1 detections for bypass

Cloud1 detections

Auto-extracted: 1 detections for cloud

Credential1 detections

Auto-extracted: 1 detections for credential

Token1 detections

Auto-extracted: 1 detections for token

Privilege1 detections

Auto-extracted: 1 detections for privilege

Azure1 detections

Auto-extracted: 1 detections for azure

Bypass1 detections

Auto-extracted: 1 detections for bypass

Service1 detections

Auto-extracted: 1 detections for service

Phish1 detections

Auto-extracted: 1 detections for phish

Cloud1 detections

Auto-extracted: 1 detections for cloud

Authentication Monitoring1 detections

Auto-extracted: 1 detections for authentication monitoring

Phish1 detections

Auto-extracted: 1 detections for phish

Token1 detections

Auto-extracted: 1 detections for token

Service1 detections

Auto-extracted: 1 detections for service

Bypass1 detections

Auto-extracted: 1 detections for bypass

Azure1 detections

Auto-extracted: 1 detections for azure

Aws1 detections

Auto-extracted: 1 detections for aws

Api1 detections

Auto-extracted: 1 detections for api

THREAT ACTORS (1)

Storm-0501

DETECTIONS (24)

Added Credentials to Existing Application
sigmahigh
Application Added to Google Workspace Domain
elasticmedium
Attempt to Create Okta API Token
elasticmedium
AWS First Occurrence of STS GetFederationToken Request by User
elasticmedium
AWS IAM Login Profile Added for Root
elastichigh
AWS IAM SAML Provider Created
elasticmedium
AWS IAM User Created Access Keys For Another User
elasticmedium
AWS RDS DB Instance or Cluster Password Modified
elasticmedium
AWS Sensitive IAM Operations Performed via CloudShell
elasticmedium
Azure AD Service Principal New Client Credentials
splunk_escu
Azure Storage Account Key Regenerated
elasticlow
Entra ID Application Credential Modified
elasticmedium
Entra ID Domain Federation Configuration Change
elastichigh
Entra ID Federated Identity Credential Issuer Modified
elastichigh
Entra ID Service Principal Credentials Created by Unusual User
elasticmedium
Entra ID Service Principal Federated Credential Authentication by Unusual Client
elasticmedium
Entra ID Sharepoint or OneDrive Accessed by Unusual Client
elasticmedium
GCP Service Account Key Creation
elasticlow
Github Outside Collaborator Detected
sigmamedium
Google Workspace Object Copied to External Drive with App Consent
elasticmedium
New access credential added to application or service principal
kql
New GitHub Personal Access Token (PAT) Added
elasticlow
O365 Service Principal New Client Credentials
splunk_escu
Okta Identity Provider Created
sigmamedium