T1098.003

Additional Cloud Roles

An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromi...

Platforms: IaaS, Identity Provider, Office Suite, SaaS

53 Detections, 3 Sources, 3 Threat Actors

BY SOURCE: elastic 27, splunk_escu 19, sigma 7

PROCEDURES (24)

Auto-extracted keyword groupings (detections per keyword):

Azure: 6 detections
Service: 6 detections
Cloud: 4 detections
Privilege: 4 detections
Exfiltrat: 3 detections
Api: 3 detections
Persist: 2 detections
Lateral: 2 detections
Credential: 2 detections
Bypass: 2 detections
Email: 2 detections
Persist: 2 detections
Service: 2 detections
Bypass: 2 detections
General Monitoring: 2 detections
Credential: 1 detection
Api: 1 detection
Authentication Monitoring: 1 detection
Azure: 1 detection
Office: 1 detection
Service: 1 detection
Azure: 1 detection
Persist: 1 detection
Exfiltrat: 1 detection

DETECTIONS (53)

Detection (source, severity):

Administrator Privileges Assigned to an Okta Group (elastic, medium)
App Assigned To Azure RBAC/Microsoft Entra Role (sigma, medium)
App Granted Privileged Delegated Or App Permissions (sigma, high)
AWS IAM AdministratorAccess Policy Attached to Group (elastic, medium)
AWS IAM AdministratorAccess Policy Attached to Role (elastic, medium)
AWS IAM AdministratorAccess Policy Attached to User (elastic, medium)
AWS IAM Assume Role Policy Update (elastic, low)
AWS IAM Roles Anywhere Profile Creation (elastic, low)
AWS IAM Roles Anywhere Trust Anchor Created with External CA (elastic, medium)
AWS IAM User Addition to Group (elastic, low)
AWS Sensitive IAM Operations Performed via CloudShell (elastic, medium)
AWS STS AssumeRoot by Rare User and Member Account (elastic, medium)
Azure AD Admin Consent Bypassed by Service Principal (splunk_escu)
Azure AD Application Administrator Role Assigned (splunk_escu)
Azure AD FullAccessAsApp Permission Assigned (splunk_escu)
Azure AD Global Administrator Role Assigned (splunk_escu)
Azure AD PIM Role Assigned (splunk_escu)
Azure AD PIM Role Assignment Activated (splunk_escu)
Azure AD Privileged Role Assigned (splunk_escu)
Azure AD Privileged Role Assigned to Service Principal (splunk_escu)
Azure AD Service Principal Privilege Escalation (splunk_escu)
Azure AD Tenant Wide Admin Consent Granted (splunk_escu)
Azure Event Hub Authorization Rule Created or Updated (elastic, medium)
Azure RBAC Built-In Administrator Roles Assigned (elastic, high)
Entra ID Elevated Access to User Access Administrator (elastic, high)
Entra ID Global Administrator Role Assigned (elastic, high)
Entra ID Global Administrator Role Assigned (PIM User) (elastic, high)
Entra ID Privileged Identity Management (PIM) Role Modified (elastic, medium)
GCP IAM Custom Role Creation (elastic, medium)
GCP Storage Bucket Permissions Modification (elastic, medium)
Github Outside Collaborator Detected (sigma, medium)
GitHub Owner Role Granted To User (elastic, medium)
Google Workspace Admin Role Assigned to a User (elastic, high)
Google Workspace Application Access Level Modified (sigma, medium)
Google Workspace Custom Admin Role Created (elastic, medium)
Google Workspace User Organizational Unit Changed (elastic, low)
Granting Of Permissions To An Account (sigma, medium)
M365 Exchange Management Group Role Assigned (elastic, medium)
M365 Identity Global Administrator Role Assigned (elastic, medium)
M365 SharePoint Site Administrator Added (elastic, medium)
New GitHub Owner Added (elastic, medium)
O365 Admin Consent Bypassed by Service Principal (splunk_escu)
O365 Application Available To Other Tenants (splunk_escu)
O365 FullAccessAsApp Permission Assigned (splunk_escu)
O365 High Privilege Role Granted (splunk_escu)
O365 Mailbox Read Access Granted to Application (splunk_escu)
O365 Privileged Role Assigned (splunk_escu)
O365 Privileged Role Assigned To Service Principal (splunk_escu)
O365 Service Principal Privilege Escalation (splunk_escu)
O365 Tenant Wide Admin Consent Granted (splunk_escu)
Okta Admin Role Assigned to an User or Group (sigma, medium)
Okta User Assigned Administrator Role (elastic, medium)
User Added to an Administrator's Azure AD Role (sigma, medium)