EXPLORE
Sign In
← Back to Explore
T1136.003

Cloud Account

Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users) In addition to user a...

IaaSSaaSOffice SuiteIdentity Provider
30
Detections
3
Sources
2
Threat Actors

BY SOURCE

19splunk_escu8elastic3sigma

PROCEDURES (18)

Cloud3 detections

Auto-extracted: 3 detections for cloud

Azure3 detections

Auto-extracted: 3 detections for azure

Oauth3 detections

Auto-extracted: 3 detections for oauth

General Monitoring2 detections

Auto-extracted: 2 detections for general monitoring

Persist2 detections

Auto-extracted: 2 detections for persist

Exfiltrat2 detections

Auto-extracted: 2 detections for exfiltrat

Bypass2 detections

Auto-extracted: 2 detections for bypass

Credential2 detections

Auto-extracted: 2 detections for credential

Api2 detections

Auto-extracted: 2 detections for api

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Cloud Monitoring1 detections

Auto-extracted: 1 detections for cloud monitoring

Aws1 detections

Auto-extracted: 1 detections for aws

Cloud1 detections

Auto-extracted: 1 detections for cloud

Service1 detections

Auto-extracted: 1 detections for service

Privilege1 detections

Auto-extracted: 1 detections for privilege

Persist1 detections

Auto-extracted: 1 detections for persist

Office1 detections

Auto-extracted: 1 detections for office

Azure1 detections

Auto-extracted: 1 detections for azure

THREAT ACTORS (2)

APT29LAPSUS$

DETECTIONS (30)

ASL AWS Create Access Key
splunk_escu
ASL AWS UpdateLoginProfile
splunk_escu
AWS CreateAccessKey
splunk_escu
AWS CreateLoginProfile
splunk_escu
AWS ElastiCache Security Group Created
sigmalow
AWS IAM Create User via Assumed Role on EC2 Instance
elasticmedium
AWS IAM Group Creation
elasticlow
AWS Sensitive IAM Operations Performed via CloudShell
elasticmedium
AWS UpdateLoginProfile
splunk_escu
Azure AD External Guest User Invited
splunk_escu
Azure AD Multiple Service Principals Created by SP
splunk_escu
Azure AD Multiple Service Principals Created by User
splunk_escu
Azure AD Service Principal Created
splunk_escu
Azure Automation Account Created
splunk_escu
Azure Automation Runbook Created
splunk_escu
Entra ID External Guest User Invited
elasticlow
Entra ID Service Principal Created
elasticlow
GCP Service Account Creation
elasticlow
New Federated Domain Added - Exchange
sigmamedium
New Github Organization Member Added
sigmainformational
New GitHub Owner Added
elasticmedium
New GitHub Personal Access Token (PAT) Added
elasticlow
O365 Add App Role Assignment Grant User
splunk_escu
O365 Added Service Principal
splunk_escu
O365 External Guest User Invited
splunk_escu
O365 External Identity Policy Changed
splunk_escu
O365 Multiple Service Principals Created by SP
splunk_escu
O365 Multiple Service Principals Created by User
splunk_escu
O365 New Federated Domain Added
splunk_escu
O365 SharePoint Allowed Domains Policy Changed
splunk_escu