T1078.004: Cloud Accounts
| View on MITRE ATT&CK | T1078.004 |
|---|---|
| Tactic(s) | Privilege Escalation, Persistence, Defense Evasion, Initial Access |
Data from MITRE ATT&CK®:
Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud or be hybrid joined between on-premises systems and the cloud through federation with other identity sources such as Windows Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)
Service or user accounts may be targeted by adversaries through Brute Force, Phishing, or various other means to gain access to the environment. Federated accounts may be a pathway for the adversary to affect both on-premises systems and cloud environments.
An adversary may create long lasting Additional Cloud Credentials on a compromised cloud account to maintain persistence in the environment. Such credentials may also be used to bypass security controls such as multi-factor authentication.
Cloud accounts may also be able to assume Temporary Elevated Cloud Access or other privileges through various means within the environment. Misconfigurations in role assignments or role assumption policies may allow an adversary to use these mechanisms to leverage permissions outside the intended scope of the account. Such over privileged accounts may be used to harvest sensitive data from online storage accounts and databases through Cloud API or other methods.
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
Reporting on this Technique
SVR cyber actors adapt tactics for initial cloud access
This advisory from the UK's National Cyber Security Centre (NCSC) outlines tactics, techniques and procedures (TTPs) used by the cyber actors ...
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
Following an initial advisory issued in May 2023, this advisory from CISA, NSA and partners outlines information on the broader campaign of cyber ...
Mitigations for this technique
MITRE ATT&CK Mitigations
User Training
Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.Active Directory Configuration
Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.Privileged Account Management
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.Account Use Policies
Configure features related to account use like login attempt lockouts, specific login times, etc.User Account Management
Manage the creation, modification, use, and permissions associated to user accounts.Multi-factor Authentication
Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.Password Policies
Set and enforce secure password policies for accounts.How to detect this technique
MITRE ATT&CK Data Components
Logon Session Creation (Logon Session)
Initial construction of a successful new user logon following an authentication attempt. (e.g. Windows EID 4624, /var/log/utmp, or /var/log/wmtp)User Account Authentication (User Account)
An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4776 or /var/log/auth.log)Logon Session Metadata (Logon Session)
Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within itControl Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Sigma Detections for this Technique
AWS Root Credentials
Sign-in Failure Due to Conditional Access Requirements Not Met
User State Changed From Guest To Member
Users Added to Global or Device Admin Roles
Privileged Account Creation
Account Disabled or Blocked for Sign in Attempts
Bitlocker Key Retrieval
Potential MFA Bypass Using Legacy Client Authentication
User Access Blocked by Azure Conditional Access
AWS IAM S3Browser User or AccessKey Creation
Device Registration or Join Without MFA
Users Authenticating To Other Azure AD Tenants
Use of Legacy Authentication Protocols
Temporary Access Pass Added To An Account
User Added To Privilege Role
Password Reset By User Account
Guest User Invited By Non Approved Inviters
Azure AD Only Single Factor Authentication Required
AWS IAM S3Browser Templated S3 Bucket Policy Creation
Sign-ins by Unknown Devices
Bitbucket User Login Failure
Successful Authentications From Countries You Do Not Operate Out Of
Failed Authentications From Countries You Do Not Operate Out Of
PIM Approvals And Deny Elevation
Azure Subscription Permission Elevation Via ActivityLogs
Multifactor Authentication Interrupted
Github New Secret Created
Changes To PIM Settings
Multifactor Authentication Denied
Application URI Configuration Changes
Sign-ins from Non-Compliant Devices
Okta New Admin Console Behaviours
Login to Disabled Account
Application AppID Uri Configuration Changes
AWS IAM S3Browser LoginProfile Creation
Github Self Hosted Runner Changes Detected
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.