Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)
Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| identityplatform | IdentityPlatform | technique_scores | T1136.003 | Cloud Account |
| security_command_center | Security Command Center | technique_scores | T1136.003 | Cloud Account |
| recaptcha_enterprise | ReCAPTCHA Enterprise | technique_scores | T1136.003 | Cloud Account |