T1136.003 Cloud Account Mappings

Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)

Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.



Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
identityplatform IdentityPlatform technique_scores T1136.003 Cloud Account
security_command_center Security Command Center technique_scores T1136.003 Cloud Account
recaptcha_enterprise ReCAPTCHA Enterprise technique_scores T1136.003 Cloud Account