1. Home
  2. ATT&CK Techniques
  3. T1136.003 Cloud Account

T1136.003 Cloud Account Mappings

Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)

Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.

View in MITRE ATT&CK®

GCP Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
identityplatform IdentityPlatform technique_scores T1136.003 Cloud Account
Comments
Identity Platform multi-tenancy uses tenants to create unique silos of users and configurations within a single Identity Platform project. It provides provides secure, easy-to-use authentication if you're building a service on Google Cloud, on your own backend or on another platform; thereby, helping to mitigate adversaries from gaining access to systems.
References
  1. https://cloud.google.com/identity-platform/docs/concepts
security_command_center Security Command Center technique_scores T1136.003 Cloud Account
Comments
SCC ingests admin activity from Cloud Audit logs to detect when new service accounts are created. This security solution protects against potential adversary generated accounts used for initial access or to maintain persistence. Because of the temporal factor to detect this attack the control was graded as significant.
References
  1. https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview
  2. https://github.com/GoogleCloudPlatform/security-analytics
recaptcha_enterprise ReCAPTCHA Enterprise technique_scores T1136.003 Cloud Account
Comments
ReCAPTCHA Enterprise can implement a number of mitigations to prevent the automated creation of multiple accounts such as adding checkbox challenges on pages where end users need to enter their credentials and assessing user activity for potential misuses on all pages where accounts are created. Since this control doesn't prevent the manual creation of accounts, it has been given a rating of Partial.
References
  1. https://cloud.google.com/recaptcha-enterprise