T1021.007 Cloud Services Mappings

Adversaries may log into accessible cloud services within a compromised environment using Valid Accounts that are synchronized with or federated to on-premises user identities. The adversary may then perform management actions or access cloud-hosted resources as the logged-on user.

Many enterprises federate centrally managed user identities to cloud services, allowing users to login with their domain credentials in order to access the cloud control plane. Similarly, adversaries may connect to available cloud services through the web console or through the cloud command line interface (CLI) (e.g., Cloud API), using commands such as <code>Connect-AZAccount</code> for Azure PowerShell, <code>Connect-MgGraph</code> for Microsoft Graph PowerShell, and <code>gcloud auth login</code> for the Google Cloud CLI.

In some cases, adversaries may be able to authenticate to these services via Application Access Token instead of a username and password.



Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
IA-05 Authenticator Management Protects T1021.007 Cloud Services
IA-02 Identification and Authentication (organizational Users) Protects T1021.007 Cloud Services
AC-20 Use of External Systems Protects T1021.007 Cloud Services
AC-03 Access Enforcement Protects T1021.007 Cloud Services
AC-05 Separation of Duties Protects T1021.007 Cloud Services
AC-06 Least Privilege Protects T1021.007 Cloud Services
AC-02 Account Management Protects T1021.007 Cloud Services
ME-PWA-E3 Passwordless Authentication Technique Scores T1021.007 Cloud Services
DEF-SecScore-E3 Secure Score Technique Scores T1021.007 Cloud Services