Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)
Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.
Once an adversary has created a cloud account, they can then manipulate that account to ensure persistence and allow access to additional resources - for example, by adding Additional Cloud Credentials or assigning Additional Cloud Roles.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-02 | Account Management | Protects | T1136.003 | Cloud Account | |
AC-20 | Use of External Systems | Protects | T1136.003 | Cloud Account | |
AC-03 | Access Enforcement | Protects | T1136.003 | Cloud Account | |
AC-04 | Information Flow Enforcement | Protects | T1136.003 | Cloud Account | |
AC-05 | Separation of Duties | Protects | T1136.003 | Cloud Account | |
AC-06 | Least Privilege | Protects | T1136.003 | Cloud Account | |
CM-05 | Access Restrictions for Change | Protects | T1136.003 | Cloud Account | |
CM-06 | Configuration Settings | Protects | T1136.003 | Cloud Account | |
CM-07 | Least Functionality | Protects | T1136.003 | Cloud Account | |
IA-02 | Identification and Authentication (organizational Users) | Protects | T1136.003 | Cloud Account | |
IA-05 | Authenticator Management | Protects | T1136.003 | Cloud Account | |
SC-07 | Boundary Protection | Protects | T1136.003 | Cloud Account | |
SI-04 | System Monitoring | Protects | T1136.003 | Cloud Account | |
SI-07 | Software, Firmware, and Information Integrity | Protects | T1136.003 | Cloud Account | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
ME-RBAC-E3 | Role Based Access Control | Technique Scores | T1136.003 | Cloud Account | Comments: The RBAC control can be used to implement the principle of least privilege for account management, limiting the number of accounts that can create new accounts. It receives a score of Partial for its ability to minimize the set of known accounts with the ability to create new accounts. License requirements: ME-ID Built-in Roles (Free). |
ME-PWA-E3 | Passwordless Authentication | Technique Scores | T1136.003 | Cloud Account | Comments: Microsoft recommends passwordless authentication. It provides the most secure MFA sign-in process by replacing the password with something you have plus something you are or something you know (e.g., biometrics, FIDO2 security keys, the Microsoft Authenticator app). Combined with Conditional Access policies, passwordless authentication can significantly reduce the likelihood of adversary activity such as account creation. License requirements: all Microsoft Entra ID licenses. |
ME-PIM-E5 | Privileged Identity Management | Technique Scores | T1136.003 | Cloud Account | Comments: PIM can enforce on-activation requirements for privileged roles such as User Administrator, including an MFA requirement, which provides additional protection against cloud account creation. PIM can also assign privileged roles as "eligible" rather than "active", requiring activation of the assigned role before it can be used. Due to these features, a score of Significant is assigned. License requirements: Microsoft Entra ID P2 or Microsoft Entra ID Governance. |
ME-MFA-E3 | Multi-factor Authentication | Technique Scores | T1136.003 | Cloud Account | Comments: Requiring MFA together with Conditional Access policies may reduce the likelihood of adversaries making modifications such as creating cloud accounts. MFA can significantly reduce the impact of adversaries creating accounts by requiring an additional authentication method for verification (e.g., Microsoft Authenticator, Authenticator Lite (in Outlook), Windows Hello for Business, FIDO2 security key, OATH hardware token (preview), OATH software token, SMS, voice call). |
DEF-SecScore-E3 | Secure Score | Technique Scores | T1136.003 | Cloud Account | Comments: Microsoft Secure Score measures an organization's security posture; a higher number indicates that more recommended actions have been taken. It is found under Microsoft Secure Score in the Microsoft Defender portal. Following its recommendations can protect the organization from threats: from a centralized dashboard in the Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. The score is updated in real time to reflect the information presented in the visualizations and recommended-action pages, and it syncs daily to receive system data about achieved points for each action. Recommended actions are organized into groups: Identity (Microsoft Entra accounts and roles); Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices); Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps); Data (through Microsoft Information Protection). |
DEF-IR-E5 | Incident Response | Technique Scores | T1136.003 | Cloud Account | Comments: An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect suspicious or malicious activity, and individual alerts provide valuable clues about a completed or ongoing attack. Because attacks typically employ various techniques against different entities (devices, users, mailboxes), they produce multiple alerts for multiple entities in the tenant; piecing those alerts together is challenging and time-consuming, so Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical incident response workflow in Defender XDR is triage, then investigation, then response. Defender XDR incident response applies to Cloud Account attacks because it monitors for newly created user accounts by collecting usage logs from cloud user and administrator accounts and identifying unusual account-creation activity. License requirements: Microsoft Defender XDR. |
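The detection logic that the SI-04 and DEF-IR-E5 rows describe (watching audit logs for newly created accounts, and for the credential and role additions that the technique description says typically follow) can be expressed directly over the logs. The Python below is an added example, not code from the mapping page or from Microsoft or AWS. It normalizes AWS CloudTrail records (real event names: CreateUser, CreateAccessKey, CreateLoginProfile, AttachUserPolicy) and Microsoft Entra ID audit records (real activity names: "Add user", "Add member to role") onto one schema, then flags account creations whose creator is not on an allow-list or that are followed within an hour by credential or role additions on the new account. The EXPECTED_CREATORS allow-list, every principal and account name, and the sample records themselves are constructed for the example.

```python
"""Flag suspicious cloud account creation in CloudTrail and Entra ID audit records.

Added example for the T1136.003 mapping page, not Microsoft's or AWS's code.
Principals, account names and the allow-list are hypothetical; the records
below are constructed to match the real log shapes, not captured telemetry.
"""
import json
from datetime import datetime, timedelta

# Hypothetical allow-list: a SCIM provisioning role and a provisioning service
# account are the only identities expected to create accounts.
EXPECTED_CREATORS = {
    "arn:aws:sts::111122223333:assumed-role/IdentityProvisioning/scim",
    "provisioning@example.com",
}

# CloudTrail eventName values and Entra audit activityDisplayName values.
CREATE_ACTIONS = {"CreateUser", "Add user"}
FOLLOW_ON_ACTIONS = {
    "CreateAccessKey": "credential_added",   # Additional Cloud Credentials
    "CreateLoginProfile": "credential_added",
    "AttachUserPolicy": "role_added",        # Additional Cloud Roles
    "Add member to role": "role_added",
}
FOLLOW_ON_WINDOW = timedelta(hours=1)

# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    # CloudTrail: routine provisioning of alice by the SCIM role (benign).
    {"eventTime": "2024-05-01T09:00:00Z", "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/IdentityProvisioning/scim"},
     "requestParameters": {"userName": "alice"}},
    # Entra ID: routine provisioning of carol by the provisioning account (benign).
    {"activityDateTime": "2024-05-01T10:00:00Z", "activityDisplayName": "Add user",
     "initiatedBy": {"user": {"userPrincipalName": "provisioning@example.com"}},
     "targetResources": [{"userPrincipalName": "carol@example.com"}]},
    # CloudTrail: an ordinary IAM user creates an account, then keys, then admin policy.
    {"eventTime": "2024-05-01T22:13:07Z", "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2024-05-01T22:14:02Z", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2024-05-01T22:15:40Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"userName": "svc-backup",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    # Entra ID: a regular user adds an account and grants it User Administrator.
    {"activityDateTime": "2024-05-01T23:40:11Z", "activityDisplayName": "Add user",
     "initiatedBy": {"user": {"userPrincipalName": "mallory@example.com"}},
     "targetResources": [{"userPrincipalName": "helpdesk-svc@example.com"}]},
    {"activityDateTime": "2024-05-01T23:41:05Z", "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "mallory@example.com"}},
     "targetResources": [{"userPrincipalName": "helpdesk-svc@example.com",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"User Administrator\""}]}]},
]


def _parse_time(value):
    # Both log sources emit ISO 8601 with a trailing Z; make it timezone-aware.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def normalize(record):
    """Map a CloudTrail or Entra ID audit record onto one schema: time, actor, action, target."""
    if "eventName" in record:  # AWS CloudTrail shape
        return {"time": _parse_time(record["eventTime"]),
                "actor": record["userIdentity"]["arn"],
                "action": record["eventName"],
                "target": record.get("requestParameters", {}).get("userName"),
                "source": "cloudtrail"}
    who = record["initiatedBy"]  # Entra ID audit shape: initiated by a user or an app
    actor = who.get("user", {}).get("userPrincipalName") or who.get("app", {}).get("displayName")
    return {"time": _parse_time(record["activityDateTime"]),
            "actor": actor,
            "action": record["activityDisplayName"],
            "target": record["targetResources"][0].get("userPrincipalName"),
            "source": "entra"}


def detect(records, expected_creators=EXPECTED_CREATORS, window=FOLLOW_ON_WINDOW):
    """One finding per account creation that is unexpected or is quickly followed by
    credential/role additions on the new account (the persistence chain in the text)."""
    events = sorted((normalize(r) for r in records), key=lambda e: e["time"])
    findings = []
    for i, ev in enumerate(events):
        if ev["action"] not in CREATE_ACTIONS:
            continue
        reasons = []
        if ev["actor"] not in expected_creators:
            reasons.append("unexpected_creator")
        for later in events[i + 1:]:
            if later["time"] - ev["time"] > window:
                break  # events are time-ordered, so nothing later is inside the window
            tag = FOLLOW_ON_ACTIONS.get(later["action"])
            if tag and later["target"] == ev["target"] and tag not in reasons:
                reasons.append(tag)
        if reasons:
            findings.append({"source": ev["source"], "creator": ev["actor"],
                             "target": ev["target"], "time": ev["time"].isoformat(),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_RECORDS), indent=2))
```

Run against the sample, the two benign provisioning events produce nothing, while the `svc-backup` creation is reported with all three reasons and `helpdesk-svc` with two. In production the allow-list should name the provisioning automation only (SCIM connector, IaC pipeline role), and a creation by an expected creator that is still followed by credential or role additions is reported too, so tune the window and follow-on set to the organization's own provisioning flow rather than suppressing those findings.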