T1585.003 Cloud Accounts Mappings

Adversaries may create accounts with cloud providers that can be used during targeting. Adversaries can use cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, MEGA, Microsoft OneDrive, or AWS S3 buckets for Exfiltration to Cloud Storage or to Upload Tools. Cloud accounts can also be used in the acquisition of infrastructure, such as Virtual Private Servers or Serverless infrastructure. Establishing cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)

Creating Cloud Accounts may also require adversaries to establish Email Accounts to register with the cloud provider.



Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-02 Account Management Protects T1585.003 Cloud Accounts
IA-02 Identification and Authentication (organizational Users) Protects T1585.003 Cloud Accounts
ME-CAE-E3 Conditional Access Evaluation Technique Scores T1585.003 Cloud Accounts