Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)
In addition to user accounts, cloud accounts may be associated with services. Cloud providers handle the concept of service accounts in different ways. In Azure, service accounts include service principals and managed identities, which can be linked to various resources such as OAuth applications, serverless functions, and virtual machines in order to grant those resources permissions to perform various activities in the environment.(Citation: Microsoft Entra ID Service Principals) In GCP, service accounts can also be linked to specific resources, as well as be impersonated by other accounts for Temporary Elevated Cloud Access.(Citation: GCP Service Accounts) While AWS has no specific concept of service accounts, resources can be directly granted permission to assume roles.(Citation: AWS Instance Profiles)(Citation: AWS Lambda Execution Role)
Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.
Once an adversary has created a cloud account, they can then manipulate that account to ensure persistence and allow access to additional resources - for example, by adding Additional Cloud Credentials or assigning Additional Cloud Roles.
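The description above covers three providers whose account-creation events land in three differently shaped audit logs. The following is an added example, not code from the mapped page or from any cloud vendor: it normalises AWS CloudTrail, Microsoft Entra ID audit-log and GCP Cloud Audit Log records, flags identity-creation events, and lists what each new identity itself did within a window after creation, which is the pattern worth triaging (a new account or service account that immediately starts acting, or is immediately given Additional Cloud Credentials or Additional Cloud Roles). Field names follow each provider's documented log schema, the `CREATION_EVENTS` table is this example's own starting list (extend it for your tenant), and every record in `SAMPLE_EVENTS` is constructed.

```python
"""
Added example, not code from the mapped page or from any cloud vendor:
normalise audit records from AWS CloudTrail, Microsoft Entra ID audit logs
and GCP Cloud Audit Logs, flag identity-creation events (T1136.003), and
list what each new identity did within a window after it was created.
Every record in SAMPLE_EVENTS is constructed for this example.
"""
from datetime import datetime, timedelta, timezone

# Event names that mean "a new user or service identity now exists" (assumed
# starting list; extend for roles, managed identities, etc. in your tenant).
CREATION_EVENTS = {
    "aws":   {"CreateUser", "CreateRole"},
    "entra": {"Add user", "Add service principal"},
    "gcp":   {"google.iam.admin.v1.CreateServiceAccount"},
}


def _ts(text):
    """Parse an RFC 3339 timestamp such as 2024-05-01T10:00:00Z to aware UTC."""
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


def normalise(raw):
    """Map one raw record to {provider, time, actor, action, target} using each
    provider's documented field names; returns None for unrecognised records."""
    if "eventName" in raw and "userIdentity" in raw:            # AWS CloudTrail
        ui, rp = raw["userIdentity"], raw.get("requestParameters") or {}
        return {"provider": "aws", "time": _ts(raw["eventTime"]),
                "actor": ui.get("arn") or ui.get("userName", "unknown"),
                "action": raw["eventName"],
                "target": rp.get("userName") or rp.get("roleName")}
    if "activityDisplayName" in raw:                              # Entra ID audit log
        who = raw.get("initiatedBy") or {}
        who = who.get("user") or who.get("app") or {}
        tgt = (raw.get("targetResources") or [{}])[0]
        return {"provider": "entra", "time": _ts(raw["activityDateTime"]),
                "actor": who.get("userPrincipalName") or who.get("displayName", "unknown"),
                "action": raw["activityDisplayName"],
                "target": tgt.get("userPrincipalName") or tgt.get("displayName")}
    if "protoPayload" in raw:                                     # GCP Cloud Audit Logs
        pp = raw["protoPayload"]
        return {"provider": "gcp", "time": _ts(raw["timestamp"]),
                "actor": (pp.get("authenticationInfo") or {}).get("principalEmail", "unknown"),
                "action": pp.get("methodName", ""),
                "target": (pp.get("response") or {}).get("email") or pp.get("resourceName")}
    return None


def _acted_as(event, identity):
    """True when `event` was performed by `identity`: exact match, or the last
    path element of an AWS ARN such as arn:aws:iam::123456789012:user/NAME."""
    actor = event["actor"]
    return actor == identity or actor.endswith("/" + identity)


def detect_account_creation(raw_events, window=timedelta(hours=24)):
    """One finding per identity-creation event: who created the identity and
    every action the new identity itself took within `window`."""
    events = sorted((e for e in map(normalise, raw_events) if e), key=lambda e: e["time"])
    findings = []
    for c in events:
        if c["action"] not in CREATION_EVENTS[c["provider"]] or not c["target"]:
            continue
        later = [e for e in events
                 if e["provider"] == c["provider"]
                 and c["time"] < e["time"] <= c["time"] + window
                 and _acted_as(e, c["target"])]
        findings.append({"provider": c["provider"], "created_by": c["actor"],
                         "new_identity": c["target"], "at": c["time"].isoformat(),
                         "first_actions": [e["action"] for e in later]})
    return findings


# Constructed records, one small chain per provider (not real log data).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/admin-jane"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/admin-jane"},
     "requestParameters": {"userName": "svc-backup",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-05-01T10:40:00Z", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/svc-backup"},
     "requestParameters": {"instanceType": "p3.8xlarge"}},
    {"activityDateTime": "2024-05-01T11:00:00Z", "activityDisplayName": "Add user",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
     "targetResources": [{"type": "User", "userPrincipalName": "it-support2@contoso.example"}]},
    {"activityDateTime": "2024-05-01T11:20:00Z", "activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "it-support2@contoso.example"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "Mail Sync Helper"}]},
    {"timestamp": "2024-05-02T09:00:00Z",
     "protoPayload": {"methodName": "google.iam.admin.v1.CreateServiceAccount",
                      "authenticationInfo": {"principalEmail": "dev@example.com"},
                      "response": {"email": "ci-runner@proj-1.iam.gserviceaccount.com"}}},
]

if __name__ == "__main__":
    import json
    for finding in detect_account_creation(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

On the constructed input this yields three findings: the AWS user `svc-backup` launched an instance 40 minutes after being created, the Entra user `it-support2` granted consent to an application 20 minutes after being added, and the GCP service account has no follow-on actions of its own (the key created for it by the creator would show up as a separate Additional Cloud Credentials check). Treat the time window and the creation-event list as tuning knobs, not fixed truths.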
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.IR-01.05 | Remote access protection | Mitigates | T1136.003 | Cloud Account |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
References
|
PR.IR-01.06 | Production environment segregation | Mitigates | T1136.003 | Cloud Account |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
References
|
PR.AA-05.02 | Privileged system access | Mitigates | T1136.003 | Cloud Account |
Comments
This diagnostic statement protects against Cloud Account through the use of privileged account management and the use of multi-factor authentication.
References
|
DE.CM-06.02 | Third-party access monitoring | Mitigates | T1136.003 | Cloud Account |
Comments
This diagnostic statement protects against Cloud Account through the use of privileged account management. Employing auditing, privileged access management, and just-in-time access protects against adversaries trying to obtain illicit access to critical systems.
References
|
PR.AA-02.01 | Authentication of identity | Mitigates | T1136.003 | Cloud Account |
Comments
This diagnostic statement provides protection against Create Account through privileged account management controls that limit credential access. Restricting account creation to specific accounts, enforcing access control mechanisms, and auditing the logs that attribute each account creation to an identity provide protection against adversaries attempting to create accounts.
References
|
PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1136.003 | Cloud Account |
Comments
This diagnostic statement protects against Create Account through key management and the revocation of keys and certificates. Restricting which accounts may hold or issue credentials, together with access control mechanisms, provides protection against adversaries attempting to create accounts.
References
|
PR.AA-03.01 | Authentication requirements | Mitigates | T1136.003 | Cloud Account |
Comments
This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators such as PINs and passwords to protect sensitive access credentials.
References
|
PR.IR-01.01 | Network segmentation | Mitigates | T1136.003 | Cloud Account |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Limit access to critical systems and domain controllers to provide protection against adversaries attempting to create accounts.
References
|
PR.AA-01.01 | Identity and credential management | Mitigates | T1136.003 | Cloud Account |
Comments
This diagnostic statement protects against Cloud Account through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.Profile host | Enumerating the state of the current host | related-to | T1136.003 | Cloud Account | |
attribute.integrity.variety.Created account | Created new user account | related-to | T1136.003 | Cloud Account |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
microsoft_sentinel | Microsoft Sentinel | technique_scores | T1136.003 | Cloud Account |
Comments
The Microsoft Sentinel Hunting queries can identify potentially malicious cloud account creation: "External user added and removed in short timeframe" and "External user from a new organisation added" can identify the addition of new external Teams user accounts.
The following Microsoft Sentinel Analytics queries can identify potentially malicious cloud account creation: "User Granted Access and created resources" which identifies a newly created user account gaining access and creating resources in Azure, and "New Cloud Shell User".
References
|
azure_role_based_access_control | Azure Role-Based Access Control | technique_scores | T1136.003 | Cloud Account |
Comments
This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can create accounts.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
identity_platform | Identity Platform | technique_scores | T1136.003 | Cloud Account |
Comments
Identity Platform multi-tenancy uses tenants to create unique silos of users and configurations within a single Identity Platform project. It provides secure, easy-to-use authentication if you're building a service on Google Cloud, on your own backend or on another platform, thereby helping to mitigate adversaries gaining access to systems.
References
|
recaptcha_enterprise | ReCAPTCHA Enterprise | technique_scores | T1136.003 | Cloud Account |
Comments
ReCAPTCHA Enterprise can implement a number of mitigations to prevent the automated creation of multiple accounts such as adding checkbox challenges on pages where end users need to enter their credentials and assessing user activity for potential misuses on all pages where accounts are created.
Since this control doesn't prevent the manual creation of accounts, it has been given a rating of Partial.
References
|
security_command_center | Security Command Center | technique_scores | T1136.003 | Cloud Account |
Comments
SCC ingests admin activity from Cloud Audit logs to detect when new service accounts are created. This security solution protects against potential adversary generated accounts used for initial access or to maintain persistence. Because of the temporal factor to detect this attack the control was graded as significant.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
aws_config | AWS Config | technique_scores | T1136.003 | Cloud Account |
Comments
The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can provide significant protection against attempted manipulation of cloud accounts, including the creation of new ones: "iam-user-mfa-enabled", "mfa-enabled-for-iam-console-access", "root-account-hardware-mfa-enabled", and "root-account-mfa-enabled". All of these controls are run periodically and provide partial coverage, since adversaries may be able to create cloud credentials via other mechanisms, resulting in an overall score of Partial.
References
|
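The four managed rules above are evaluated by AWS Config inside the account. The following is an added example, not code from the mapped page or from AWS: an offline re-implementation of the same four checks, run over a constructed IAM credential report and a constructed list of virtual MFA devices, with each finding marked when the user was created recently, because an adversary-created IAM user is by definition a recent one. In a real account the inputs are the CSV returned by `aws iam get-credential-report` and the JSON from `aws iam list-virtual-mfa-devices --assignment-status Assigned`; the column subset, the sample rows, the device list and the fixed clock are all constructed for this example.

```python
"""
Added example, not code from the mapped page or from AWS: an offline
re-implementation of what the four AWS Config rules above evaluate, run over
a constructed IAM credential report and a constructed list of virtual MFA
devices. Real inputs: `aws iam get-credential-report` (CSV) and
`aws iam list-virtual-mfa-devices --assignment-status Assigned` (JSON).
"""
import csv
import io
from datetime import datetime, timedelta, timezone

ROOT_USER = "<root_account>"   # literal user name AWS uses for root in the report

# Constructed credential report; column set trimmed to what this check reads.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,2019-03-01T08:00:00+00:00,not_supported,true,false
admin-jane,arn:aws:iam::123456789012:user/admin-jane,2020-06-15T12:00:00+00:00,true,true,true
svc-backup,arn:aws:iam::123456789012:user/svc-backup,2024-05-01T10:00:00+00:00,true,false,true
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-11-02T00:00:00+00:00,false,false,true
"""

# Constructed list_virtual_mfa_devices output: root's MFA is a virtual device.
VIRTUAL_MFA_DEVICES = [
    {"SerialNumber": "arn:aws:iam::123456789012:mfa/root-account-mfa-device",
     "User": {"Arn": "arn:aws:iam::123456789012:root"}},
]

SAMPLE_NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)   # fixed clock for the sample


def parse_credential_report(report_csv):
    """Parse the CSV body of get-credential-report into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(report_csv)))


def evaluate_mfa(rows, virtual_mfa_devices, now, new_account_days=7):
    """Return non-compliance findings mirroring the four managed rules.
    `recent` marks IAM users created within `new_account_days`, the population
    an adversary-created account (T1136.003) falls into."""
    root_has_virtual_mfa = any(
        (d.get("User") or {}).get("Arn", "").endswith(":root") for d in virtual_mfa_devices)
    findings = []
    for r in rows:
        user, mfa = r["user"], r["mfa_active"] == "true"
        if user == ROOT_USER:
            if not mfa:                      # root-account-mfa-enabled
                findings.append({"rule": "root-account-mfa-enabled", "user": user,
                                 "detail": "root has no MFA device", "recent": False})
            elif root_has_virtual_mfa:       # root-account-hardware-mfa-enabled
                findings.append({"rule": "root-account-hardware-mfa-enabled", "user": user,
                                 "detail": "root MFA is a virtual device, not hardware",
                                 "recent": False})
            continue
        if mfa:
            continue
        created = datetime.fromisoformat(r["user_creation_time"])
        recent = now - created < timedelta(days=new_account_days)
        findings.append({"rule": "iam-user-mfa-enabled", "user": user,        # all IAM users
                         "detail": "IAM user has no MFA device", "recent": recent})
        if r["password_enabled"] == "true":                                    # console users
            findings.append({"rule": "mfa-enabled-for-iam-console-access", "user": user,
                             "detail": "console password enabled without MFA", "recent": recent})
    return findings


def run_sample():
    """Evaluate the constructed inputs against the fixed clock."""
    return evaluate_mfa(parse_credential_report(SAMPLE_REPORT), VIRTUAL_MFA_DEVICES, now=SAMPLE_NOW)


if __name__ == "__main__":
    for f in run_sample():
        flag = " [created in last 7 days]" if f["recent"] else ""
        print(f"{f['rule']:<38} {f['user']:<16} {f['detail']}{flag}")
```

On the constructed report this produces four findings: root is protected only by a virtual MFA device, `svc-backup` (created two days before the sample clock) has a console password and no MFA, and the long-standing `ci-deploy` user has no MFA either but no console password, so only the first of the two IAM rules fires for it. Sorting the output by the `recent` flag is the quickest way to surface an account that matches the technique on this page.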
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DEF-SSCO-E3 | Secure Score | Technique Scores | T1136.003 | Cloud Account |
Comments
Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.
Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.
To help you find the information you need more quickly, Microsoft recommended actions are organized into groups:
Identity (Microsoft Entra accounts & roles)
Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)
Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)
Data (through Microsoft Information Protection)
References
|
EID-PWLA-E3 | Passwordless Authentication | Technique Scores | T1136.003 | Cloud Account |
Comments
Microsoft recommends the use of passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have plus something you are or something you know (e.g., biometrics, FIDO2 security keys, the Microsoft Authenticator app).
When combined with Conditional Access policies, passwordless authentication can significantly reduce the likelihood of adversary activity (e.g., account creation).
License Requirements:
All Microsoft Entra ID licenses
References
|
DEF-IR-E5 | Incident Response | Technique Scores | T1136.003 | Cloud Account |
Comments
An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes, which results in multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, so Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical incident response workflow in Microsoft Defender XDR begins with triage, proceeds to investigation, and ends with response actions.
Microsoft Defender XDR Incident Response responds to Cloud Account attacks by monitoring for newly created user accounts: usage logs from cloud user and administrator accounts are collected to identify unusual activity in the creation of new accounts.
License Requirements:
Microsoft Defender XDR
References
|
EID-RBAC-E3 | Role Based Access Control | Technique Scores | T1136.003 | Cloud Account |
Comments
The RBAC control can be used to implement the principle of least privilege for account management in order to limit the number of accounts that can create new accounts. This receives a score of Partial for its ability to minimize known accounts with the ability to create new accounts.
License Requirements:
ME-ID Built-in Roles (Free)
References
|
EID-MFA-E3 | Multifactor Authentication | Technique Scores | T1136.003 | Cloud Account |
Comments
MFA can significantly reduce the impact from adversaries creating accounts by requiring an additional authentication method for verification (e.g., Microsoft Authenticator, Authenticator Lite (in Outlook), Windows Hello for Business, FIDO2 security key, OATH hardware token (preview), OATH software token, SMS, Voice call, etc.)
References
|
EID-PIM-E5 | Privileged Identity Management | Technique Scores | T1136.003 | Cloud Account |
Comments
Privileged roles such as the User Administrator role can be configured to require MFA on activation to provide additional protection against the execution of this technique. In addition, these privileged roles can be assigned as eligible rather than permanently active roles to further reduce the attack surface.
References
|
EID-PIM-E5 | Privileged Identity Management | Technique Scores | T1136.003 | Cloud Account |
Comments
The PIM control can enforce on-activation requirements for privileged roles such as User Administrator. Configuration can include an MFA requirement, which provides additional protection against Cloud Account creation. PIM can also assign privileged roles as "eligible" rather than "active", requiring activation of the assigned role before use. Due to these features, a score of Significant is assigned.
License Requirements:
Microsoft Entra ID P2 or Microsoft Entra ID Governance
References
|