T1136.003 Cloud Account

Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)

In addition to user accounts, cloud accounts may be associated with services. Cloud providers handle the concept of service accounts in different ways. In Azure, service accounts include service principals and managed identities, which can be linked to various resources such as OAuth applications, serverless functions, and virtual machines in order to grant those resources permissions to perform various activities in the environment.(Citation: Microsoft Entra ID Service Principals) In GCP, service accounts can also be linked to specific resources, as well as be impersonated by other accounts for Temporary Elevated Cloud Access.(Citation: GCP Service Accounts) While AWS has no specific concept of service accounts, resources can be directly granted permission to assume roles.(Citation: AWS Instance Profiles)(Citation: AWS Lambda Execution Role)

Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.

Once an adversary has created a cloud account, they can then manipulate that account to ensure persistence and allow access to additional resources - for example, by adding Additional Cloud Credentials or assigning Additional Cloud Roles.
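The sequence described above (an account is created, then credentials or roles are added to it) is what a defender should look for in cloud audit logs. The following is an added example, not part of the ATT&CK page or any vendor's code: it parses constructed CloudTrail-style JSON lines (the events, account id, ARNs and the `ProvisioningPipeline` role are all made up for the example), flags IAM principal creation by anyone outside an assumed approved-creator allowlist, and correlates each creation with follow-on `CreateAccessKey`, `AttachUserPolicy` and similar calls against the new principal inside a time window.

```python
"""Detect cloud account creation (T1136.003) and follow-on persistence in
CloudTrail-style events. Added example with constructed sample data."""
import json
from datetime import datetime, timedelta

# IAM calls that create a new principal, and calls that give an existing
# principal credentials or permissions (the follow-on manipulation step).
CREATE_EVENTS = {"CreateUser", "CreateRole"}
PERSIST_EVENTS = {
    "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy",
    "PutUserPolicy", "AddUserToGroup",
}
# Assumption: only this (hypothetical) provisioning role may create accounts.
APPROVED_CREATORS = {"arn:aws:iam::111122223333:role/ProvisioningPipeline"}

# Constructed sample log in CloudTrail-like shape (JSON lines); not real data.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ProvisioningPipeline"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2024-05-01T11:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "support-tmp"}},
    {"eventTime": "2024-05-01T11:03:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "support-tmp"}},
    {"eventTime": "2024-05-01T11:04:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "support-tmp",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-05-01T12:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": None},
])


def parse_events(raw):
    """Parse JSON lines into event dicts, adding a parsed '_time' field."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["_time"] = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def target_name(event):
    """Name of the IAM principal an event acts on, if any."""
    params = event.get("requestParameters") or {}
    return params.get("userName") or params.get("roleName")


def find_unapproved_creations(events, approved=APPROVED_CREATORS):
    """Principal creations performed by an actor outside the allowlist."""
    findings = []
    for event in events:
        if event.get("eventSource") != "iam.amazonaws.com":
            continue
        if event["eventName"] not in CREATE_EVENTS:
            continue
        actor = event.get("userIdentity", {}).get("arn", "<unknown>")
        if actor not in approved:
            findings.append({"actor": actor, "target": target_name(event),
                             "time": event["eventTime"]})
    return findings


def correlate_persistence(events, window=timedelta(hours=1)):
    """For each newly created principal, list credential/permission changes
    applied to it within `window` of creation: {target: [eventName, ...]}."""
    created = {}   # target name -> creation time
    findings = {}
    for event in sorted(events, key=lambda e: e["_time"]):
        if event.get("eventSource") != "iam.amazonaws.com":
            continue
        name = target_name(event)
        if event["eventName"] in CREATE_EVENTS and name:
            created[name] = event["_time"]
        elif event["eventName"] in PERSIST_EVENTS and name in created:
            if event["_time"] - created[name] <= window:
                findings.setdefault(name, []).append(event["eventName"])
    return findings


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("unapproved creations:", find_unapproved_creations(evts))
    print("creation followed by persistence:", correlate_persistence(evts))
```

Both checks are deliberately simple: the allowlist check catches account creation outside the approved provisioning path, and the correlation turns two individually plausible events into one finding by tying them to the same target principal within a short window. The same pattern applies to Azure activity logs or GCP audit logs once the field names are adjusted.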


CSA CCM Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

IAM-16 | Authorization Mechanisms | mitigates | T1136.003 | Cloud Account
Comments: This control requires both the CSP and the CSC to independently enforce formal approval processes for user access and to implement dynamic and explicit authorization mechanisms. The guidance focuses on implementing technical measures to verify authorization and prevent unauthorized access and execution.

I&S-06 | Segmentation and Segregation | mitigates | T1136.003 | Cloud Account
Comments: This control provides for appropriately segmented and segregated cloud environments. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Restricting access to domain controllers and systems used for account creation and management through access controls, firewalls, and separate VPC instances mitigates the ability of adversaries to create unauthorized accounts.

I&S-09 | Network Defense | mitigates | T1136.003 | Cloud Account
Comments: This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. This includes implementing access controls and firewalls and using cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Restricting access to domain controllers and systems used for account creation and management through access controls, firewalls, and separate VPC instances mitigates the ability of adversaries to create unauthorized accounts.

IAM-03 | Identity Inventory | mitigates | T1136.003 | Cloud Account
Comments: This control describes how the CSP must actively maintain and review a comprehensive inventory of all system identities (users, services, applications, roles, groups) with access to cloud resources. Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. A dynamic inventory of permitted cloud identities may aid in flagging the creation of any unauthorized identities.

IAM-05 | Least Privilege | mitigates | T1136.003 | Cloud Account
Comments: This control describes enforcement of the principle of least privilege through controls such as regular automated reviews of access permissions, MFA for high-risk accounts, prompt revocation of unused privileges, and limits on access to sensitive data. For this technique, limit the ability of user accounts to create additional accounts.

IAM-02 | Strong Password Policy and Procedures | mitigates | T1136.003 | Cloud Account
Comments: This control requires the CSP to enforce strong password management practices, implement protections against brute-force attacks, and support secure password reset processes. For this technique, adversaries may create a cloud account to maintain access to victim systems. In terms of mitigation, use multi-factor authentication for new user and privileged accounts. For instance, require multi-factor authentication to register devices in Entra ID. Configure multi-factor authentication systems to disallow enrolling new devices for inactive accounts. When first enrolling MFA, use conditional access policies to restrict device enrollment to trusted locations or devices, and consider using temporary access passes as an initial MFA solution to enroll a device.