# T1078.004 Cloud Accounts

-----------------------------------------------------------------------

## Technique Description

Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management systems, such as Windows Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)

Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.

Once a cloud account is compromised, an adversary may perform [Account Manipulation](https://attack.mitre.org/techniques/T1098) - for example, by adding [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) - to maintain persistence and potentially escalate their privileges.

## Technique Detection

Monitor the activity of cloud accounts to detect abnormal or malicious behavior, such as accessing information outside of the normal function of the account or account usage at atypical hours.
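The detection guidance above turned into runnable baseline-and-deviation logic over constructed sign-in records, as an added example that is not part of the MITRE page. It assumes a hypothetical event shape (`user`, `ts`, `ip`, `app`) and a 07:00-19:59 UTC working window; both are assumptions, not any provider's real log schema or a recommended threshold.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records shaped like logon-session-creation events from a
# cloud identity provider. Field names are assumptions, not a real schema.
HISTORY = [  # known-good baseline period
    {"user": "alice@example.com", "ts": "2022-06-13T09:02:00Z", "ip": "203.0.113.10", "app": "Exchange Online"},
    {"user": "alice@example.com", "ts": "2022-06-14T10:40:00Z", "ip": "203.0.113.10", "app": "SharePoint"},
    {"user": "bob@example.com",   "ts": "2022-06-13T08:15:00Z", "ip": "198.51.100.7", "app": "Exchange Online"},
]
NEW = [  # events to evaluate against the baseline
    {"user": "alice@example.com", "ts": "2022-06-20T09:12:00Z", "ip": "203.0.113.10", "app": "Exchange Online"},
    {"user": "alice@example.com", "ts": "2022-06-21T03:27:00Z", "ip": "192.0.2.55",   "app": "Azure Portal"},
    {"user": "bob@example.com",   "ts": "2022-06-21T02:05:00Z", "ip": "198.51.100.7", "app": "Exchange Online"},
]
WORK_HOURS = range(7, 20)  # 07:00-19:59 UTC treated as normal (assumption)


def build_baseline(events):
    """Per-user sets of previously seen source IPs and applications."""
    seen = defaultdict(lambda: {"ips": set(), "apps": set()})
    for e in events:
        seen[e["user"]]["ips"].add(e["ip"])
        seen[e["user"]]["apps"].add(e["app"])
    return seen


def detect(events, baseline):
    """Return (user, timestamp, reasons) for sign-ins that deviate from the baseline."""
    findings = []
    for e in events:
        when = datetime.fromisoformat(e["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
        known = baseline.get(e["user"], {"ips": set(), "apps": set()})
        reasons = []
        if when.hour not in WORK_HOURS:          # account usage at atypical hours
            reasons.append("atypical hour")
        if e["ip"] not in known["ips"]:          # never-before-seen source for this account
            reasons.append("new source IP")
        if e["app"] not in known["apps"]:        # access outside the account's normal function
            reasons.append("app outside normal function")
        if reasons:
            findings.append((e["user"], e["ts"], reasons))
    return findings


if __name__ == "__main__":
    for user, ts, reasons in detect(NEW, build_baseline(HISTORY)):
        print(f"{ts} {user}: {', '.join(reasons)}")
```

Each reason is a weak signal on its own; the combination on one sign-in is what warrants an analyst's attention.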

-----------------------------------------------------------------------

### Tactics:

  * Defense-Evasion

  * Persistence

  * Privilege-Escalation

  * Initial-Access

### Platforms:

  * Azure AD

  * Office 365

  * SaaS

  * IaaS

  * Google Workspace

### Adversary Required Permissions:

  * User

  * Administrator

### Data Sources:

  * **Logon Session:** Logon Session Creation

  * **User Account:** User Account Authentication

  * **Logon Session:** Logon Session Metadata

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| APT33 | [APT33](https://attack.mitre.org/groups/G0064) has used compromised Office 365 accounts in tandem with [Ruler](https://attack.mitre.org/software/S0358) in an attempt to gain control of endpoints.(Citation: Microsoft Holmium June 2020)| 
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) has used a compromised O365 administrator account to create a new Service Principal.(Citation: CrowdStrike StellarParticle January 2022)| 
| APT28 | [APT28](https://attack.mitre.org/groups/G0007) has used compromised Office 365 service accounts with Global Administrator privileges to collect email from user inboxes.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)| 
| Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) has used compromised credentials to sign into victims’ Microsoft 365 accounts.(Citation: Microsoft NICKEL December 2021)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1078/004)

  * [AWS Identity Federation](https://aws.amazon.com/identity/federation/), Amazon. (n.d.). Identity Federation in AWS. Retrieved March 13, 2020.

  * [Google Federating GC](https://cloud.google.com/solutions/federating-gcp-with-active-directory-introduction), Google. (n.d.). Federating Google Cloud with Active Directory. Retrieved March 13, 2020.

  * [Microsoft Deploying AD Federation](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs), Microsoft. (n.d.). Deploying Active Directory Federation Services in Azure. Retrieved March 13, 2020.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------
### This technique is a duplicate. Follow the link below to the "Primary Version".
<a href="../Initial Access/T1078.004 Cloud Accounts.ipynb" target="_blank">Primary Version</a>