Common Information

| Type | Value |
| --- | --- |
| Value | Cloud Accounts - T1078.004 |
| Category | Attack-Pattern |
| Type | Mitre-Attack-Pattern |
| Misp Type | Cluster |
Description

Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)

Service or user accounts may be targeted by adversaries through [Brute Force](https://attack.mitre.org/techniques/T1110), [Phishing](https://attack.mitre.org/techniques/T1566), or various other means to gain access to the environment. Federated or synced accounts may be a pathway for the adversary to affect both on-premises systems and cloud environments, for example by leveraging shared credentials to log onto [Remote Services](https://attack.mitre.org/techniques/T1021). Highly privileged cloud accounts, whether federated, synced, or cloud-only, may also allow pivoting to on-premises environments by leveraging SaaS-based [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) to run commands on hybrid-joined devices.

An adversary may create long-lasting [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) on a compromised cloud account to maintain persistence in the environment. Such credentials may also be used to bypass security controls such as multi-factor authentication. Cloud accounts may also be able to assume [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005) or other privileges through various means within the environment. Misconfigurations in role assignments or role assumption policies may allow an adversary to use these mechanisms to leverage permissions outside the intended scope of the account. Such over-privileged accounts may be used to harvest sensitive data from online storage accounts and databases through [Cloud API](https://attack.mitre.org/techniques/T1059/009) or other methods.
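The description names two defender-relevant conditions: role assumption policies that are broader than intended, and long-lived additional credentials minted on an existing account. The following is an added illustrative example, not part of this MISP cluster record or of MITRE's text, showing how both can be checked on AWS-style data. It assumes the documented shape of IAM trust policies (`Statement`, `Principal`, `Action`) and of CloudTrail events (`eventName`, `userIdentity`, `requestParameters`); the account IDs, user names, IP addresses and the `TRUSTED_ACCOUNTS` allow-list are constructed placeholders, and the "who created a key for whom" rule is a heuristic, not an official detection.

```python
"""Constructed checks for two T1078.004 conditions: over-broad role trust
policies and access keys created on another identity. Sample data below is
made up for the example; replace TRUSTED_ACCOUNTS with your own account IDs."""
import json

# Constructed allow-list: accounts we own and expect to see as trusted principals.
TRUSTED_ACCOUNTS = {"111111111111"}

# Constructed IAM role trust policy with one intended and two risky statements.
SAMPLE_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::222222222222:root"]},
     "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}
  ]
}
""")

# Constructed CloudTrail-style events (one JSON object per line).
SAMPLE_EVENTS = """
{"eventName": "CreateAccessKey", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "requestParameters": {"userName": "alice"}, "sourceIPAddress": "198.51.100.7"}
{"eventName": "CreateAccessKey", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111111111111:assumed-role/SupportRole/session1"}, "requestParameters": {"userName": "backup-svc"}, "sourceIPAddress": "203.0.113.9"}
{"eventName": "ListBuckets", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "requestParameters": null, "sourceIPAddress": "198.51.100.8"}
""".strip().splitlines()


def _principals(statement):
    """Flatten the Principal field of a statement into a list of strings."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        out = []
        for value in principal.values():
            out.extend(value if isinstance(value, list) else [value])
        return out
    return [principal]


def find_overbroad_trust(trust_policy):
    """Return findings for Allow statements that let untrusted principals assume the role."""
    findings = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        for p in _principals(stmt):
            if p == "*":
                findings.append("wildcard principal can assume role")
            elif p.startswith("arn:aws:iam::"):
                account = p.split(":")[4]  # ARN field 4 is the 12-digit account ID
                if account not in TRUSTED_ACCOUNTS:
                    findings.append(f"external account {account} can assume role")
    return findings


def find_suspicious_key_creation(event_lines):
    """Flag CreateAccessKey events where the actor is a role session or the key
    is minted for a different user than the caller (heuristic for T1098.001)."""
    findings = []
    for line in event_lines:
        event = json.loads(line)
        if event.get("eventName") != "CreateAccessKey":
            continue
        identity = event.get("userIdentity", {})
        actor = identity.get("userName") or identity.get("arn", "unknown")
        params = event.get("requestParameters") or {}
        target = params.get("userName") or actor  # absent userName means "self"
        reasons = []
        if identity.get("type") == "AssumedRole":
            reasons.append("key created from a role session")
        if target != actor:
            reasons.append("key created for a different identity")
        if reasons:
            findings.append({"actor": actor, "target": target,
                             "source_ip": event.get("sourceIPAddress"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_overbroad_trust(SAMPLE_TRUST_POLICY):
        print("trust policy:", f)
    for f in find_suspicious_key_creation(SAMPLE_EVENTS):
        print("access key:", f)
```

Run against real data by loading the trust policy from `iam get-role` output and feeding CloudTrail events line by line; the self-created key by `alice` is deliberately not flagged so the output stays focused on keys minted by one identity for another.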
| Details | Type | Published | Attributes | CTI Title |
| --- | --- | --- | --- | --- |
| Details | Website | 2024-09-27 | 0 | Top 6 Cloud Security Threats to Watch Out For |
| Details | Website | 2024-09-24 | 2 | Microsoft Pushes Governance, Sheds Unused Apps in Security Push |
| Details | Website | 2024-09-24 | 3 | SaaS Data Breaches on the Rise |
| Details | Website | 2024-09-23 | 0 | Relationship broken up? Here's how to separate your online accounts |
| Details | Website | 2024-09-23 | 0 | Relationship broken up? Here's how to separate your online accounts \| Malwarebytes |
| Details | Website | 2024-09-23 | 17 | Mastering Cloud-Specific IOCs for Enhanced Threat Detection \| Wiz Blog |
| Details | Website | 2024-09-19 | 0 | Trending cyberthreats and techniques from the first half of 2024 \| Red Canary |
| Details | Website | 2024-09-19 | 5 | Secure your Elastic Cloud account with multifactor authentication (MFA) |
| Details | Website | 2024-09-18 | 12 | The Growing Dangers of LLMjacking: Evolving Tactics and Evading Sanctions |
| Details | Website | 2024-09-18 | 0 | How to Track Performance Gains with Passkeys |
| Details | Website | 2024-09-17 | 2 | Avoiding The "No Responsibility" Cloud Security Model |
| Details | Website | 2024-09-11 | 1 | Large-Scale Data Exfiltration: Exploiting Secrets in .env Files to Compromise Cloud Accounts |
| Details | Website | 2024-09-10 | 0 | Building Secure IoT Networks — From Edge to Cloud |
| Details | Website | 2024-09-10 | 1 | Proofpoint Sets New Standard for Human-Centric Security with Powerful AI-driven Intelligence, Insights and Integrations \| Proofpoint US |
| Details | Website | 2024-09-06 | 0 | Can I recover a deleted PSS (Password Saver)? |
| Details | Website | 2024-09-05 | 2 | SaaS Security Lessons Learned the Hard Way \| Grip |
| Details | Website | 2024-09-05 | 3 | Cryptominers in the Cloud |
| Details | Website | 2024-08-31 | 0 | How can I recover a deleted KeePass Password Database (KDB)? |
| Details | Website | 2024-08-28 | 14 | The Markitto35 Saga: A Deep Dive into the World of a Digital Data Thief - CloudSEK News |
| Details | Website | 2024-08-23 | 1 | Focus on What Matters Most: Exposure Management and Your Attack Surface |
| Details | Website | 2024-08-15 | 62 | Leaked Environment Variables Allow Large-Scale Extortion Operation of Cloud Environments |
| Details | Website | 2024-08-07 | 41 | Cloud Cover: How Malicious Actors Are Leveraging Cloud Services |
| Details | Website | 2024-08-06 | 0 | Cloud Vendor Integrations Gone Wrong |
| Details | Website | 2024-07-12 | 0 | How Field Effect MDR simplifies compliance: HIPAA |