Common Information
Type | Value |
---|---|
Value | Cloud Accounts - T1078.004 |
Category | Attack-Pattern |
Type | Mitre-Attack-Pattern |
Misp Type | Cluster |
Description | Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation) Service or user accounts may be targeted by adversaries through [Brute Force](https://attack.mitre.org/techniques/T1110), [Phishing](https://attack.mitre.org/techniques/T1566), or various other means to gain access to the environment. Federated or synced accounts may be a pathway for the adversary to affect both on-premises systems and cloud environments - for example, by leveraging shared credentials to log onto [Remote Services](https://attack.mitre.org/techniques/T1021). Highly privileged cloud accounts, whether federated, synced, or cloud-only, may also allow pivoting to on-premises environments by leveraging SaaS-based [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) to run commands on hybrid-joined devices. An adversary may create long-lasting [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) on a compromised cloud account to maintain persistence in the environment. Such credentials may also be used to bypass security controls such as multi-factor authentication. Cloud accounts may also be able to assume [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005) or other privileges through various means within the environment. Misconfigurations in role assignments or role assumption policies may allow an adversary to use these mechanisms to leverage permissions outside the intended scope of the account. Such over-privileged accounts may be used to harvest sensitive data from online storage accounts and databases through [Cloud API](https://attack.mitre.org/techniques/T1059/009) or other methods. |
Details | Published | Attributes | CTI | Title |
---|---|---|---|---|
Details | Website | 2023-06-28 | 3 | Phishing – It’s Not About Malware (Or Even Email) |
Details | Website | 2023-06-22 | 0 | Certificate Cloud Security Knowledge (CCSK) |
Details | Website | 2023-06-15 | 5 | INFORMATION BREACH PREVENTION STRATEGIES IN REMOTE TEAMS |
Details | Website | 2023-06-08 | 0 | Google puts $1M behind its mining-malware detection promise |
Details | Website | 2023-06-07 | 5 | Threat Hunting for Business Email Compromise Through User Agents |
Details | Website | 2023-06-06 | 0 | Google Workspace Users Can Now Go Password-Free With Passkeys |
Details | Website | 2023-06-06 | 0 | Google Workspace Gets Passkey Authentication |
Details | Website | 2023-05-30 | 112 | Russia/Ukraine Update - May 2023 |
Details | Website | 2023-05-24 | 0 | Understanding cloud security & why it's crucial for your business |
Details | Website | 2023-05-24 | 0 | Welcoming all users! Elastic expands Knowledge Center and Support Hub |
Details | Website | 2023-05-22 | 54 | Permiso \| Blog \| Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor |
Details | Website | 2023-05-17 | 0 | How MSPs can level up their managed security service |
Details | Website | 2023-05-17 | 1 | Threat actor bypasses detection, protections in Microsoft Azure Serial Console |
Details | Website | 2023-05-16 | 0 | Conquer Cloud Security Risk: Introducing Real-Time CSPM |
Details | Website | 2023-05-16 | 0 | Microsoft can open and scan password-protected Zip archives in the cloud |
Details | Website | 2023-05-16 | 17 | SIM Swapping and Abuse of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced Attack \| Mandiant |
Details | Website | 2023-05-15 | 0 | Cloud Security: The Key to Unlocking the Full Potential of the Cloud |
Details | Website | 2023-05-09 | 0 | Domain-Protect - OWASP Domain Protect - Prevent Subdomain Takeover - RedPacket Security |
Details | Website | 2023-05-03 | 0 | Payment software giant AvidXchange suffers its second ransomware attack of 2023 |
Details | Website | 2023-05-03 | 0 | Cybersecurity in the Cloud: Challenges and Solutions |
Details | Website | 2023-05-03 | 0 | Finally, a reason for your developers to want an agent |
Details | Website | 2023-04-24 | 0 | Cloud Security Management: CSPM vs. CWPP vs. CIEM vs. CNAPP |
Details | Website | 2023-04-20 | 56 | Linux malware strengthens links between Lazarus and the 3CX supply-chain attack \| WeLiveSecurity |
Details | Website | 2023-04-20 | 65 | Linux malware strengthens links between Lazarus and the 3CX supply-chain attack \| WeLiveSecurity |
Details | Website | 2023-04-20 | 481 | ATT&CK Changes |