Skip to content

DET0277 Detection Strategy for Role Addition to Cloud Accounts

Item Value
ID DET0277
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1098.003 (Additional Cloud Roles)

Analytics

IaaS

AN0771

Detection of new IAM roles or policies attached to a user/service in AWS/GCP/Azure outside normal patterns or hours, often following account compromise.

Log Sources
Data Component Name Channel
User Account Modification (DC0010) AWS:CloudTrail AttachUserPolicy, CreatePolicyVersion, PutRolePolicy
Mutable Elements
Field Description
RoleScope IAM Role type or privilege level assigned (e.g., Admin, Billing, Viewer)
UserContext User, service account, or external federated identity context performing the action
PolicyChangeTimeWindow How quickly multiple roles or policies are added after initial access
ExternalRoleOrigin Cross-account roles from outside trusted tenant list

Identity Provider

AN0772

Behavioral chain of a user being granted elevated privileges or roles in Entra ID or Okta following suspicious login or account creation activity.

Log Sources
Data Component Name Channel
User Account Modification (DC0010) m365:audit Add member to role, Add app role assignment
Mutable Elements
Field Description
AdminRoleThreshold Number of accounts allowed to hold sensitive roles like Global Admin
RoleAssignmentMethod Mechanism by which role was added (PowerShell, API, UI)
GrantContext Expected user-to-role mapping defined by org policy

Office Suite

AN0773

Detection of new admin or role assignment actions within Microsoft 365/O365 environments to elevate access for persistence or lateral movement.

Log Sources
Data Component Name Channel
User Account Modification (DC0010) m365:unified Add member to role, Set-Mailbox
Mutable Elements
Field Description
OfficeRoleType Admin role type or application role granted
TimeWindow Time between initial login and privilege change
ActionOrigin Was the role assignment local or via federated SSO account