Skip to content

DET0319 Detection Strategy for T1136.003 - Cloud Account Creation across IaaS, IdP, SaaS, Office

Item Value
ID DET0319
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1136.003 (Cloud Account)

Analytics

Identity Provider

AN0899

Adversaries create user accounts via identity provider APIs or admin portals (e.g., Azure AD, Okta). These accounts may be assigned elevated privileges or used in chained authentication. Detection monitors Add User activity from suspicious IPs or automation sources, followed by role/permission escalation.

Log Sources
Data Component Name Channel
User Account Creation (DC0014) azure:audit Add user
User Account Modification (DC0010) azure:audit Add member to role
User Account Authentication (DC0002) azure:signinlogs Login from newly created account
Mutable Elements
Field Description
IPAddress Filter on IPs outside known admin networks or geographies
RoleThreshold Raise alert if total admins exceeds historical baseline
ServicePrincipalFlag Differentiate between user and service principal creation

IaaS

AN0900

Adversaries use cloud API, CLI, or console to create IAM users or roles. Initial CreateUser is followed by policy/role attachment. Detection monitors temporal chains involving IAM:CreateUser, AttachUserPolicy, and credential generation, especially from automation or foreign IP ranges.

Log Sources
Data Component Name Channel
User Account Creation (DC0014) AWS:CloudTrail CreateUser
User Account Modification (DC0010) AWS:CloudTrail AttachUserPolicy
Mutable Elements
Field Description
Region Alert when creation happens in unexpected regions
TimeWindow Chain CreateUser → AttachPolicy → AccessKey within short timeframe
UserAgent Monitor API calls from non-console or automation tools

SaaS

AN0901

Adversaries create SaaS accounts via admin dashboards or integrations (e.g., Zoom, Salesforce, Slack). Monitor lifecycle.create or account provisioning events from non-standard sources or times.

Log Sources
Data Component Name Channel
User Account Creation (DC0014) saas:zoom New user created
Mutable Elements
Field Description
ApplicationScope Trigger only for high-privilege or sensitive applications
AdminUserList Compare actor to list of approved SaaS administrators

Office Suite

AN0902

Adversaries leverage M365 or Google Workspace APIs to create users, service accounts, or guest accounts. Follow-on behaviors include login activity, role escalation, or service principal token generation.

Log Sources
Data Component Name Channel
User Account Creation (DC0014) m365:unified Add user
Group Modification (DC0094) m365:unified Add member to group
Mutable Elements
Field Description
GroupSensitivity Only alert on additions to high-value groups (e.g., Domain Admins)
GuestFlag Tune alerts based on guest vs internal user creation