DET0531 Detection Strategy for Additional Cloud Credentials in IaaS/IdP/SaaS
| Item | Value |
|---|---|
| ID | DET0531 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1098.001 (Additional Cloud Credentials)
Analytics
Identity Provider
AN1469
Addition of credentials (keys, app passwords, X.509 certificates) to existing cloud accounts, service principals, or OAuth apps, via the portal or the API, by identities or from IP ranges that do not normally perform identity administration.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| MFABypassMechanism | App password or legacy auth activity bypassing MFA policies. |
| SourceIPAllowlist | Expected IPs allowed to perform admin identity operations. |
| ApplicationCredentialType | Track types like client_secret, certificate, password, federated. |
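As an added worked example (editorial, not MITRE's code), the following Python prototype applies two of AN1469's mutable elements, SourceIPAllowlist and ApplicationCredentialType, to constructed Entra ID-style audit records. The record shape (activityDisplayName, initiatedBy, targetResources, modifiedProperties with a KeyDescription old/new value) mirrors the Microsoft Entra audit log, but the activity-name set, the allowlisted networks, the KeyType mapping and the sample records are all assumptions made for this example. The key detail it demonstrates is that KeyDescription lists every credential on the object, so the credential actually added is the set difference between newValue and oldValue.

```python
"""Prototype of analytic AN1469 over constructed Entra ID-style audit records.

Added example for this page, not MITRE's code. The record shape follows the
Microsoft Entra audit log; the activity names, allowlist, KeyType mapping and
sample records are assumptions.
"""
import ipaddress
import re

# Activities that attach a credential to an app registration or service principal (assumed set).
CREDENTIAL_ACTIVITIES = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}
# SourceIPAllowlist: networks from which admin identity operations are expected (assumed).
SOURCE_IP_ALLOWLIST = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "203.0.113.0/28")]
# ApplicationCredentialType: normalise the KeyType token to the analytic's categories.
KEY_TYPE_MAP = {"Password": "client_secret", "AsymmetricX509Cert": "certificate"}
KEY_FIELD = re.compile(r"(\w+)=([^,\]]+)")


def parse_keys(value):
    """Turn a KeyDescription value such as
    '["[KeyIdentifier=abc,KeyType=Password,KeyUsage=Verify,DisplayName=x]"]'
    into {KeyIdentifier: {field: value}}."""
    keys = {}
    for entry in re.findall(r"\[([^\]]*)\]", value or ""):
        fields = dict(KEY_FIELD.findall(entry))
        if "KeyIdentifier" in fields:
            keys[fields["KeyIdentifier"]] = fields
    return keys


def added_credentials(record):
    """Credentials present in newValue but not in oldValue: the ones this event added."""
    added = []
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") != "KeyDescription":
                continue
            old, new = parse_keys(prop.get("oldValue")), parse_keys(prop.get("newValue"))
            for kid in sorted(new.keys() - old.keys()):
                ktype = new[kid].get("KeyType", "")
                added.append({"keyId": kid, "target": target.get("displayName"),
                              "type": KEY_TYPE_MAP.get(ktype, ktype.lower() or "unknown")})
    return added


def ip_allowed(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SOURCE_IP_ALLOWLIST)


def analyze(records):
    """Flag credential additions made from outside the allowlist or by a non-user actor."""
    findings = []
    for rec in records:
        if rec.get("activityDisplayName") not in CREDENTIAL_ACTIVITIES:
            continue
        creds = added_credentials(rec)
        if not creds:
            continue
        initiated = rec.get("initiatedBy", {})
        actor = initiated.get("user") or initiated.get("app") or {}
        ip = actor.get("ipAddress")
        reasons = []
        if ip is None or not ip_allowed(ip):
            reasons.append(f"source IP {ip or 'unknown'} outside SourceIPAllowlist")
        if initiated.get("user") is None:
            reasons.append("initiated by an application identity, not an interactive admin")
        if reasons:
            findings.append({"actor": actor.get("userPrincipalName") or actor.get("displayName"),
                             "ip": ip, "credentials": creds, "reasons": reasons})
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {   # Expected: known admin, allowlisted network, adds one client secret.
        "activityDisplayName": "Add service principal credentials",
        "initiatedBy": {"user": {"userPrincipalName": "alice.admin@example.com", "ipAddress": "10.20.4.15"}},
        "targetResources": [{"displayName": "Payroll Connector", "modifiedProperties": [
            {"displayName": "KeyDescription", "oldValue": "[]",
             "newValue": '["[KeyIdentifier=6b1c2d3e,KeyType=Password,KeyUsage=Verify,DisplayName=rotation-2025]"]'}]}]},
    {   # Suspicious: certificate added to a mail-reading app from an unknown address.
        "activityDisplayName": "Add service principal credentials",
        "initiatedBy": {"user": {"userPrincipalName": "bob.contractor@example.com", "ipAddress": "198.51.100.77"}},
        "targetResources": [{"displayName": "Mail Archiver", "modifiedProperties": [
            {"displayName": "KeyDescription",
             "oldValue": '["[KeyIdentifier=0a9f8e7d,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=archiver-cert]"]',
             "newValue": '["[KeyIdentifier=0a9f8e7d,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=archiver-cert]",'
                         '"[KeyIdentifier=ffee1122,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=backup-cert]"]'}]}]},
    {   # Unrelated change: not a credential activity, ignored.
        "activityDisplayName": "Update user",
        "initiatedBy": {"user": {"userPrincipalName": "alice.admin@example.com", "ipAddress": "10.20.4.15"}},
        "targetResources": []},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_RECORDS):
        print(f["actor"], f["ip"], [c["type"] for c in f["credentials"]], "|", "; ".join(f["reasons"]))
```

Run stand-alone, the script reports only the second record: one certificate added to "Mail Archiver" from 198.51.100.77, outside the allowlist. The first record is the same activity name but is suppressed by the allowlist, which is why SourceIPAllowlist has to be tuned per tenant rather than left empty; the MFABypassMechanism element is not modelled here because the sign-in telemetry it needs is a different log source.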
IaaS
AN1470
Cloud API calls that create or import SSH key pairs, generate new access keys, or set a console password for an existing IAM user (CreateAccessKey, ImportKeyPair, CreateLoginProfile), issued from non-console access or by principals that do not normally provision credentials.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| CallerIdentityContext | Track root, federated identities, and STS tokens separately. |
| NewCredentialUsageWindow | Time between key creation and first use (default: 5 min). |
| IAMRoleBaseline | Expected services/accounts allowed to create keys. |
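As an added worked example (editorial, not MITRE's code), the following Python prototype runs AN1470 over constructed CloudTrail-style records and exercises all three mutable elements: CallerIdentityContext (root, federated and STS callers are classified separately), IAMRoleBaseline (a set of principal ARNs allowed to mint credentials) and NewCredentialUsageWindow (a created access key that is first used within five minutes is flagged). Field names follow the CloudTrail record format (eventName, eventTime, userIdentity, sourceIPAddress, userAgent, responseElements); the baseline ARN, the console user-agent heuristic and the sample events are assumptions made for this example.

```python
"""Prototype of analytic AN1470 over constructed CloudTrail-style records.

Added example for this page, not MITRE's code. Field names follow the
CloudTrail record format; the baseline ARN, the console user-agent heuristic
and the sample events are assumptions.
"""
from datetime import datetime, timedelta

CREDENTIAL_EVENTS = {"CreateAccessKey", "ImportKeyPair", "CreateLoginProfile"}
# IAMRoleBaseline: principals expected to provision credentials (assumed value).
IAM_ROLE_BASELINE = {
    "arn:aws:sts::111122223333:assumed-role/IdentityAutomation/provisioner",
}
# NewCredentialUsageWindow: default from the analytic.
NEW_CREDENTIAL_USAGE_WINDOW = timedelta(minutes=5)
# Console sessions present these user agents; anything else is treated as
# non-console (CLI/SDK/API) access. Heuristic, assumed for this example.
CONSOLE_USER_AGENTS = ("console.amazonaws.com", "signin.amazonaws.com")


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def caller_identity_context(identity):
    """CallerIdentityContext: keep root, federated and STS callers distinct."""
    kind = identity.get("type")
    if kind == "Root":
        return "root"
    if kind == "FederatedUser":
        return "federated"
    if kind == "AssumedRole":
        return "sts"
    return "iam-user"


def analyze(events):
    """Return findings for credential creation by principals outside the baseline
    and for new access keys first used within NEW_CREDENTIAL_USAGE_WINDOW."""
    findings = []
    created = {}  # accessKeyId -> (creation time, creating principal ARN)
    for ev in sorted(events, key=lambda e: parse_time(e["eventTime"])):
        ident = ev["userIdentity"]
        when = parse_time(ev["eventTime"])
        if ev["eventName"] in CREDENTIAL_EVENTS:
            # Remember any access key returned so its first use can be timed.
            key_id = ev.get("responseElements", {}).get("accessKey", {}).get("accessKeyId")
            if key_id:
                created[key_id] = (when, ident.get("arn"))
            if ident.get("arn") in IAM_ROLE_BASELINE:
                continue  # expected provisioning path, not alerted on
            ctx = caller_identity_context(ident)
            reasons = ["principal outside IAMRoleBaseline"]
            if not ev.get("userAgent", "").startswith(CONSOLE_USER_AGENTS):
                reasons.append("non-console access")
            if ctx == "root":
                reasons.append("root credentials used")
            findings.append({"eventName": ev["eventName"], "principal": ident.get("arn"),
                             "context": ctx, "sourceIPAddress": ev.get("sourceIPAddress"),
                             "reasons": reasons})
        else:
            # Any later call signed with a key we saw created: measure the gap.
            key_id = ident.get("accessKeyId")
            if key_id in created:
                t_created, creator = created.pop(key_id)
                gap = when - t_created
                if gap <= NEW_CREDENTIAL_USAGE_WINDOW:
                    findings.append({"eventName": ev["eventName"], "principal": ident.get("arn"),
                                     "context": caller_identity_context(ident),
                                     "sourceIPAddress": ev.get("sourceIPAddress"),
                                     "reasons": [f"new key first used {int(gap.total_seconds())}s "
                                                 f"after creation by {creator}"]})
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"eventTime": "2025-10-21T10:00:00Z", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/IdentityAutomation/provisioner"},
     "sourceIPAddress": "10.20.0.8", "userAgent": "aws-sdk-go/1.44.0",
     "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLE0000000A1", "userName": "build-bot"}}},
    {"eventTime": "2025-10-21T10:01:10Z", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/jdoe", "userName": "jdoe"},
     "sourceIPAddress": "198.51.100.24", "userAgent": "aws-cli/2.15.0",
     "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLE0000000B2", "userName": "svc-backup"}}},
    {"eventTime": "2025-10-21T10:02:40Z", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/svc-backup",
                      "accessKeyId": "AKIAEXAMPLE0000000B2"},
     "sourceIPAddress": "198.51.100.24", "userAgent": "aws-cli/2.15.0"},
    {"eventTime": "2025-10-21T10:25:00Z", "eventName": "GetCallerIdentity",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/build-bot",
                      "accessKeyId": "AKIAEXAMPLE0000000A1"},
     "sourceIPAddress": "10.20.0.8", "userAgent": "aws-sdk-go/1.44.0"},
    {"eventTime": "2025-10-21T10:30:00Z", "eventName": "CreateLoginProfile",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "sourceIPAddress": "203.0.113.7", "userAgent": "console.amazonaws.com",
     "requestParameters": {"userName": "svc-backup"}},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["eventName"], f["context"], f["principal"], "|", "; ".join(f["reasons"]))
```

Run stand-alone, the script yields three findings: jdoe's CLI-issued CreateAccessKey for another user, the 90-second gap before that new key is first used, and a root-initiated CreateLoginProfile for the same user. The key created by the baseline automation role is recorded but not alerted on, and its first use 25 minutes later falls outside the window. Because keys are popped from the tracking map on first use, only the first call with a new key is evaluated against NewCredentialUsageWindow; a production version would persist that map across batches rather than keep it in memory.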
SaaS
AN1471
Credential-related configuration changes in productivity apps, such as API key creation in Google Workspace, app tokens in Slack, or user-level OAuth credentials in M365.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| OAuthClientRedirectURIBaseline | Detect suspicious redirect URI mismatches in new clients. |
| TokenScopeSensitivity | Highlight credentials granting excessive read/write org-wide. |