T1098.003 Additional Cloud Roles

An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.4 5 6 2 With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).1 2

This account modification may immediately follow Create Account or other malicious account activity. Adversaries may also modify existing Valid Accounts that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.

For example, in Azure AD environments, an adversary with the Application Administrator role can add Additional Cloud Credentials to their application’s service principal. In doing so the adversary would be able to gain the service principal’s roles and permissions, which may be different from those of the Application Administrator.3 Similarly, in AWS environments, an adversary with appropriate permissions may be able to use the CreatePolicyVersion API to define a new version of an IAM policy or the AttachUserPolicy API to attach an IAM policy with additional or distinct permissions to a compromised user account.8

Similarly, an adversary with the Azure AD Global Administrator role can toggle the “Access management for Azure resources” option to gain the ability to assign privileged access to Azure subscriptions and virtual machines to Azure AD users, including themselves.

ID: T1098.003
Sub-techniques: T1098.001, T1098.002, T1098.003, T1098.004, T1098.005
Tactics: TA0003
Platforms: Azure AD, Google Workspace, IaaS, Office 365, SaaS
Version: 2.2
Created: 19 January 2020
Last Modified: 14 April 2023

Procedure Examples

G1004 (LAPSUS$): LAPSUS$ has added the global admin role to accounts they have created in the targeted organization’s cloud instances.10
C0024 (SolarWinds Compromise): During the SolarWinds Compromise, APT29 granted company administrator privileges to a newly created service principal.11

Mitigations

M1032 (Multi-factor Authentication): Use multi-factor authentication for user and privileged accounts.
M1026 (Privileged Account Management): Ensure that all accounts use the least privileges they require. In Azure AD environments, consider using Privileged Identity Management (PIM) to define roles that require two or more approvals before assignment to users.9
M1018 (User Account Management): Ensure that low-privileged user accounts do not have permissions to add permissions to accounts or update IAM policies.

Detection

DS0002 (User Account): User Account Modification
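As an added example that is not part of the ATT&CK page: a small detector for the User Account Modification data component above, covering the AWS APIs named in the description (AttachUserPolicy, CreatePolicyVersion) and the Azure AD directory-role assignment it describes. Field names approximate the CloudTrail and Azure AD audit-log shapes; the events, account IDs and user names are constructed sample data, not real captures.

```python
# Added example (not from the ATT&CK page): detection logic for T1098.003 over
# constructed CloudTrail and Azure AD audit records (hypothetical sample data).

AWS_GRANT_APIS = {"AttachUserPolicy", "CreatePolicyVersion", "PutUserPolicy", "AttachRolePolicy"}
AZURE_PRIVILEGED_ROLES = {"Global Administrator", "Application Administrator"}

def classify_aws(ev):
    """Finding for an IAM permission grant, else None."""
    if ev.get("eventSource") != "iam.amazonaws.com" or ev["eventName"] not in AWS_GRANT_APIS:
        return None
    p = ev.get("requestParameters") or {}
    # A new policy version only changes effective permissions once it becomes the default.
    quiet = ev["eventName"] == "CreatePolicyVersion" and not p.get("setAsDefault")
    return {"platform": "AWS", "actor": ev["userIdentity"]["arn"], "action": ev["eventName"],
            "target": p.get("userName") or p.get("roleName") or p.get("policyArn"),
            "severity": "low" if quiet else "high"}

def classify_azure(ev):
    """Finding for a privileged directory-role assignment, else None."""
    if ev.get("activityDisplayName") != "Add member to role":
        return None
    tgt = ev["targetResources"][0]
    role = next((m["newValue"].strip('"') for m in tgt.get("modifiedProperties", [])
                 if m.get("displayName") == "Role.DisplayName"), None)
    if role not in AZURE_PRIVILEGED_ROLES:
        return None
    actor = ev["initiatedBy"]["user"]["userPrincipalName"]
    # An account granting the role to itself matches the adversary-controlled-account pattern.
    sev = "critical" if actor == tgt.get("userPrincipalName") else "high"
    return {"platform": "AzureAD", "actor": actor, "action": f"Add member to role: {role}",
            "target": tgt.get("userPrincipalName"), "severity": sev}

def scan(events):
    """CloudTrail records carry eventSource; Azure AD audit records do not."""
    return [f for f in (classify_aws(e) if "eventSource" in e else classify_azure(e)
                        for e in events) if f]

SAMPLE_EVENTS = [  # constructed sample records, not real log data
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/svc-deploy"},
     "requestParameters": {"userName": "svc-deploy", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/svc-deploy"},
     "requestParameters": {"policyArn": "arn:aws:iam::111122223333:policy/ReadOnly", "setAsDefault": False}},
    {"activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "mallory@contoso.example"}},
     "targetResources": [{"userPrincipalName": "mallory@contoso.example", "modifiedProperties": [
         {"displayName": "Role.DisplayName", "newValue": '"Global Administrator"'}]}]},
]
```

Running `scan(SAMPLE_EVENTS)` yields three findings; the CreatePolicyVersion one is rated low because the new version was not set as default, and the self-assigned Global Administrator role is rated critical.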

References