An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.[1][2][3][4] With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).[5]
[4]
This account modification may immediately followCreate Account or other malicious account activity. Adversaries may also modify existingValid Accounts that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.
For example, in AWS environments, an adversary with appropriate permissions may be able to use theCreatePolicyVersion API to define a new version of an IAM policy or theAttachUserPolicy API to attach an IAM policy with additional or distinct permissions to a compromised user account.[6]
In some cases, adversaries may add roles to adversary-controlled accounts outside the victim cloud tenant. This allows these external accounts to perform actions inside the victim tenant without requiring the adversary toCreate Account or modify a victim-owned account.[7]
| ID | Name | Description |
|---|---|---|
| C0027 | C0027 | DuringC0027,Scattered Spider used IAM manipulation to gain persistence and to assume or elevate privileges.[8] |
| G1004 | LAPSUS$ | LAPSUS$ has added the global admin role to accounts they have created in the targeted organization's cloud instances.[9] |
| G1015 | Scattered Spider | Scattered Spider has assigned user access admin roles in order to gain Tenant Root Group management permissions in Azure.[10] |
| C0024 | SolarWinds Compromise | During theSolarWinds Compromise,APT29 granted |
| G1053 | Storm-0501 | Storm-0501 has elevated their access to Azure resources using |
| ID | Mitigation | Description |
|---|---|---|
| M1032 | Multi-factor Authentication | Use multi-factor authentication for user and privileged accounts. |
| M1026 | Privileged Account Management | Ensure that all accounts use the least privileges they require. In Azure AD environments, consider using Privileged Identity Management (PIM) to define roles that require two or more approvals before assignment to users.[13] |
| M1018 | User Account Management | Ensure that low-privileged user accounts do not have permissions to add permissions to accounts or update IAM policies. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0277 | Detection Strategy for Role Addition to Cloud Accounts | AN0771 | Detection of new IAM roles or policies attached to a user/service in AWS/GCP/Azure outside normal patterns or hours, often following account compromise. |
| AN0772 | Behavioral chain of a user being granted elevated privileges or roles in Entra ID or Okta following suspicious login or account creation activity. | ||
| AN0773 | Detection of new admin or role assignment actions within Microsoft 365/O365 environments to elevate access for persistence or lateral movement. |