Applied Cybernetics Group
T1078.004 — Cloud Accounts
- Technique: T1078.004
- Tactics: Stealth, Persistence, Privilege Escalation, Initial Access
- MISP citations: 0
- KEV CVEs mapped: 1
- Community rules: 40
- thrunt rules: 0
- Upstream: https://attack.mitre.org/techniques/T1078/004
MITRE description
Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation) Service or user accounts may be targeted by adversaries through [Brute Force](https://attack.mitre.org/techniques/T1110), [Phishing](https://attack.mitre.org/techniques/T1566), or various other means to gain access to the environment. Federated or synced accounts may be a pathway for the adversary to affect both on-premises systems and cloud environments - for example, by leveraging shared credentials to log onto [Remote Services](https://attack.mitre.org/techniques/T1021). High privileged cloud accounts, whether federated, synced, or cloud-only, may also allow pivoting to on-premises environments by leveraging SaaS-based [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) to run commands on hybrid-joined devices. An adversary may create long lasting [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) on a compromised cloud account to maintain persistence in the environment. Such credentials may also be used to bypass security controls such as multi-factor authentication. Cloud accounts may also be able to assume [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005) or other privileges through various means within the environment. 
Misconfigurations in role assignments or role assumption policies may allow an adversary to use these mechanisms to leverage permissions outside the intended scope of the account. Such over privileged accounts may be used to harvest sensitive data from online storage accounts and databases through [Cloud API](https://attack.mitre.org/techniques/T1059/009) or other methods. For example, in Azure environments, adversaries may target Azure Managed Identities, which allow associated Azure resources to request access tokens. By compromising a resource with an attached Managed Identity, such as an Azure VM, adversaries may be able to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s to move laterally across the cloud environment.(Citation: SpecterOps Managed Identity 2022)
KEV CVEs mapped to this technique
Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.
Detection coverage
SigmaHQ community rules
- Bitbucket User Login Failure (core)
- Github New Secret Created (core)
- Github Self Hosted Runner Changes Detected (core)
- Github SSH Certificate Configuration Changed (core)
- AWS Successful Console Login Without MFA (core)
- AWS SAML Provider Deletion Activity (core)
- AWS IAM S3Browser LoginProfile Creation (core)
- AWS IAM S3Browser Templated S3 Bucket Policy Creation (core)
- AWS IAM S3Browser User or AccessKey Creation (core)
- AWS Root Credentials (core)
- Azure Subscription Permission Elevation Via ActivityLogs (core)
- Bitlocker Key Retrieval (core)
- Users Added to Global or Device Admin Roles (core)
- Application AppID Uri Configuration Changes (core)
- Application URI Configuration Changes (core)
- Guest User Invited By Non Approved Inviters (core)
- User State Changed From Guest To Member (core)
- PIM Approvals And Deny Elevation (core)
- Changes To PIM Settings (core)
- User Added To Privilege Role (core)
- Privileged Account Creation (core)
- Temporary Access Pass Added To An Account (core)
- Password Reset By User Account (core)
- Successful Authentications From Countries You Do Not Operate Out Of (core)
- Device Registration or Join Without MFA (core)
Showing 25 of 40 community rules; the full set is tagged attack.t1078.004 in SigmaHQ.