Detection Strategy for Additional Cloud Credentials in IaaS/IdP/SaaS

ID: DET0531
Domains: Enterprise
Analytics: AN1469, AN1470, AN1471
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN1469

Addition of credentials (keys, app passwords, x.509 certs) to existing cloud accounts, service principals, or OAuth apps via portal or API by non-standard identities or IP ranges.

Log Sources
Data Component | Name | Channel
User Account Modification (DC0010) | azure:audit | Add service principal credentials, app password added, app role assignment

Mutable Elements
Field | Description
MFABypassMechanism | App password or legacy auth activity bypassing MFA policies.
SourceIPAllowlist | Expected IPs allowed to perform admin identity operations.
ApplicationCredentialType | Track types like `client_secret`, `certificate`, `password`, `federated`.

AN1470

Cloud API usage to create/import SSH keys or generate new access keys (CreateAccessKey, ImportKeyPair, CreateLoginProfile) from non-console access or unusual principals.

Log Sources
Data Component | Name | Channel
Active Directory Object Creation (DC0087) | AWS:CloudTrail | CreateAccessKey, ImportKeyPair, CreateLoginProfile, CreateKeyPair
User Account Modification (DC0010) | gcp:audit | iam.serviceAccounts.keys.create, os-login.sshPublicKeys.add

Mutable Elements
Field | Description
CallerIdentityContext | Track root, federated identities, and STS tokens separately.
NewCredentialUsageWindow | Time between key creation and first use (default: 5 min).
IAMRoleBaseline | Expected services/accounts allowed to create keys.
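The AN1470 logic above, worked through as an added example that is not part of this ATT&CK page: it scores CloudTrail-style key-creation events against the three mutable elements (CallerIdentityContext, IAMRoleBaseline, NewCredentialUsageWindow) and correlates a newly created access key with its first use. The event dictionaries, ARNs, key ids and the `detect`/`caller_context` helpers are constructed for illustration and only mimic CloudTrail field names.

```python
# Added example: AN1470-style detection over constructed CloudTrail-like events.
from datetime import datetime, timedelta

KEY_EVENTS = {"CreateAccessKey", "ImportKeyPair", "CreateLoginProfile", "CreateKeyPair"}

def caller_context(identity):
    """CallerIdentityContext: bucket the caller as root, federated, sts or iam."""
    if identity.get("type") == "Root":
        return "root"
    if identity.get("type") == "FederatedUser":
        return "federated"
    if identity.get("type") == "AssumedRole" or ":sts:" in identity.get("arn", ""):
        return "sts"
    return "iam"

def is_console(event):
    # Console sessions carry the console user agent; CLI/SDK calls do not.
    return "console.amazonaws.com" in event.get("userAgent", "")

def detect(events, role_baseline, usage_window_s=300):
    """Return (eventName, reason, actor_arn) findings. role_baseline is the set of
    ARNs expected to create keys (IAMRoleBaseline); usage_window_s is the
    NewCredentialUsageWindow (default 5 min, matching the page)."""
    findings, created = [], {}
    for e in sorted(events, key=lambda x: x["eventTime"]):
        ident = e["userIdentity"]
        if e["eventName"] in KEY_EVENTS:
            reasons = []
            if ident["arn"] not in role_baseline:
                reasons.append("principal outside IAMRoleBaseline")
            if not is_console(e):
                reasons.append("non-console access")
            if caller_context(ident) != "iam":
                reasons.append("caller context " + caller_context(ident))
            findings += [(e["eventName"], r, ident["arn"]) for r in reasons]
            key_id = ((e.get("responseElements") or {}).get("accessKey") or {}).get("accessKeyId")
            if key_id:
                created[key_id] = e["eventTime"]  # remember creation time for correlation
        elif ident.get("accessKeyId") in created:
            t0 = created.pop(ident["accessKeyId"])
            if e["eventTime"] - t0 <= timedelta(seconds=usage_window_s):
                findings.append((e["eventName"], "first use within NewCredentialUsageWindow", ident["arn"]))
    return findings

T = datetime(2025, 10, 21, 12, 0, 0)
ALICE = "arn:aws:iam::111122223333:user/alice"            # constructed
ROTATOR = "arn:aws:iam::111122223333:user/key-rotator"    # constructed, in baseline
SAMPLE_EVENTS = [  # constructed CloudTrail-like records
    {"eventName": "CreateAccessKey", "eventTime": T, "userAgent": "aws-cli/2.0",
     "userIdentity": {"type": "IAMUser", "arn": ALICE, "accessKeyId": "AKIA-CONSTRUCTED-OLD"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIA-CONSTRUCTED-NEW"}}},
    {"eventName": "ListBuckets", "eventTime": T + timedelta(seconds=90), "userAgent": "aws-cli/2.0",
     "userIdentity": {"type": "IAMUser", "arn": ALICE, "accessKeyId": "AKIA-CONSTRUCTED-NEW"}},
    {"eventName": "CreateAccessKey", "eventTime": T + timedelta(minutes=5),
     "userAgent": "console.amazonaws.com", "userIdentity": {"type": "IAMUser", "arn": ROTATOR}},
]

def run_example():
    return detect(SAMPLE_EVENTS, {ROTATOR})
```

The rotator's console-originated creation produces no finding, while the CLI-created key used 90 seconds later yields three: outside baseline, non-console, and fast first use.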

AN1471

Credential-related configuration changes in productivity apps, such as API key creation in Google Workspace, app tokens in Slack, or user-level OAuth credentials in M365.

Log Sources
Data Component | Name | Channel
User Account Modification (DC0010) | gcp:audit | API Key Created, OAuth Client Registered
Active Directory Object Modification (DC0066) | m365:unified | Set-Mailbox, Set-AppPassword, Add-MailboxPermission

Mutable Elements
Field | Description
OAuthClientRedirectURIBaseline | Detect suspicious redirect URI mismatches in new clients.
TokenScopeSensitivity | Highlight credentials granting excessive read/write org-wide.