Detection of Abused or Compromised Cloud Accounts for Access and Persistence

Technique Detected: Cloud Accounts | T1078.004

ID: DET0546
Domains: Enterprise
Analytics: AN1503, AN1504, AN1505, AN1506
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN1503

Detects anomalous authentication activity such as sign-ins from impossible geolocations or legacy protocols from high-privileged accounts.

Log Sources
  Data Component                        Name              Channel
  User Account Authentication (DC0002)  azure:signinlogs  Sign-in activity
  Logon Session Metadata (DC0088)       saas:okta         user.authentication.sso

Mutable Elements
  Field                       Description
  AnomalousLocationThreshold  Defines geographic separation (e.g., impossible travel) considered suspicious.
  ProtocolType                Filter based on legacy or deprecated authentication mechanisms.
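As an added example that is not part of the ATT&CK entry, the AN1503 logic applied to a few constructed sign-in records: the AnomalousLocationThreshold is expressed as a maximum plausible travel speed, and the ProtocolType filter as a set of legacy client protocols. The field names, role names, protocol list and threshold values are assumptions for illustration, not values from the page.

```python
"""Added example (not the ATT&CK page's own code): an AN1503-style analytic over
constructed Entra ID style sign-in records.  Field names, the role and legacy
protocol lists and the threshold values are assumptions for illustration."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Mutable elements from AN1503 (assumed values; tune per tenant).
ANOMALOUS_LOCATION_THRESHOLD_KMH = 900  # implied travel speed above this is "impossible"
MIN_DISTANCE_KM = 50                    # ignore GeoIP jitter between nearby points
LEGACY_PROTOCOLS = {"IMAP4", "POP3", "SMTP", "Exchange ActiveSync"}  # ProtocolType filter
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}

# Constructed sample sign-ins (loosely shaped like azure:signinlogs events).
SIGNINS = [
    {"user": "admin@example.com", "time": "2025-10-21T08:00:00", "lat": 51.50, "lon": -0.12,
     "app": "Browser", "role": "Global Administrator"},   # London
    {"user": "admin@example.com", "time": "2025-10-21T08:40:00", "lat": 40.71, "lon": -74.00,
     "app": "Browser", "role": "Global Administrator"},   # New York, 40 minutes later
    {"user": "admin@example.com", "time": "2025-10-21T09:05:00", "lat": 40.71, "lon": -74.00,
     "app": "IMAP4", "role": "Global Administrator"},     # legacy protocol, privileged account
    {"user": "alice@example.com", "time": "2025-10-21T09:00:00", "lat": 48.85, "lon": 2.35,
     "app": "Browser", "role": "User"},                   # Paris
    {"user": "alice@example.com", "time": "2025-10-21T17:00:00", "lat": 51.50, "lon": -0.12,
     "app": "Browser", "role": "User"},                   # London, eight hours later: plausible
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def detect(events):
    """Return (user, reason) alerts for impossible travel and legacy-protocol use."""
    alerts, last = [], {}  # last: user -> previous sign-in seen for that user
    for ev in sorted(events, key=lambda e: (e["user"], e["time"])):
        if ev["app"] in LEGACY_PROTOCOLS and ev["role"] in PRIVILEGED_ROLES:
            alerts.append((ev["user"], f"legacy protocol {ev['app']} used by privileged account"))
        prev = last.get(ev["user"])
        if prev is not None:
            hours = (datetime.fromisoformat(ev["time"])
                     - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            # hours == 0 with a real distance (simultaneous sign-ins far apart) is also impossible
            if km >= MIN_DISTANCE_KM and (hours == 0 or km / hours > ANOMALOUS_LOCATION_THRESHOLD_KMH):
                alerts.append((ev["user"], f"impossible travel: {km:.0f} km in {hours:.2f} h"))
        last[ev["user"]] = ev
    return alerts
```

Run against the sample, the admin account produces two alerts (London to New York in 40 minutes, then IMAP4 from a Global Administrator) while the Paris to London trip over eight hours stays quiet.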

AN1504

Detects cloud account use for API calls that exceed normal scope, such as IAM changes or access to services never used before.

Log Sources
  Data Component                        Name            Channel
  User Account Authentication (DC0002)  AWS:CloudTrail  ConsoleLogin, AssumeRole, ListAccessKeys, CreateUser
  Logon Session Creation (DC0067)       gcp:audit       admin.googleapis.com

Mutable Elements
  Field                       Description
  ServiceInteractionBaseline  Custom list of expected service interactions per user or role.
  RoleSwitchRateThreshold     Frequency of assume-role operations that triggers an alert.

AN1505

Detects unexpected access or usage of cloud productivity tools (e.g., downloading large numbers of files, creating external shares) by internal users.

Log Sources
  Data Component                        Name          Channel
  Logon Session Metadata (DC0088)       m365:unified  FileAccessed, SharingSet
  User Account Authentication (DC0002)  gcp:audit     drive.activity

Mutable Elements
  Field                           Description
  FileDownloadThreshold           Defines excessive access based on number or size of downloads.
  SharingPolicyViolationThreshold Defines external sharing behaviors that violate policy.

AN1506

Detects login and usage patterns deviating from typical Microsoft 365 or Google Workspace user profiles.

Log Sources
  Data Component                        Name         Channel
  Logon Session Metadata (DC0088)       m365:signin  UserLogin
  User Account Authentication (DC0002)  gcp:audit    login.event

Mutable Elements
  Field                           Description
  BusinessHours                   Used to identify logins outside of expected work times.
  OfficeProductivityToolBaseline  Defines expected application usage per department or role.