Adversaries may log into accessible cloud services within a compromised environment using Valid Accounts that are synchronized with or federated to on-premises user identities. The adversary may then perform management actions or access cloud-hosted resources as the logged-on user.
Many enterprises federate centrally managed user identities to cloud services, allowing users to log in with their domain credentials in order to access the cloud control plane. Similarly, adversaries may connect to available cloud services through the web console or through the cloud command line interface (CLI) (e.g., Cloud API), using commands such as Connect-AzAccount for Azure PowerShell, Connect-MgGraph for Microsoft Graph PowerShell, and gcloud auth login for the Google Cloud CLI.
In some cases, adversaries may be able to authenticate to these services via Application Access Token instead of a username and password.
| ID | Name | Description |
|---|---|---|
| G0016 | APT29 | APT29 has leveraged compromised high-privileged on-premises accounts synced to Office 365 to move laterally into a cloud environment, including through the use of Azure AD PowerShell.[1] |
| C0027 | C0027 | During C0027, Scattered Spider used compromised Azure credentials for credential theft activity and lateral movement to on-premises systems.[2] |
| G1015 | Scattered Spider | Scattered Spider has also leveraged pre-existing AWS EC2 instances for lateral movement and data collection purposes.[3] |
| G1053 | Storm-0501 | Storm-0501 has used a compromised Entra Connect Sync server to move laterally within the victim environment.[4] |
| ID | Mitigation | Description |
|---|---|---|
| M1032 | Multi-factor Authentication | Use multi-factor authentication on cloud services whenever possible. |
| M1026 | Privileged Account Management | Limit the number of high-privileged domain and cloud accounts, and ensure that these are not used for day-to-day operations. Ensure that on-premises accounts do not have privileged cloud permissions and that isolated, cloud-only accounts are used for managing cloud environments.[5] |
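The two mitigations above reduce to checks an administrator can run against directory exports: does any on-premises-synced account hold a privileged cloud role, and does every privileged role holder have MFA registered? The audit below is an added example, not ATT&CK or vendor code; the user and role-assignment records are constructed, the field names are modelled on Microsoft Graph user properties (`onPremisesSyncEnabled` is a real Graph attribute, `mfaRegistered` is an assumed flag), and the set of roles treated as privileged is an assumption for the example.

```python
"""Audit check for M1026/M1032 against constructed directory data.
Added example; records and role list are invented for illustration."""

# Constructed user records (field names modelled on Microsoft Graph; values invented).
USERS = [
    {"upn": "alice@corp.example", "onPremisesSyncEnabled": True, "mfaRegistered": True},
    {"upn": "adm-cloud-bob@corp.example", "onPremisesSyncEnabled": False, "mfaRegistered": True},
    {"upn": "carol@corp.example", "onPremisesSyncEnabled": True, "mfaRegistered": False},
    {"upn": "svc-deploy@corp.example", "onPremisesSyncEnabled": False, "mfaRegistered": False},
]

# Constructed role assignments as (role name, principal UPN) pairs.
ROLE_ASSIGNMENTS = [
    ("Global Administrator", "alice@corp.example"),
    ("Global Administrator", "adm-cloud-bob@corp.example"),
    ("Owner", "carol@corp.example"),
    ("Reader", "svc-deploy@corp.example"),
]

# Roles treated as privileged for this check (assumed list; tune per tenant).
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "User Access Administrator",
    "Owner",
}


def audit_privileged_accounts(users, assignments, privileged_roles=PRIVILEGED_ROLES):
    """Return one finding per violated rule for each privileged role holder.

    Rule 1 (M1026): a privileged cloud role must not sit on an account that is
    synchronized from on-premises AD, so that on-prem compromise does not carry
    straight into the cloud control plane.
    Rule 2 (M1032): every privileged role holder must have MFA registered.
    """
    by_upn = {u["upn"]: u for u in users}
    findings = []
    for role, upn in assignments:
        if role not in privileged_roles:
            continue  # non-privileged roles are out of scope for this check
        user = by_upn.get(upn)
        if user is None:
            # A privileged assignment to a principal missing from the export
            # (deleted user, orphaned assignment) is itself worth reporting.
            findings.append({"upn": upn, "role": role, "issue": "unknown principal"})
            continue
        if user["onPremisesSyncEnabled"]:
            findings.append({"upn": upn, "role": role,
                             "issue": "on-premises synced account holds privileged cloud role"})
        if not user["mfaRegistered"]:
            findings.append({"upn": upn, "role": role, "issue": "no MFA registered"})
    return findings


if __name__ == "__main__":
    for finding in audit_privileged_accounts(USERS, ROLE_ASSIGNMENTS):
        print(f"{finding['upn']:32} {finding['role']:22} {finding['issue']}")
```

On the constructed data the check reports alice (synced account with Global Administrator) and carol twice (synced account with Owner, and no MFA); the cloud-only admin account passes, and the Reader assignment is ignored because it is not privileged.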
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0008 | Behavioral Detection of Remote Cloud Logins via Valid Accounts | AN0017 | Cloud login from an atypical geolocation or user-agent string, followed by resource enumeration or infrastructure manipulation using the cloud CLI/API |
| | | AN0018 | Federated login using SSO or an OAuth grant to the cloud control plane, followed by directory or permissions enumeration |
| | | AN0019 | Login to M365 or Google Workspace from CLI tools or unexpected source IPs, followed by mailbox or document access |
| | | AN0020 | Remote access to third-party SaaS with OAuth or API tokens after initial compromise, followed by sensitive data access or configuration changes |
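Analytics AN0017 and AN0018 share one shape: a sign-in that deviates from the account's own history (country, user agent, CLI versus browser), then enumeration of resources or permissions shortly afterwards. The detector below is an added example, not ATT&CK or vendor code. It runs over constructed, pipe-delimited sign-in and activity log lines (the field layout is an assumption for the example; the operation names follow the Azure Activity Log naming style but the events are invented), builds a per-user baseline from earlier sign-ins only, and alerts when an atypical sign-in is followed within a window by operations from an assumed enumeration list.

```python
"""Behavioral detection for AN0017/AN0018 over constructed log lines.
Added example; log lines, field layout and the enumeration list are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records: timestamp|user|source IP|country|user agent|application.
SIGNIN_LOGS = [
    "2024-05-01T08:55:00|alice@corp.example|198.51.100.7|DE|Mozilla/5.0 Chrome/124|Azure Portal",
    "2024-05-02T09:10:00|alice@corp.example|198.51.100.7|DE|Mozilla/5.0 Chrome/124|Azure Portal",
    "2024-05-03T09:02:00|alice@corp.example|198.51.100.8|DE|Mozilla/5.0 Chrome/124|Azure Portal",
    "2024-05-03T10:00:00|bob@corp.example|198.51.100.9|DE|AzurePowerShell/Az.Accounts|Azure PowerShell",
    "2024-05-04T10:05:00|bob@corp.example|198.51.100.9|DE|AzurePowerShell/Az.Accounts|Azure PowerShell",
    # Deliberately out of order: the detector sorts by timestamp before building baselines.
    "2024-05-03T22:41:00|alice@corp.example|203.0.113.55|RU|AzurePowerShell/Az.Accounts|Azure PowerShell",
]

# Constructed activity records: timestamp|user|operation name.
ACTIVITY_LOGS = [
    "2024-05-03T09:05:00|alice@corp.example|Microsoft.Web/sites/read",
    "2024-05-03T22:43:00|alice@corp.example|Microsoft.Resources/subscriptions/resources/read",
    "2024-05-03T22:44:00|alice@corp.example|Microsoft.Authorization/roleAssignments/read",
    "2024-05-04T10:06:00|bob@corp.example|Microsoft.Resources/subscriptions/resources/read",
]

# Operations treated as resource or permission enumeration (assumed list).
ENUMERATION_OPS = {
    "Microsoft.Resources/subscriptions/resources/read",
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleDefinitions/read",
}


def parse_signin(line):
    ts, user, ip, country, agent, app = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "country": country, "user_agent": agent, "app": app}


def parse_activity(line):
    ts, user, op = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "op": op}


def detect(signin_lines, activity_lines, window_minutes=60):
    """Return one alert per sign-in that deviates from the user's own
    country/user-agent baseline AND is followed within the window by
    enumeration operations. Baselines contain only earlier sign-ins."""
    signins = sorted((parse_signin(line) for line in signin_lines), key=lambda e: e["ts"])
    activity = sorted((parse_activity(line) for line in activity_lines), key=lambda e: e["ts"])
    window = timedelta(minutes=window_minutes)
    seen_countries, seen_agents = defaultdict(set), defaultdict(set)
    alerts = []
    for s in signins:
        user = s["user"]
        reasons = []
        # A user's first sign-in has no baseline: record it rather than
        # alerting on every newly onboarded account.
        if seen_countries[user]:
            if s["country"] not in seen_countries[user]:
                reasons.append("new country " + s["country"])
            if s["user_agent"] not in seen_agents[user]:
                reasons.append("new user-agent " + s["user_agent"])
        seen_countries[user].add(s["country"])
        seen_agents[user].add(s["user_agent"])
        if not reasons:
            continue
        # Correlate: enumeration by the same user inside the window after login.
        followed_by = [a["op"] for a in activity
                       if a["user"] == user and a["op"] in ENUMERATION_OPS
                       and s["ts"] <= a["ts"] <= s["ts"] + window]
        if followed_by:
            alerts.append({"user": user, "login_ts": s["ts"].isoformat(), "src_ip": s["ip"],
                           "reasons": reasons, "followed_by": followed_by})
    return alerts


if __name__ == "__main__":
    for alert in detect(SIGNIN_LOGS, ACTIVITY_LOGS):
        print(alert)
```

On the constructed data only alice's late-evening sign-in alerts: it comes from a country and a user agent she has never used, and role-assignment and resource enumeration follow within minutes. bob's Azure PowerShell sign-ins do not alert because the CLI user agent is already in his baseline, which is the point of baselining per user rather than flagging every CLI login. In production the baseline should come from a confirmed-benign history window rather than being extended by every sign-in, as this simplified version does.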