1. Home
  2. Techniques
  3. Enterprise
  4. Account Manipulation
  5. Additional Cloud Credentials

Account Manipulation: Additional Cloud Credentials

ID Name
T1098.001 Additional Cloud Credentials
T1098.002 Additional Email Delegate Permissions
T1098.003 Additional Cloud Roles
T1098.004 SSH Authorized Keys
T1098.005 Device Registration
T1098.006 Additional Container Cluster Roles
T1098.007 Additional Local or Domain Groups

Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.

For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure / Entra ID.[1][2][3] These credentials include both x509 keys and passwords.[1] With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.[4]

In infrastructure-as-a-service (IaaS) environments, after gaining access through Cloud Accounts, adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.[5] This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.[6][7]

Adversaries may also use the CreateAccessKey API in AWS or the gcloud iam service-accounts keys create command in GCP to add access keys to an account. Alternatively, they may use the CreateLoginProfile API in AWS to add a password that can be used to log into the AWS Management Console for Cloud Service Dashboard.[8][9] If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. Cloud Accounts).[10][11] For example, in Entra ID environments, an adversary with the Application Administrator role can add a new set of credentials to their application's service principal. In doing so the adversary would be able to access the service principal’s roles and permissions, which may be different from those of the Application Administrator.[12]

In AWS environments, adversaries with the appropriate permissions may also use the sts:GetFederationToken API call to create a temporary set of credentials to Forge Web Credentials tied to the permissions of the original user account. These temporary credentials may remain valid for the duration of their lifetime even if the original account’s API credentials are deactivated.
[13]

In Entra ID environments with the app password feature enabled, adversaries may be able to add an app password to a user account.[14] As app passwords are intended to be used with legacy devices that do not support multi-factor authentication (MFA), adding an app password can allow an adversary to bypass MFA requirements. Additionally, app passwords may remain valid even if the user’s primary password is reset.[15]

ID: T1098.001
Sub-technique of:  T1098
Platforms: IaaS, Identity Provider, SaaS
Contributors: Alex Soler, AttackIQ; Arad Inbar, Fidelis Security; Arun Seelagan, CISA; Dylan Silva, AWS Security; Expel; Jannie Li, Microsoft Threat Intelligence Center (MSTIC); Oleg Kolesnikov, Securonix; Zur Ulianitzky, XM Cyber
Version: 2.8
Created: 19 January 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
C0027 C0027

During C0027, Scattered Spider used aws_consoler to create temporary federated credentials for fake users in order to obfuscate which AWS credential is compromised and enable pivoting from the AWS CLI to console sessions without MFA.[16]
S1091 Pacu

Pacu can generate SSH and API keys for AWS infrastructure and additional API keys for other IAM users.[17]
C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 added credentials to OAuth Applications and Service Principals.[18][19]
G1053 Storm-0501

Storm-0501 has reset the password of identified administrator accounts that lack MFA and registered their own MFA method.[20]

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program

Remove unnecessary and potentially abusable authentication mechanisms where possible. For example, in Entra ID environments, disable the app password feature unless explicitly required.

M1032 Multi-factor Authentication

Use multi-factor authentication for user and privileged accounts. Consider enforcing multi-factor authentication for the CreateKeyPair and ImportKeyPair API calls through IAM policies.[6]
M1030 Network Segmentation

Configure access controls and firewalls to limit access to critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems.
M1026 Privileged Account Management

Do not allow domain administrator or root accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.
M1018 User Account Management

Ensure that low-privileged user accounts do not have permission to add access keys to accounts. In AWS environments, prohibit users from calling the sts:GetFederationToken API unless explicitly required.[13]

Detection Strategy

ID Name Analytic ID Analytic Description
DET0531 Detection Strategy for Additional Cloud Credentials in IaaS/IdP/SaaS AN1469

Addition of credentials (keys, app passwords, x.509 certs) to existing cloud accounts, service principals, or OAuth apps via portal or API by non-standard identities or IP ranges.
AN1470

Cloud API usage to create/import SSH keys or generate new access keys (CreateAccessKey, ImportKeyPair, CreateLoginProfile) from non-console access or unusual principals.
AN1471

Credential-related configuration changes in productivity apps, such as API key creation in Google Workspace, app tokens in Slack, or user-level OAuth credentials in M365.

References

  1. MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 17, 2020.
  2. Kunz, Bryce. (2018, May 11). Blue Cloud of Death: Red Teaming Azure. Retrieved October 23, 2019.
  3. Kunz, Bruce. (2018, October 14). Blue Cloud of Death: Red Teaming Azure. Retrieved November 21, 2019.
  4. Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service Principals. Retrieved January 19, 2020.
  5. Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved October 1, 2020.
  6. A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020.
  7. S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020, July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved October 1, 2020.
  8. Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.
  9. Detecting AI resource-hijacking with Composite Alerts. (2024, June 6). Lacework Labs. Retrieved July 1, 2024.
  10. Spencer Gietzen. (n.d.). AWS IAM Privilege Escalation – Methods and Mitigation. Retrieved May 27, 2022.
  1. SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. (2023, July 11). SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. Retrieved July 12, 2023.
  2. Andy Robbins. (2021, October 12). Azure Privilege Escalation via Service Principal Abuse. Retrieved April 1, 2022.
  3. Vaishnav Murthy and Joel Eng. (2023, January 30). How Adversaries Can Persist with AWS User Federation. Retrieved March 10, 2023.
  4. Ofir Rozmann, Asli Koksal, Adrian Hernandez, Sarah Bock, and Jonathan Leathery. (2024, May 1). Uncharmed: Untangling Iran's APT42 Operations. Retrieved May 28, 2024.
  5. Microsoft. (2023, October 23). Enforce Microsoft Entra multifactor authentication with legacy applications using app passwords. Retrieved May 28, 2024.
  6. Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.
  7. Rhino Security Labs. (2019, August 22). Pacu. Retrieved October 17, 2019.
  8. MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020.
  9. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
  10. Microsoft Threat Intelligence. (2025, August 27). Storm-0501’s evolving techniques lead to cloud-based ransomware. Retrieved October 19, 2025.