1. Home
  2. Techniques
  3. Enterprise
  4. Account Manipulation
  5. Additional Cloud Roles

Account Manipulation: Additional Cloud Roles

ID Name
T1098.001 Additional Cloud Credentials
T1098.002 Additional Email Delegate Permissions
T1098.003 Additional Cloud Roles
T1098.004 SSH Authorized Keys
T1098.005 Device Registration
T1098.006 Additional Container Cluster Roles
T1098.007 Additional Local or Domain Groups

An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.[1][2][3][4] With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).[5]
[4]

This account modification may immediately follow Create Account or other malicious account activity. Adversaries may also modify existing Valid Accounts that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.

For example, in AWS environments, an adversary with appropriate permissions may be able to use the CreatePolicyVersion API to define a new version of an IAM policy or the AttachUserPolicy API to attach an IAM policy with additional or distinct permissions to a compromised user account.[6]

In some cases, adversaries may add roles to adversary-controlled accounts outside the victim cloud tenant. This allows these external accounts to perform actions inside the victim tenant without requiring the adversary to Create Account or modify a victim-owned account.[7]

ID: T1098.003
Sub-technique of:  T1098
Platforms: IaaS, Identity Provider, Office Suite, SaaS
Contributors: Alex Parsons, Crowdstrike; Alex Soler, AttackIQ; Arad Inbar, Fidelis Security; Arun Seelagan, CISA; Chris Romano, Crowdstrike; Clément Notin, Tenable; Microsoft Threat Intelligence Center (MSTIC); Pià Consigny, Tenable; Praetorian; Wojciech Lesicki
Version: 2.5
Created: 19 January 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
C0027 C0027

During C0027, Scattered Spider used IAM manipulation to gain persistence and to assume or elevate privileges.[8]
G1004 LAPSUS$

LAPSUS$ has added the global admin role to accounts they have created in the targeted organization's cloud instances.[9]
G1015 Scattered Spider

Scattered Spider has assigned user access admin roles in order to gain Tenant Root Group management permissions in Azure.[10]
C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 granted company administrator privileges to a newly created service principle.[11]
G1053 Storm-0501

Storm-0501 has elevated their access to Azure resources using Microsoft.Authorization/elevateAccess/action and Microsoft.Authorization/roleAssignments/write operations to gain User Access Administrator and Owner Azure roles over the victims’ Azure subscriptions.[12]

Mitigations

ID Mitigation Description
M1032 Multi-factor Authentication

Use multi-factor authentication for user and privileged accounts.
M1026 Privileged Account Management

Ensure that all accounts use the least privileges they require. In Azure AD environments, consider using Privileged Identity Management (PIM) to define roles that require two or more approvals before assignment to users.[13]
M1018 User Account Management

Ensure that low-privileged user accounts do not have permissions to add permissions to accounts or update IAM policies.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0277 Detection Strategy for Role Addition to Cloud Accounts AN0771

Detection of new IAM roles or policies attached to a user/service in AWS/GCP/Azure outside normal patterns or hours, often following account compromise.
AN0772

Behavioral chain of a user being granted elevated privileges or roles in Entra ID or Okta following suspicious login or account creation activity.
AN0773

Detection of new admin or role assignment actions within Microsoft 365/O365 environments to elevate access for persistence or lateral movement.

References

  1. AWS. (n.d.). Policies and permissions in IAM. Retrieved April 1, 2022.
  2. Google Cloud. (2022, March 31). Understanding policies. Retrieved April 1, 2022.
  3. Microsoft. (n.d.). Add Another Admin. Retrieved October 18, 2019.
  4. Ako-Adjei, K., Dickhaus, M., Baumgartner, P., Faigel, D., et. al.. (2019, October 8). About admin roles. Retrieved October 18, 2019.
  5. Brian Bahtiarian, David Blanton, Britton Manahan and Kyle Pellett. (2022, April 5). Incident report: From CLI to console, chasing an attacker in AWS. Retrieved April 7, 2022.
  6. Spencer Gietzen. (n.d.). AWS IAM Privilege Escalation – Methods and Mitigation. Retrieved May 27, 2022.
  7. Invictus Incident Response. (2024, January 31). The curious case of DangerDev@protonmail.me. Retrieved March 19, 2024.
  1. Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.
  2. MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.
  3. Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Retrieved March 18, 2024.
  4. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
  5. Microsoft Threat Intelligence. (2025, August 27). Storm-0501’s evolving techniques lead to cloud-based ransomware. Retrieved October 19, 2025.
  6. Microsoft. (2023, January 30). Approve or deny requests for Azure AD roles in Privileged Identity Management. Retrieved February 21, 2023.