MITRE ATT&CK Technique
Description
An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).(Citation: Expel AWS Attacker) (Citation: Microsoft O365 Admin Roles) This account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts. For example, in AWS environments, an adversary with appropriate permissions may be able to use the <code>CreatePolicyVersion</code> API to define a new version of an IAM policy or the <code>AttachUserPolicy</code> API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation) In some cases, adversaries may add roles to adversary-controlled accounts outside the victim cloud tenant. This allows these external accounts to perform actions inside the victim tenant without requiring the adversary to [Create Account](https://attack.mitre.org/techniques/T1136) or modify a victim-owned account.(Citation: Invictus IR DangerDev 2024)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-01-19T16:59:45.362Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'An adversary may add additional roles or permissions to an '
'adversary-controlled cloud account to maintain persistent '
'access to a tenant. For example, adversaries may update IAM '
'policies in cloud-based environments or add a new global '
'administrator in Office 365 environments.(Citation: AWS IAM '
'Policies and Permissions)(Citation: Google Cloud IAM '
'Policies)(Citation: Microsoft Support O365 Add Another Admin, '
'October 2019)(Citation: Microsoft O365 Admin Roles) With '
'sufficient permissions, a compromised account can gain almost '
'unlimited access to data and settings (including the ability '
'to reset the passwords of other admins).(Citation: Expel AWS '
'Attacker)\n'
'(Citation: Microsoft O365 Admin Roles) \n'
'\n'
'This account modification may immediately follow [Create '
'Account](https://attack.mitre.org/techniques/T1136) or other '
'malicious account activity. Adversaries may also modify '
'existing [Valid '
'Accounts](https://attack.mitre.org/techniques/T1078) that '
'they have compromised. This could lead to privilege '
'escalation, particularly if the roles added allow for lateral '
'movement to additional accounts.\n'
'\n'
'For example, in AWS environments, an adversary with '
'appropriate permissions may be able to use the '
'<code>CreatePolicyVersion</code> API to define a new version '
'of an IAM policy or the <code>AttachUserPolicy</code> API to '
'attach an IAM policy with additional or distinct permissions '
'to a compromised user account.(Citation: Rhino Security Labs '
'AWS Privilege Escalation)\n'
'\n'
'In some cases, adversaries may add roles to '
'adversary-controlled accounts outside the victim cloud '
'tenant. This allows these external accounts to perform '
'actions inside the victim tenant without requiring the '
'adversary to [Create '
'Account](https://attack.mitre.org/techniques/T1136) or modify '
'a victim-owned account.(Citation: Invictus IR DangerDev 2024)',
'external_references': [{'external_id': 'T1098.003',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1098/003'},
{'description': ' Brian Bahtiarian, David Blanton, '
'Britton Manahan and Kyle Pellett. '
'(2022, April 5). Incident report: '
'From CLI to console, chasing an '
'attacker in AWS. Retrieved April 7, '
'2022.',
'source_name': 'Expel AWS Attacker',
'url': 'https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/'},
{'description': 'Ako-Adjei, K., Dickhaus, M., '
'Baumgartner, P., Faigel, D., et. '
'al.. (2019, October 8). About admin '
'roles. Retrieved October 18, 2019.',
'source_name': 'Microsoft O365 Admin Roles',
'url': 'https://docs.microsoft.com/en-us/office365/admin/add-users/about-admin-roles?view=o365-worldwide'},
{'description': 'AWS. (n.d.). Policies and '
'permissions in IAM. Retrieved April '
'1, 2022.',
'source_name': 'AWS IAM Policies and Permissions',
'url': 'https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html'},
{'description': 'Google Cloud. (2022, March 31). '
'Understanding policies. Retrieved '
'April 1, 2022.',
'source_name': 'Google Cloud IAM Policies',
'url': 'https://cloud.google.com/iam/docs/policies'},
{'description': 'Invictus Incident Response. (2024, '
'January 31). The curious case of '
'DangerDev@protonmail.me. Retrieved '
'March 19, 2024.',
'source_name': 'Invictus IR DangerDev 2024',
'url': 'https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me'},
{'description': 'Microsoft. (n.d.). Add Another '
'Admin. Retrieved October 18, 2019.',
'source_name': 'Microsoft Support O365 Add Another '
'Admin, October 2019',
'url': 'https://support.office.com/en-us/article/add-another-admin-f693489f-9f55-4bd0-a637-a81ce93de22d'},
{'description': 'Spencer Gietzen. (n.d.). AWS IAM '
'Privilege Escalation – Methods and '
'Mitigation. Retrieved May 27, 2022.',
'source_name': 'Rhino Security Labs AWS Privilege '
'Escalation',
'url': 'https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/'}],
'id': 'attack-pattern--2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'privilege-escalation'}],
'modified': '2025-10-24T17:48:35.082Z',
'name': 'Additional Cloud Roles',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Microsoft Threat Intelligence Center (MSTIC)',
'Alex Parsons, Crowdstrike',
'Chris Romano, Crowdstrike',
'Wojciech Lesicki',
'Pià Consigny, Tenable',
'Clément Notin, Tenable',
'Praetorian',
'Alex Soler, AttackIQ',
'Arad Inbar, Fidelis Security',
'Arun Seelagan, CISA'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['IaaS', 'Identity Provider', 'Office Suite', 'SaaS'],
'x_mitre_version': '2.5'}