MITRE ATT&CK Technique
Resource Development T1586.003
Description

Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Additionally, cloud-based messaging services such as Twilio, SendGrid, AWS End User Messaging, AWS SNS (Simple Notification Service), or AWS SES (Simple Email Service) may be leveraged for spam or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)(Citation: Netcraft SendGrid 2024) Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)

A variety of methods exist for compromising cloud accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, conducting [Password Spraying](https://attack.mitre.org/techniques/T1110/003) attacks, or attempting to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: MSTIC Nobelium Oct 2021) Prior to compromising cloud accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. In some cases, adversaries may target privileged service provider accounts with the intent of leveraging a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) between service providers and their customers.(Citation: MSTIC Nobelium Oct 2021)

Supported Platforms
PRE
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2022-05-27T14:30:01.904Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may compromise cloud accounts that can be used '
                'during targeting. Adversaries can use compromised cloud '
                'accounts to further their operations, including leveraging '
                'cloud storage services such as Dropbox, Microsoft OneDrive, '
                'or AWS S3 buckets for [Exfiltration to Cloud '
                'Storage](https://attack.mitre.org/techniques/T1567/002) or to '
                '[Upload '
                'Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud '
                'accounts can also be used in the acquisition of '
                'infrastructure, such as [Virtual Private '
                'Server](https://attack.mitre.org/techniques/T1583/003)s or '
                '[Serverless](https://attack.mitre.org/techniques/T1583/007) '
                'infrastructure. Additionally, cloud-based messaging services '
                'such as Twilio, SendGrid, AWS End User Messaging, AWS SNS '
                '(Simple Notification Service), or AWS SES (Simple Email '
                'Service) may be leveraged for spam or '
                '[Phishing](https://attack.mitre.org/techniques/T1566).(Citation: '
                'Palo Alto Unit 42 Compromised Cloud Compute Credentials '
                '2022)(Citation: Netcraft SendGrid 2024) Compromising cloud '
                'accounts may allow adversaries to develop sophisticated '
                'capabilities without managing their own servers.(Citation: '
                'Awake Security C2 Cloud)\n'
                '\n'
                'A variety of methods exist for compromising cloud accounts, '
                'such as gathering credentials via [Phishing for '
                'Information](https://attack.mitre.org/techniques/T1598), '
                'purchasing credentials from third-party sites, conducting '
                '[Password '
                'Spraying](https://attack.mitre.org/techniques/T1110/003) '
                'attacks, or attempting to [Steal Application Access '
                'Token](https://attack.mitre.org/techniques/T1528)s.(Citation: '
                'MSTIC Nobelium Oct 2021) Prior to compromising cloud '
                'accounts, adversaries may conduct Reconnaissance to inform '
                'decisions about which accounts to compromise to further their '
                'operation. In some cases, adversaries may target privileged '
                'service provider accounts with the intent of leveraging a '
                '[Trusted '
                'Relationship](https://attack.mitre.org/techniques/T1199) '
                'between service providers and their customers.(Citation: '
                'MSTIC Nobelium Oct 2021)',
 'external_references': [{'external_id': 'T1586.003',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1586/003'},
                         {'description': 'Dror Alon. (2022, December 8). '
                                         'Compromised Cloud Compute '
                                         'Credentials: Case Studies From the '
                                         'Wild. Retrieved March 9, 2023.',
                          'source_name': 'Palo Alto Unit 42 Compromised Cloud '
                                         'Compute Credentials 2022',
                          'url': 'https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/'},
                         {'description': 'Gary Golomb and Tory Kei. (n.d.). '
                                         'Threat Hunting Series: Detecting '
                                         'Command & Control in the Cloud. '
                                         'Retrieved May 27, 2022.',
                          'source_name': 'Awake Security C2 Cloud',
                          'url': 'https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/'},
                         {'description': 'Graham Edgecombe. (2024, February '
                                         '7). Phishception – SendGrid is '
                                         'abused to host phishing attacks '
                                         'impersonating itself. Retrieved '
                                         'October 15, 2024.',
                          'source_name': 'Netcraft SendGrid 2024',
                          'url': 'https://www.netcraft.com/blog/popular-email-platform-used-to-impersonate-itself/'},
                         {'description': 'Microsoft Threat Intelligence '
                                         'Center. (2021, October 25). NOBELIUM '
                                         'targeting delegated administrative '
                                         'privileges to facilitate broader '
                                         'attacks. Retrieved March 25, 2022.',
                          'source_name': 'MSTIC Nobelium Oct 2021',
                          'url': 'https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/'}],
 'id': 'attack-pattern--3d52e51e-f6db-4719-813c-48002a99f43a',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'resource-development'}],
 'modified': '2025-10-24T17:48:41.215Z',
 'name': 'Cloud Accounts',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Francesco Bigarella'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['PRE'],
 'x_mitre_version': '1.1'}