MITRE ATT&CK Technique
Description
Adversaries may create accounts with cloud providers that can be used during targeting. Adversaries can use cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, MEGA, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Establishing cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud) Creating [Cloud Accounts](https://attack.mitre.org/techniques/T1585/003) may also require adversaries to establish [Email Accounts](https://attack.mitre.org/techniques/T1585/002) to register with the cloud provider.
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2022-05-27T14:06:05.130Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may create accounts with cloud providers that can '
'be used during targeting. Adversaries can use cloud accounts '
'to further their operations, including leveraging cloud '
'storage services such as Dropbox, MEGA, Microsoft OneDrive, '
'or AWS S3 buckets for [Exfiltration to Cloud '
'Storage](https://attack.mitre.org/techniques/T1567/002) or to '
'[Upload '
'Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud '
'accounts can also be used in the acquisition of '
'infrastructure, such as [Virtual Private '
'Server](https://attack.mitre.org/techniques/T1583/003)s or '
'[Serverless](https://attack.mitre.org/techniques/T1583/007) '
'infrastructure. Establishing cloud accounts may allow '
'adversaries to develop sophisticated capabilities without '
'managing their own servers.(Citation: Awake Security C2 '
'Cloud)\n'
'\n'
'Creating [Cloud '
'Accounts](https://attack.mitre.org/techniques/T1585/003) may '
'also require adversaries to establish [Email '
'Accounts](https://attack.mitre.org/techniques/T1585/002) to '
'register with the cloud provider. ',
'external_references': [{'external_id': 'T1585.003',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1585/003'},
{'description': 'Gary Golomb and Tory Kei. (n.d.). '
'Threat Hunting Series: Detecting '
'Command & Control in the Cloud. '
'Retrieved May 27, 2022.',
'source_name': 'Awake Security C2 Cloud',
'url': 'https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/'}],
'id': 'attack-pattern--926d8cfd-1d0d-4da2-ab49-3ca10ec3f3b5',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'resource-development'}],
'modified': '2025-10-24T17:49:06.502Z',
'name': 'Cloud Accounts',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Francesco Bigarella'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['PRE'],
'x_mitre_version': '1.1'}