MITRE ATT&CK Technique
Description
Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation) Service or user accounts may be targeted by adversaries through [Brute Force](https://attack.mitre.org/techniques/T1110), [Phishing](https://attack.mitre.org/techniques/T1566), or various other means to gain access to the environment. Federated or synced accounts may be a pathway for the adversary to affect both on-premises systems and cloud environments - for example, by leveraging shared credentials to log onto [Remote Services](https://attack.mitre.org/techniques/T1021). High privileged cloud accounts, whether federated, synced, or cloud-only, may also allow pivoting to on-premises environments by leveraging SaaS-based [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) to run commands on hybrid-joined devices. An adversary may create long lasting [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) on a compromised cloud account to maintain persistence in the environment. Such credentials may also be used to bypass security controls such as multi-factor authentication. Cloud accounts may also be able to assume [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005) or other privileges through various means within the environment. Misconfigurations in role assignments or role assumption policies may allow an adversary to use these mechanisms to leverage permissions outside the intended scope of the account. Such over privileged accounts may be used to harvest sensitive data from online storage accounts and databases through [Cloud API](https://attack.mitre.org/techniques/T1059/009) or other methods. For example, in Azure environments, adversaries may target Azure Managed Identities, which allow associated Azure resources to request access tokens. By compromising a resource with an attached Managed Identity, such as an Azure VM, adversaries may be able to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s to move laterally across the cloud environment.(Citation: SpecterOps Managed Identity 2022)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-03-13T20:36:57.378Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Valid accounts in cloud environments may allow adversaries to '
'perform actions to achieve Initial Access, Persistence, '
'Privilege Escalation, or Defense Evasion. Cloud accounts are '
'those created and configured by an organization for use by '
'users, remote support, services, or for administration of '
'resources within a cloud service provider or SaaS '
'application. Cloud Accounts can exist solely in the cloud; '
'alternatively, they may be hybrid-joined between on-premises '
'systems and the cloud through syncing or federation with '
'other identity sources such as Windows Active '
'Directory.(Citation: AWS Identity Federation)(Citation: '
'Google Federating GC)(Citation: Microsoft Deploying AD '
'Federation)\n'
'\n'
'Service or user accounts may be targeted by adversaries '
'through [Brute '
'Force](https://attack.mitre.org/techniques/T1110), '
'[Phishing](https://attack.mitre.org/techniques/T1566), or '
'various other means to gain access to the environment. '
'Federated or synced accounts may be a pathway for the '
'adversary to affect both on-premises systems and cloud '
'environments - for example, by leveraging shared credentials '
'to log onto [Remote '
'Services](https://attack.mitre.org/techniques/T1021). High '
'privileged cloud accounts, whether federated, synced, or '
'cloud-only, may also allow pivoting to on-premises '
'environments by leveraging SaaS-based [Software Deployment '
'Tools](https://attack.mitre.org/techniques/T1072) to run '
'commands on hybrid-joined devices.\n'
'\n'
'An adversary may create long lasting [Additional Cloud '
'Credentials](https://attack.mitre.org/techniques/T1098/001) '
'on a compromised cloud account to maintain persistence in the '
'environment. Such credentials may also be used to bypass '
'security controls such as multi-factor authentication. \n'
'\n'
'Cloud accounts may also be able to assume [Temporary Elevated '
'Cloud Access](https://attack.mitre.org/techniques/T1548/005) '
'or other privileges through various means within the '
'environment. Misconfigurations in role assignments or role '
'assumption policies may allow an adversary to use these '
'mechanisms to leverage permissions outside the intended scope '
'of the account. Such over privileged accounts may be used to '
'harvest sensitive data from online storage accounts and '
'databases through [Cloud '
'API](https://attack.mitre.org/techniques/T1059/009) or other '
'methods. For example, in Azure environments, adversaries may '
'target Azure Managed Identities, which allow associated Azure '
'resources to request access tokens. By compromising a '
'resource with an attached Managed Identity, such as an Azure '
'VM, adversaries may be able to [Steal Application Access '
'Token](https://attack.mitre.org/techniques/T1528)s to move '
'laterally across the cloud environment.(Citation: SpecterOps '
'Managed Identity 2022)',
'external_references': [{'external_id': 'T1078.004',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1078/004'},
{'description': 'Amazon. (n.d.). Identity Federation '
'in AWS. Retrieved March 13, 2020.',
'source_name': 'AWS Identity Federation',
'url': 'https://aws.amazon.com/identity/federation/'},
{'description': 'Andy Robbins. (2022, June 6). '
'Managed Identity Attack Paths, Part '
'1: Automation Accounts. Retrieved '
'March 18, 2025.',
'source_name': 'SpecterOps Managed Identity 2022',
'url': 'https://posts.specterops.io/managed-identity-attack-paths-part-1-automation-accounts-82667d17187a?gi=6a9daedade1c'},
{'description': 'Google. (n.d.). Federating Google '
'Cloud with Active Directory. '
'Retrieved March 13, 2020.',
'source_name': 'Google Federating GC',
'url': 'https://cloud.google.com/solutions/federating-gcp-with-active-directory-introduction'},
{'description': 'Microsoft. (n.d.). Deploying Active '
'Directory Federation Services in '
'Azure. Retrieved March 13, 2020.',
'source_name': 'Microsoft Deploying AD Federation',
'url': 'https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs'}],
'id': 'attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'privilege-escalation'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'initial-access'}],
'modified': '2025-10-24T17:49:35.682Z',
'name': 'Cloud Accounts',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Jon Sternstein, Stern Security',
'Arun Seelagan, CISA',
'Eliraz Levi, Hunters Security',
'Alon Klayman, Hunters Security'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['IaaS', 'Identity Provider', 'Office Suite', 'SaaS'],
'x_mitre_version': '1.9'}