Account Manipulation: Additional Cloud Roles

An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, they may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.[1][2][3][4] With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).[5][4]

This account modification may immediately follow Create Account or other malicious account activity. Adversaries may also modify an existing Valid Accounts that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts. For example, in Azure AD environments, an adversary with the Application Administrator role can add Additional Cloud Credentials to their application's service principal. In doing so the adversary would be able to gain the service principal’s roles and permissions, which may be different from those of the Application Administrator.[6]

ID: T1098.003
Sub-technique of:  T1098
Tactic: Persistence
Platforms: Azure AD, Google Workspace, IaaS, Office 365, SaaS
Contributors: Alex Parsons, Crowdstrike; Chris Romano, Crowdstrike; Clément Notin, Tenable; Microsoft Threat Intelligence Center (MSTIC); Pià Consigny, Tenable; Wojciech Lesicki
Version: 2.0
Created: 19 January 2020
Last Modified: 19 April 2022

Procedure Examples

ID Name Description
G0016 APT29

APT29 has granted company administrator privileges to a newly created service principal.[7]


ID Mitigation Description
M1032 Multi-factor Authentication

Use multi-factor authentication for user and privileged accounts.

M1026 Privileged Account Management

Ensure that all accounts use the least privileges they require.


ID Data Source Data Component
DS0002 User Account User Account Modification

Collect activity logs from IAM services and cloud administrator accounts to identify unusual activity in the assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins.