Esc

Cloud Accounts - T1078.004

(ATT&CK® Technique)

Definition

Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.

D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.

        graph LR;

     T1078004["Cloud Accounts"] --> |uses| UserAccount["User Account"]; class T1078004 OffensiveTechniqueNode;
        class UserAccount ArtifactNode; click UserAccount href "../../../dao/artifact/d3f:UserAccount";
        click T1078004 href "../../../offensive-technique/attack/T1078.004/"; click UserAccount href "../../../dao/artifact/d3f:UserAccount"; T1078004["Cloud Accounts"] --> |uses| CloudUserAccount["Cloud User Account"]; class T1078004 OffensiveTechniqueNode;
        class CloudUserAccount ArtifactNode; click CloudUserAccount href "../../../dao/artifact/d3f:CloudUserAccount";
        click T1078004 href "../../../offensive-technique/attack/T1078.004/"; click CloudUserAccount href "../../../dao/artifact/d3f:CloudUserAccount";                AccountLocking["Account Locking"] -->
          | disables | UserAccount["User Account"];

          AccountLocking["Account Locking"] -.->
            | may-evict | T1078004["Cloud Accounts"] ;
          class AccountLocking DefensiveTechniqueNode;
          class UserAccount ArtifactNode;
          click AccountLocking href "../../../technique/d3f:AccountLocking"; AccountLocking["Account Locking"] -->
          | disables | CloudUserAccount["Cloud User Account"];

          
          class AccountLocking DefensiveTechniqueNode;
          class CloudUserAccount ArtifactNode;
          click AccountLocking href "../../../technique/d3f:AccountLocking"; UnlockAccount["Unlock Account"] -->
          | restores | CloudUserAccount["Cloud User Account"];

          UnlockAccount["Unlock Account"] -.->
            | may-restore | T1078004["Cloud Accounts"] ;
          class UnlockAccount DefensiveTechniqueNode;
          class CloudUserAccount ArtifactNode;
          click UnlockAccount href "../../../technique/d3f:UnlockAccount"; UnlockAccount["Unlock Account"] -->
          | restores | UserAccount["User Account"];

          
          class UnlockAccount DefensiveTechniqueNode;
          class UserAccount ArtifactNode;
          click UnlockAccount href "../../../technique/d3f:UnlockAccount"; ChangeDefaultPassword["Change Default Password"] -->
          | strengthens | UserAccount["User Account"];

          ChangeDefaultPassword["Change Default Password"] -.->
            | may-harden | T1078004["Cloud Accounts"] ;
          class ChangeDefaultPassword DefensiveTechniqueNode;
          class UserAccount ArtifactNode;
          click ChangeDefaultPassword href "../../../technique/d3f:ChangeDefaultPassword"; ChangeDefaultPassword["Change Default Password"] -->
          | strengthens | CloudUserAccount["Cloud User Account"];

          
          class ChangeDefaultPassword DefensiveTechniqueNode;
          class CloudUserAccount ArtifactNode;
          click ChangeDefaultPassword href "../../../technique/d3f:ChangeDefaultPassword";                                                         AgentAuthentication["Agent Authentication"] -->
          | strengthens | UserAccount["User Account"];

          AgentAuthentication["Agent Authentication"] -.->
            | may-harden | T1078004["Cloud Accounts"] ;
          class AgentAuthentication DefensiveTechniqueNode;
          class UserAccount ArtifactNode;
          click AgentAuthentication href "../../../technique/d3f:AgentAuthentication"; AgentAuthentication["Agent Authentication"] -->
          | strengthens | CloudUserAccount["Cloud User Account"];

          
          class AgentAuthentication DefensiveTechniqueNode;
          class CloudUserAccount ArtifactNode;
          click AgentAuthentication href "../../../technique/d3f:AgentAuthentication";                 RestoreUserAccountAccess["Restore User Account Access"] -->
          | restores | UserAccount["User Account"];

          RestoreUserAccountAccess["Restore User Account Access"] -.->
            | may-restore | T1078004["Cloud Accounts"] ;
          class RestoreUserAccountAccess DefensiveTechniqueNode;
          class UserAccount ArtifactNode;
          click RestoreUserAccountAccess href "../../../technique/d3f:RestoreUserAccountAccess"; RestoreUserAccountAccess["Restore User Account Access"] -->
          | restores | CloudUserAccount["Cloud User Account"];

          
          class RestoreUserAccountAccess DefensiveTechniqueNode;
          class CloudUserAccount ArtifactNode;
          click RestoreUserAccountAccess href "../../../technique/d3f:RestoreUserAccountAccess"; UserAccountPermissions["User Account Permissions"] -->
          | restricts | UserAccount["User Account"];

          UserAccountPermissions["User Account Permissions"] -.->
            | may-isolate | T1078004["Cloud Accounts"] ;
          class UserAccountPermissions DefensiveTechniqueNode;
          class UserAccount ArtifactNode;
          click UserAccountPermissions href "../../../technique/d3f:UserAccountPermissions"; UserAccountPermissions["User Account Permissions"] -->
          | restricts | CloudUserAccount["Cloud User Account"];

          
          class UserAccountPermissions DefensiveTechniqueNode;
          class CloudUserAccount ArtifactNode;
          click UserAccountPermissions href "../../../technique/d3f:UserAccountPermissions";

json