Esc
Cloud Accounts - T1078.004
(ATT&CK® Technique)
Definition
Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1078004["Cloud Accounts"] --> |uses| UserAccount["User Account"]; class T1078004 OffensiveTechniqueNode;
class UserAccount ArtifactNode; click UserAccount href "/dao/artifact/d3f:UserAccount";
click T1078004 href "/offensive-technique/attack/T1078.004/"; click UserAccount href "/dao/artifact/d3f:UserAccount"; T1078004["Cloud Accounts"] --> |produces| Authentication["Authentication"]; class T1078004 OffensiveTechniqueNode;
class Authentication ArtifactNode; click Authentication href "/dao/artifact/d3f:Authentication";
click T1078004 href "/offensive-technique/attack/T1078.004/"; click Authentication href "/dao/artifact/d3f:Authentication"; T1078004["Cloud Accounts"] --> |produces| Authorization["Authorization"]; class T1078004 OffensiveTechniqueNode;
class Authorization ArtifactNode; click Authorization href "/dao/artifact/d3f:Authorization";
click T1078004 href "/offensive-technique/attack/T1078.004/"; click Authorization href "/dao/artifact/d3f:Authorization"; T1078004["Cloud Accounts"] --> |uses| CloudUserAccount["Cloud User Account"]; class T1078004 OffensiveTechniqueNode;
class CloudUserAccount ArtifactNode; click CloudUserAccount href "/dao/artifact/d3f:CloudUserAccount";
click T1078004 href "/offensive-technique/attack/T1078.004/"; click CloudUserAccount href "/dao/artifact/d3f:CloudUserAccount"; RestoreUserAccountAccess["Restore User Account Access"] -->
| restores | UserAccount["User Account"];
RestoreUserAccountAccess["Restore User Account Access"] -.->
| May Restore | T1078004["Cloud Accounts"] ;
class RestoreUserAccountAccess DefensiveTechniqueNode;
class UserAccount ArtifactNode;
click RestoreUserAccountAccess href "/technique/d3f:RestoreUserAccountAccess"; RestoreUserAccountAccess["Restore User Account Access"] -->
| restores | CloudUserAccount["Cloud User Account"];
class RestoreUserAccountAccess DefensiveTechniqueNode;
class CloudUserAccount ArtifactNode;
click RestoreUserAccountAccess href "/technique/d3f:RestoreUserAccountAccess"; AuthenticationEventThresholding["Authentication Event Thresholding"] -->
| analyzes | Authentication["Authentication"];
AuthenticationEventThresholding["Authentication Event Thresholding"] -.->
| May Detect | T1078004["Cloud Accounts"] ;
class AuthenticationEventThresholding DefensiveTechniqueNode;
class Authentication ArtifactNode;
click AuthenticationEventThresholding href "/technique/d3f:AuthenticationEventThresholding"; AuthorizationEventThresholding["Authorization Event Thresholding"] -->
| analyzes | Authorization["Authorization"];
AuthorizationEventThresholding["Authorization Event Thresholding"] -.->
| May Detect | T1078004["Cloud Accounts"] ;
class AuthorizationEventThresholding DefensiveTechniqueNode;
class Authorization ArtifactNode;
click AuthorizationEventThresholding href "/technique/d3f:AuthorizationEventThresholding"; JobFunctionAccessPatternAnalysis["Job Function Access Pattern Analysis"] -->
| analyzes | Authorization["Authorization"];
JobFunctionAccessPatternAnalysis["Job Function Access Pattern Analysis"] -.->
| May Detect | T1078004["Cloud Accounts"] ;
class JobFunctionAccessPatternAnalysis DefensiveTechniqueNode;
class Authorization ArtifactNode;
click JobFunctionAccessPatternAnalysis href "/technique/d3f:JobFunctionAccessPatternAnalysis"; ResourceAccessPatternAnalysis["Resource Access Pattern Analysis"] -->
| analyzes | Authentication["Authentication"];
ResourceAccessPatternAnalysis["Resource Access Pattern Analysis"] -.->
| May Detect | T1078004["Cloud Accounts"] ;
class ResourceAccessPatternAnalysis DefensiveTechniqueNode;
class Authentication ArtifactNode;
click ResourceAccessPatternAnalysis href "/technique/d3f:ResourceAccessPatternAnalysis"; ResourceAccessPatternAnalysis["Resource Access Pattern Analysis"] -->
| analyzes | Authorization["Authorization"];
class ResourceAccessPatternAnalysis DefensiveTechniqueNode;
class Authorization ArtifactNode;
click ResourceAccessPatternAnalysis href "/technique/d3f:ResourceAccessPatternAnalysis"; SessionDurationAnalysis["Session Duration Analysis"] -->
| analyzes | Authentication["Authentication"];
SessionDurationAnalysis["Session Duration Analysis"] -.->
| May Detect | T1078004["Cloud Accounts"] ;
class SessionDurationAnalysis DefensiveTechniqueNode;
class Authentication ArtifactNode;
click SessionDurationAnalysis href "/technique/d3f:SessionDurationAnalysis"; SessionDurationAnalysis["Session Duration Analysis"] -->
| analyzes | Authorization["Authorization"];
class SessionDurationAnalysis DefensiveTechniqueNode;
class Authorization ArtifactNode;
click SessionDurationAnalysis href "/technique/d3f:SessionDurationAnalysis"; UserAccountPermissions["User Account Permissions"] -->
| restricts | CloudUserAccount["Cloud User Account"];
UserAccountPermissions["User Account Permissions"] -.->
| May Harden | T1078004["Cloud Accounts"] ;
class UserAccountPermissions DefensiveTechniqueNode;
class CloudUserAccount ArtifactNode;
click UserAccountPermissions href "/technique/d3f:UserAccountPermissions"; Multi-factorAuthentication["Multi-factor Authentication"] -->
| authenticates | CloudUserAccount["Cloud User Account"];
Multi-factorAuthentication["Multi-factor Authentication"] -.->
| May Harden | T1078004["Cloud Accounts"] ;
class Multi-factorAuthentication DefensiveTechniqueNode;
class CloudUserAccount ArtifactNode;
click Multi-factorAuthentication href "/technique/d3f:Multi-factorAuthentication"; One-timePassword["One-time Password"] -->
| authenticates | UserAccount["User Account"];
One-timePassword["One-time Password"] -.->
| May Harden | T1078004["Cloud Accounts"] ;
class One-timePassword DefensiveTechniqueNode;
class UserAccount ArtifactNode;
click One-timePassword href "/technique/d3f:One-timePassword"; One-timePassword["One-time Password"] -->
| authenticates | CloudUserAccount["Cloud User Account"];
class One-timePassword DefensiveTechniqueNode;
class CloudUserAccount ArtifactNode;
click One-timePassword href "/technique/d3f:One-timePassword"; StrongPasswordPolicy["Strong Password Policy"] -->
| strengthens | UserAccount["User Account"];
StrongPasswordPolicy["Strong Password Policy"] -.->
| May Harden | T1078004["Cloud Accounts"] ;
class StrongPasswordPolicy DefensiveTechniqueNode;
class UserAccount ArtifactNode;
click StrongPasswordPolicy href "/technique/d3f:StrongPasswordPolicy"; StrongPasswordPolicy["Strong Password Policy"] -->
| strengthens | CloudUserAccount["Cloud User Account"];
class StrongPasswordPolicy DefensiveTechniqueNode;
class CloudUserAccount ArtifactNode;
click StrongPasswordPolicy href "/technique/d3f:StrongPasswordPolicy"; UserAccountPermissions["User Account Permissions"] -->
| restricts | UserAccount["User Account"];
class UserAccountPermissions DefensiveTechniqueNode;
class UserAccount ArtifactNode;
click UserAccountPermissions href "/technique/d3f:UserAccountPermissions"; Multi-factorAuthentication["Multi-factor Authentication"] -->
| authenticates | UserAccount["User Account"];
class Multi-factorAuthentication DefensiveTechniqueNode;
class UserAccount ArtifactNode;
click Multi-factorAuthentication href "/technique/d3f:Multi-factorAuthentication"; AccountLocking["Account Locking"] -->
| disables | UserAccount["User Account"];
AccountLocking["Account Locking"] -.->
| May Evict | T1078004["Cloud Accounts"] ;
class AccountLocking DefensiveTechniqueNode;
class UserAccount ArtifactNode;
click AccountLocking href "/technique/d3f:AccountLocking"; AccountLocking["Account Locking"] -->
| disables | CloudUserAccount["Cloud User Account"];
class AccountLocking DefensiveTechniqueNode;
class CloudUserAccount ArtifactNode;
click AccountLocking href "/technique/d3f:AccountLocking"; BiometricAuthentication["Biometric Authentication"] -->
| authenticates | UserAccount["User Account"];
BiometricAuthentication["Biometric Authentication"] -.->
| May Harden | T1078004["Cloud Accounts"] ;
class BiometricAuthentication DefensiveTechniqueNode;
class UserAccount ArtifactNode;
click BiometricAuthentication href "/technique/d3f:BiometricAuthentication"; BiometricAuthentication["Biometric Authentication"] -->
| authenticates | CloudUserAccount["Cloud User Account"];
class BiometricAuthentication DefensiveTechniqueNode;
class CloudUserAccount ArtifactNode;
click BiometricAuthentication href "/technique/d3f:BiometricAuthentication"; UnlockAccount["Unlock Account"] -->
| restores | UserAccount["User Account"];
UnlockAccount["Unlock Account"] -.->
| May Restore | T1078004["Cloud Accounts"] ;
class UnlockAccount DefensiveTechniqueNode;
class UserAccount ArtifactNode;
click UnlockAccount href "/technique/d3f:UnlockAccount"; UnlockAccount["Unlock Account"] -->
| restores | CloudUserAccount["Cloud User Account"];
class UnlockAccount DefensiveTechniqueNode;
class CloudUserAccount ArtifactNode;
click UnlockAccount href "/technique/d3f:UnlockAccount";