Additional Cloud Roles - T1098.003
(ATT&CK® Technique)
Definition
An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments. With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).
D3FEND Inferred Relationships
The D3FEND knowledge graph infers the following relationships for this technique.
Additional Cloud Roles (T1098.003) modifies: Global User Account, User Account.
Account Locking: disables Global User Account and User Account; may evict Additional Cloud Roles.
User Account Permissions: restricts Global User Account and User Account; may harden against Additional Cloud Roles.
Biometric Authentication: authenticates Global User Account and User Account; may harden against Additional Cloud Roles.
Multi-factor Authentication: authenticates Global User Account and User Account; may harden against Additional Cloud Roles.
One-time Password: authenticates Global User Account and User Account; may harden against Additional Cloud Roles.
Strong Password Policy: strengthens Global User Account and User Account; may harden against Additional Cloud Roles.
Domain Account Monitoring: monitors Global User Account; may detect Additional Cloud Roles.
Restore User Account Access: restores Global User Account and User Account; may restore after Additional Cloud Roles.
Unlock Account: restores Global User Account and User Account; may restore after Additional Cloud Roles.