Esc
Cloud Account - T1136.003
(ATT&CK® Technique)
Definition
Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1136003["Cloud Account"] --> |creates| CloudUserAccount["Cloud User Account"]; class T1136003 OffensiveTechniqueNode;
class CloudUserAccount ArtifactNode; click CloudUserAccount href "/dao/artifact/d3f:CloudUserAccount";
click T1136003 href "/offensive-technique/attack/T1136.003/"; click CloudUserAccount href "/dao/artifact/d3f:CloudUserAccount"; T1136003["Cloud Account"] --> |creates| UserAccount["User Account"]; class T1136003 OffensiveTechniqueNode;
class UserAccount ArtifactNode; click UserAccount href "/dao/artifact/d3f:UserAccount";
click T1136003 href "/offensive-technique/attack/T1136.003/"; click UserAccount href "/dao/artifact/d3f:UserAccount"; UserAccountPermissions["User Account Permissions"] -->
| restricts | CloudUserAccount["Cloud User Account"];
UserAccountPermissions["User Account Permissions"] -.->
| may-isolate | T1136003["Cloud Account"] ;
class UserAccountPermissions DefensiveTechniqueNode;
class CloudUserAccount ArtifactNode;
click UserAccountPermissions href "/technique/d3f:UserAccountPermissions"; UnlockAccount["Unlock Account"] -->
| restores | CloudUserAccount["Cloud User Account"];
UnlockAccount["Unlock Account"] -.->
| may-restore | T1136003["Cloud Account"] ;
class UnlockAccount DefensiveTechniqueNode;
class CloudUserAccount ArtifactNode;
click UnlockAccount href "/technique/d3f:UnlockAccount"; AgentAuthentication["Agent Authentication"] -->
| strengthens | CloudUserAccount["Cloud User Account"];
AgentAuthentication["Agent Authentication"] -.->
| may-harden | T1136003["Cloud Account"] ;
class AgentAuthentication DefensiveTechniqueNode;
class CloudUserAccount ArtifactNode;
click AgentAuthentication href "/technique/d3f:AgentAuthentication"; UserAccountPermissions["User Account Permissions"] -->
| restricts | UserAccount["User Account"];
class UserAccountPermissions DefensiveTechniqueNode;
class UserAccount ArtifactNode;
click UserAccountPermissions href "/technique/d3f:UserAccountPermissions"; UnlockAccount["Unlock Account"] -->
| restores | UserAccount["User Account"];
class UnlockAccount DefensiveTechniqueNode;
class UserAccount ArtifactNode;
click UnlockAccount href "/technique/d3f:UnlockAccount"; AgentAuthentication["Agent Authentication"] -->
| strengthens | UserAccount["User Account"];
class AgentAuthentication DefensiveTechniqueNode;
class UserAccount ArtifactNode;
click AgentAuthentication href "/technique/d3f:AgentAuthentication"; RestoreUserAccountAccess["Restore User Account Access"] -->
| restores | CloudUserAccount["Cloud User Account"];
RestoreUserAccountAccess["Restore User Account Access"] -.->
| may-restore | T1136003["Cloud Account"] ;
class RestoreUserAccountAccess DefensiveTechniqueNode;
class CloudUserAccount ArtifactNode;
click RestoreUserAccountAccess href "/technique/d3f:RestoreUserAccountAccess"; AccountLocking["Account Locking"] -->
| disables | CloudUserAccount["Cloud User Account"];
AccountLocking["Account Locking"] -.->
| may-evict | T1136003["Cloud Account"] ;
class AccountLocking DefensiveTechniqueNode;
class CloudUserAccount ArtifactNode;
click AccountLocking href "/technique/d3f:AccountLocking"; RestoreUserAccountAccess["Restore User Account Access"] -->
| restores | UserAccount["User Account"];
class RestoreUserAccountAccess DefensiveTechniqueNode;
class UserAccount ArtifactNode;
click RestoreUserAccountAccess href "/technique/d3f:RestoreUserAccountAccess"; AccountLocking["Account Locking"] -->
| disables | UserAccount["User Account"];
class AccountLocking DefensiveTechniqueNode;
class UserAccount ArtifactNode;
click AccountLocking href "/technique/d3f:AccountLocking";