Info
ID: AT-GA006.001
Tactic: Gain Access
Technique: Valid Accounts
Platforms: IaaS
Cloud Accounts
Cloud accounts are a primary attack vector in the "Gain Access" phase: adversaries use compromised or newly created credentials to authenticate to cloud environments and the resources they govern. This sub-technique of "Valid Accounts" covers compromising existing credentials (phishing, credential stuffing, password spraying, or harvesting keys from a compromised endpoint), creating accounts through social engineering or misconfigured cloud services, and abusing service accounts that hold elevated privileges, which also give the adversary durable access. Because the credentials are legitimate, the adversary bypasses controls that key on malicious tooling, operates as an authorized user, reaches data across multiple cloud service models (IaaS, PaaS, SaaS), and can move laterally within the cloud infrastructure. The impact is amplified by the broad, cross-service permissions that cloud accounts frequently hold, especially in environments with weak permission boundaries or limited monitoring.
Procedure Examples
ID | Name | Description |
---|---|---|
AC-0001 | ByBit $1.5B Crypto Heist | The attackers harvested Developer1's AWS credentials from the compromised macOS workstation, gaining legitimate access to Safe{Wallet}'s AWS infrastructure. |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1032 | Multi-Factor Authentication | Require MFA for every console and interactive login, and condition sensitive API actions on an MFA-authenticated session; bind service-account tokens to workload identity or hardware keys so that a stolen long-lived credential cannot be replayed from another host. |
M1026 | Privileged Account Management | Implement least-privilege roles, just-in-time elevation, and continuous access reviews so that any compromised account offers minimal blast radius within the IaaS estate. |
M1036 | Account Use Policies | Enforce session-lifetime limits, geo/IP allow-lists, and automated key rotation to restrict when and where credentials may be used, frustrating long-lived adversary sessions. |
Detection
ID | Data Source | Detection |
---|---|---|
DS0028 | Logon Session – Creation / Metadata | Correlate active sessions across cloud IdPs with physical-access or VPN telemetry; flag logons whose source IP, device fingerprint, or geolocation is inconsistent with the user’s presence (e.g., session token issued while the badge system shows the user off-site). |
DS0002 | User Account – Authentication | Detect anomalous sign-ins: impossible travel, first-seen device, unmanaged OS, or automation-tool user agents (python-requests, curl, aws-cli). Elevate severity if the session is immediately followed by privileged API calls. |
DS0025 | Cloud Service – Modification | Alert when IAM roles, policies, or access keys are created/updated in a way that broadens privileges and lacks a corresponding change-ticket in CMDB or approval workflow. |
DS0132 | Network Traffic – Flow | Baseline source ASN / region for each service or access key; trigger when API traffic originates from residential, VPS, or never-seen regions — especially within minutes of a password reset or MFA bypass. |
DS0059 | Cloud Storage – Access | Raise an alert when a principal downloads data volumes or object counts that exceed historical norms or performs fetching loops across many buckets immediately after key creation. |
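The authentication, cloud-service-modification and cloud-storage rows above describe three checks that are most useful when correlated on the same principal. The script below is an added example, not detection content from the page: it runs offline over constructed CloudTrail-shaped events and flags (1) a first-seen source IP or automation user agent for a principal, (2) a privilege-broadening IAM call, escalated to high severity when it lands within an assumed 10-minute window of that anomalous session, and (3) a burst of `GetObject` calls by one principal. The privileged-call watch-list, the thresholds, the baseline IPs and every sample value are assumptions; `AKIAIOSFODNN7EXAMPLE` is the access key AWS uses in its own documentation, and the IP addresses are from the RFC 5737 test ranges.

```python
"""Added example: toy detector for the User Account, Cloud Service and Cloud Storage
rows above. Runs over constructed CloudTrail-shaped events; the watch-list,
thresholds and sample data are assumptions, not telemetry from any real incident."""
from collections import defaultdict
from datetime import datetime, timedelta

# IAM calls that mint credentials or broaden privilege (assumed watch-list).
PRIVILEGED_IAM_CALLS = {
    "CreateAccessKey", "CreateUser", "CreateLoginProfile", "AddUserToGroup",
    "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy",
    "UpdateAssumeRolePolicy",
}
AUTOMATION_AGENTS = ("python-requests", "curl", "aws-cli", "Boto3")
WINDOW = timedelta(minutes=10)   # anomalous session -> privileged call correlation window
BULK_GET_THRESHOLD = 5           # GetObject calls per principal inside WINDOW

# Constructed sample data. AKIAIOSFODNN7EXAMPLE is AWS's documentation example key;
# 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 test networks.
STOLEN_KEY = "AKIAIOSFODNN7EXAMPLE"
CI_ROLE = "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-42"
ALICE = "arn:aws:iam::123456789012:user/alice"
OFFICE_IP, VPS_IP = "203.0.113.10", "198.51.100.7"
CLI_UA = "aws-cli/2.15.0 Python/3.11.6 Darwin/23.1.0 source/arm64"
BROWSER_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36"


def _event(time, source, name, who, ip, ua):
    ident = {"accessKeyId": who} if who.startswith("AKIA") else {"arn": who}
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": ident, "sourceIPAddress": ip, "userAgent": ua}


SAMPLE_EVENTS = [
    _event("2024-05-01T09:58:00Z", "sts.amazonaws.com", "GetCallerIdentity", CI_ROLE, OFFICE_IP, CLI_UA),
    _event("2024-05-01T10:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", STOLEN_KEY, VPS_IP, CLI_UA),
    _event("2024-05-01T10:02:00Z", "iam.amazonaws.com", "CreateAccessKey", STOLEN_KEY, VPS_IP, CLI_UA),
] + [
    _event(f"2024-05-01T10:0{m}:00Z", "s3.amazonaws.com", "GetObject", STOLEN_KEY, VPS_IP, CLI_UA)
    for m in range(3, 8)
] + [
    _event("2024-05-01T11:30:00Z", "s3.amazonaws.com", "ListBuckets", ALICE, OFFICE_IP, BROWSER_UA),
]
# Source IPs seen for each principal during a (constructed) baseline period.
BASELINE_IPS = {STOLEN_KEY: {OFFICE_IP}, CI_ROLE: {OFFICE_IP}, ALICE: {OFFICE_IP}}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _principal(ev):
    ident = ev["userIdentity"]
    return ident.get("accessKeyId") or ident["arn"]


def detect(events, baseline_ips):
    """Return (severity, principal, message) tuples in event-time order."""
    findings = []
    anomalous_since = {}        # principal -> time of its first anomalous event
    gets = defaultdict(list)    # principal -> GetObject timestamps inside WINDOW
    bulk_flagged = set()
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        who, t = _principal(ev), _ts(ev["eventTime"])
        ip, ua, name = ev["sourceIPAddress"], ev.get("userAgent", ""), ev["eventName"]

        # User Account - Authentication: first-seen source IP or automation user agent.
        reasons = []
        if ip not in baseline_ips.get(who, set()):
            reasons.append("new-source-ip")
        if ua.startswith(AUTOMATION_AGENTS):
            reasons.append("automation-ua")
        if reasons and who not in anomalous_since:
            anomalous_since[who] = t
            severity = "medium" if "new-source-ip" in reasons else "low"
            findings.append((severity, who, f"anomalous session ({', '.join(reasons)}) from {ip}"))

        # Cloud Service - Modification: privilege-broadening IAM call, escalated when
        # it follows the principal's anomalous session within WINDOW.
        if ev["eventSource"] == "iam.amazonaws.com" and name in PRIVILEGED_IAM_CALLS:
            recent = who in anomalous_since and t - anomalous_since[who] <= WINDOW
            findings.append(("high" if recent else "medium", who,
                             f"privilege-broadening call {name} from {ip}"))

        # Cloud Storage - Access: burst of object fetches by one principal.
        if ev["eventSource"] == "s3.amazonaws.com" and name == "GetObject" and who not in bulk_flagged:
            gets[who] = [x for x in gets[who] if t - x <= WINDOW] + [t]
            if len(gets[who]) >= BULK_GET_THRESHOLD:
                bulk_flagged.add(who)
                findings.append(("high", who, f"{len(gets[who])} GetObject calls within {WINDOW}"))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS, BASELINE_IPS):
        print(*finding)
```

On the sample data the CI role's `aws-cli` call from a known office address produces only a low-severity note, which is the noise an allow-list of known automation principals would suppress; the stolen key's new-source session, the `CreateAccessKey` two minutes later, and the five `GetObject` calls that follow are the medium/high/high chain the detection rows describe. In production the events would come from CloudTrail (via Athena, a SIEM, or EventBridge), and the baseline would be learned from history rather than hard-coded.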