- Tactics
- Lateral Movement
- Platforms
- IaaS, Identity Provider, Office Suite, SaaS
- Reference
- attack.mitre.org/techniques/T1021.007
Description
Adversaries may log into accessible cloud services within a compromised environment using Valid Accounts that are synchronized with or federated to on-premises user identities. The adversary may then perform management actions or access cloud-hosted resources as the logged-on user.
Many enterprises federate centrally managed user identities to cloud services, allowing users to login with their domain credentials in order to access the cloud control plane. Similarly, adversaries may connect to available cloud services through the web console or through the cloud command line interface (CLI) (e.g., Cloud API), using commands such as Connect-AZAccount for Azure PowerShell, Connect-MgGraph for Microsoft Graph PowerShell, and gcloud auth login for the Google Cloud CLI.
In some cases, adversaries may be able to authenticate to these services via Application Access Token instead of a username and password.
How GTK Cyber trains on this
GTK Cyber's hands-on training programs cover detection engineering across the MITRE ATT&CK framework, including the Lateral Movement tactic this technique falls under. Our practitioner-led courses focus on building real detections, not just memorizing technique IDs.
Related techniques
- T1021 — Remote Services
- T1072 — Software Deployment Tools
- T1080 — Taint Shared Content
- T1091 — Replication Through Removable Media
- T1210 — Exploitation of Remote Services
- T1534 — Internal Spearphishing
- T1550 — Use Alternate Authentication Material
- T1563 — Remote Service Session Hijacking
- T1570 — Lateral Tool Transfer