Account Manipulation: Additional Cloud Credentials

Description

Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD. [1][2][3] These credentials include both x509 keys and passwords. [1] With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.
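Because the technique adds credentials alongside the legitimate ones, a defender-side check is to diff the credentials attached to each service principal against a known-good baseline. The following is an added example, not Tenable's code or the Tenable Identity Exposure implementation; it assumes the Microsoft Graph servicePrincipal shape (keyCredentials for x509 keys, passwordCredentials for passwords, each with a keyId and startDateTime), and the sample snapshots are constructed.

```python
"""Report credentials that appeared on Entra ID service principals since a baseline.

Added example (not from the page): compares two snapshots of Microsoft Graph
servicePrincipal objects and lists x509 keys and passwords that are present now
but were absent from the baseline. Field names assume the Graph schema.
"""

# Constructed sample data: one service principal, before and after an extra
# certificate and a password were appended to its existing legitimate key.
BASELINE = [
    {"id": "sp-1", "displayName": "billing-sync",
     "keyCredentials": [{"keyId": "k-1", "type": "AsymmetricX509Cert",
                         "displayName": "CN=billing-sync",
                         "startDateTime": "2024-01-10T00:00:00Z"}],
     "passwordCredentials": []},
]
SNAPSHOT_NOW = [
    {"id": "sp-1", "displayName": "billing-sync",
     "keyCredentials": [{"keyId": "k-1", "type": "AsymmetricX509Cert",
                         "displayName": "CN=billing-sync",
                         "startDateTime": "2024-01-10T00:00:00Z"},
                        {"keyId": "k-2", "type": "AsymmetricX509Cert",
                         "displayName": "CN=devtest",
                         "startDateTime": "2024-05-02T13:41:00Z"}],
     "passwordCredentials": [{"keyId": "p-1", "displayName": "uploaded 2024-05-02",
                              "startDateTime": "2024-05-02T13:42:00Z"}]},
]


def credential_index(sp):
    """Map keyId -> (kind, credential) over both x509 keys and passwords."""
    index = {}
    for kind, field in (("x509", "keyCredentials"), ("password", "passwordCredentials")):
        for cred in sp.get(field, []):
            index[cred["keyId"]] = (kind, cred)
    return index


def new_credentials(baseline, current):
    """Credentials in `current` whose keyId is missing from `baseline`, oldest first.
    A service principal absent from the baseline has all of its credentials reported."""
    known = {sp["id"]: credential_index(sp) for sp in baseline}
    findings = []
    for sp in current:
        for key_id, (kind, cred) in credential_index(sp).items():
            if key_id not in known.get(sp["id"], {}):
                findings.append({"servicePrincipal": sp["displayName"], "kind": kind,
                                 "keyId": key_id, "label": cred.get("displayName", ""),
                                 "added": cred["startDateTime"]})
    return sorted(findings, key=lambda f: f["added"])  # ISO-8601 UTC sorts lexically


if __name__ == "__main__":
    for f in new_credentials(BASELINE, SNAPSHOT_NOW):
        print(f"{f['servicePrincipal']}: new {f['kind']} credential {f['keyId']} "
              f"({f['label']}) since {f['added']}")
```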

Products, Sensors, and Dependencies

Product                   | Dependencies | Data source | Access required | Protocol | Data Collected | Notes
Tenable Identity Exposure |              | Entra ID    | Read-only       | HTTPS    | SPN/APP        |
Tenable Identity Exposure |              | Entra ID    | Read-only       | HTTPS    | ROLES          |

Attack Path Technique Details

Framework: MITRE ATT&CK

Family: Persistence

Platform: Entra ID

Products Required: Tenable Identity Exposure

Tenable Release Date: 2024 Q2