Detections
Analytics
Account Manipulation: Additional Cloud Roles (Azure)
Description
An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, they may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).
Products, Sensors, and Dependencies
| Product | Dependencies | Data source | Access required | Protocol | Data Collected | Notes |
|---|---|---|---|---|---|---|
| Tenable Identity Exposure | Entra ID | Read-only | HTTPS | Application permissions | ||
| Tenable Cloud Security | Cloud | Read-only | HTTPS | List of IAM Policy |
Attack Path Technique Details
Framework: MITRE ATT&CK
Family: Persistence, Privilege Escalation
Technique: Account Manipulation
Sub-Technique: Additional Cloud Roles
Platform: Entra ID
Products Required: Tenable Cloud Security and Tenable Identity Exposure
Tenable Release Date: 2024 Q2