Last reviewed:
T1098.001 is the cloud-specific persistence move of adding attacker-controlled credentials, access keys, or certificates to a compromised cloud account. DCV's most distinctive signal is GCP SCC's SERVICE_ACCOUNT_ANOMALOUS_TOKEN_CREATION, which flags credential creation that bypasses normal provisioning workflows. The remediation template wires CloudTrail monitoring for CreateAccessKey, CreateLoginProfile, and AttachUserPolicy events, plus Config rules for access-key age. Add-credential persistence is among the highest-fidelity cloud breach signals once you have the right CloudTrail wiring in place.
Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.
For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure / Entra ID. These credentials include both x509 keys and passwords. With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.
In infrastructure-as-a-service (IaaS) environments, after gaining access through Cloud Accounts, adversaries may generate or import their own SSH keys using either the <code>CreateKeyPair</code> or <code>ImportKeyPair</code> API in AWS or the <code>gcloud compute os-login ssh-keys add</code> command in GCP. This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.
Adversaries may also use the <code>CreateAccessKey</code> API in AWS or the <code>gcloud iam service-accounts keys create</code> command in GCP to add access keys to an account. Alternatively, they may use the <code>CreateLoginProfile</code> API in AWS to add a password that can be used to log into the AWS Management Console for Cloud Service Dashboard. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. Cloud Accounts). For example, in Entra ID environments, an adversary with the Application Administrator role can add a new set of credentials to their application's service principal. In doing so the adversary would be able to access the service principal’s roles and permissions, which may be different from those of the Application Administrator.
In AWS environments, adversaries with the appropriate permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials to Forge Web Credentials tied to the permissions of the original user account. These temporary credentials may remain valid for the duration of their lifetime even if the original account’s API credentials are deactivated.
In Entra ID environments with the app password feature enabled, adversaries may be able to add an app password to a user account. As app passwords are intended to be used with legacy devices that do not support multi-factor authentication (MFA), adding an app password can allow an adversary to bypass MFA requirements. Additionally, app passwords may remain valid even if the user’s primary password is reset.
Platforms: IaaS, Identity Provider, SaaS.
DCV maps 19 detections across 2 cloud providers to T1098.001. Coverage by source:
| Source | Cloud | Findings mapped | Avg confidence |
|---|---|---|---|
| AWS Config Rules | AWS | 6 | 0.50 |
| GCP Security Command Center | GCP | 6 | 0.83 |
| AWS Security Hub | AWS | 4 | 0.85 |
| AWS GuardDuty | AWS | 2 | 0.80 |
| GCP Chronicle | GCP | 1 | 0.85 |
CloudSigma ships 19 production-ready Sigma rules that detect T1098.001 across 4 platforms. Every rule below is validated against its source SIEM dialect before publication.
title: Azure AD Application Credential Addition for Persistence
id: 13fdbcb8-5d98-4d7a-b36b-025eed673f4b
status: test
description: >
Detects addition of new credentials (passwords or certificates) to Azure AD
application registrations or service principals. Adversaries use this to
maintain persistent access to Azure environments via OAuth2 flows.
author: CloudSigma
date: 2026-02-06
references:
- https://attack.mitre.org/techniques/T1098/001/
- https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1098.001
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName.value:
- Microsoft.KeyVault/vaults/secrets/write
- Microsoft.ManagedIdentity/userAssignedIdentities/write
status.value: Succeeded
condition: selection
falsepositives:
- DevOps teams adding certificates for automated deployment pipelines
- Scheduled certificate rotation for Azure App Service custom domains
level: high
T1098.001 is the cloud-specific persistence move of adding attacker-controlled credentials, access keys, or certificates to a compromised cloud account. DCV's most distinctive signal is GCP SCC's SERVICE_ACCOUNT_ANOMALOUS_TOKEN_CREATION, which flags credential creation that bypasses normal provisioning workflows. The remediation template wires CloudTrail monitoring for CreateAccessKey, CreateLoginProfile, and AttachUserPolicy events, plus Config rules for access-key age. Add-credential persistence is among the highest-fidelity cloud breach signals once you have the right CloudTrail wiring in place.
DCV maps 19 cloud-native detections to T1098.001 across 2 cloud providers, drawn from AWS Config Rules, AWS GuardDuty, AWS Security Hub, GCP Chronicle and GCP Security Command Center.
T1098.001 is part of MITRE ATT&CK TA0003 Persistence: How adversaries keep their foothold across reboots and credential rotations.
CloudSigma ships 4 validated Sigma rules for T1098.001 across AWS CloudTrail, Azure Activity, GCP Audit Logs and Kubernetes Audit. Each rule is validated against its source SIEM dialect before publication.