T1098.003 is privilege escalation by role grant performed for staying power: a foothold identity attaches administrator roles to an account the attacker controls. Few cloud-takeover write-ups omit it. DCV observes the move through GuardDuty's Persistence:IAMUser finding variants covering anomalous permission changes, and on Azure through the Defender check that service principals carry no administrative roles, backed by CIS privileged-identity-management review controls. The grant event is the alarm; by the time the new role is exercised you are reading history.
An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments. With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).
This account modification may immediately follow Create Account or other malicious account activity. Adversaries may also modify existing Valid Accounts that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.
For example, in AWS environments, an adversary with appropriate permissions may be able to use the `CreatePolicyVersion` API to define a new version of an IAM policy or the `AttachUserPolicy` API to attach an IAM policy with additional or distinct permissions to a compromised user account.
In some cases, adversaries may add roles to adversary-controlled accounts outside the victim cloud tenant. This allows these external accounts to perform actions inside the victim tenant without requiring the adversary to Create Account or modify a victim-owned account.
Platforms: IaaS, Identity Provider, Office Suite, SaaS.
DCV maps 6 detections across 2 cloud providers to T1098.003. Coverage by source:
| Source | Cloud | Findings mapped | Avg confidence |
|---|---|---|---|
| AWS GuardDuty | AWS | 3 | 0.82 |
| Azure Regulatory Compliance | Azure | 2 | 0.90 |
| Microsoft Defender for Cloud | Azure | 1 | 0.90 |
CloudSigma has coverage metadata for 6 T1098.003 rules across 3 platforms, but no public example rule clears the embed bar for this page yet. The linked platform page remains the canonical rule surface; this page will embed an example once a rule clears the bar. In the meantime, generate a fresh starting-point rule in CloudSigma from the relevant advisory or threat-research input, then validate it against your local telemetry before enabling it in production.
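The following is an added example, not DCV's or CloudSigma's code, showing the kind of grant-event logic the technique description above calls for and that the previous paragraph says you should validate against local telemetry before enabling. It classifies AWS CloudTrail IAM records (the `AttachUserPolicy` and `CreatePolicyVersion` calls named in the ATT&CK text, plus inline-policy writes, group membership changes and trust-policy edits that open a role to an external account) and runs over constructed records. The managed-policy ARNs are real AWS values; the account ids, user names, event ids and severity labels are this example's own assumptions.

```python
"""Added example (not DCV's or CloudSigma's code): classify AWS CloudTrail IAM
events that grant an existing principal additional permissions (T1098.003)
and run the logic over constructed records."""
import json

# Real AWS managed-policy ARN; event-name sets below are this example's own grouping.
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
ATTACH_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"}
INLINE_EVENTS = {"PutUserPolicy", "PutRolePolicy", "PutGroupPolicy", "CreatePolicyVersion"}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _statements(doc):
    st = doc.get("Statement", [])
    return [st] if isinstance(st, dict) else st


def grants_full_admin(policy_doc):
    """True when an Allow statement covers Action '*' on Resource '*'."""
    return any(st.get("Effect") == "Allow" and "*" in _as_list(st.get("Action"))
               and "*" in _as_list(st.get("Resource")) for st in _statements(policy_doc))


def external_accounts(trust_doc, own_account):
    """Account ids (or '*') allowed to assume a role that are not the tenant's own account."""
    found = set()
    for st in _statements(trust_doc):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal") or {}
        for arn in _as_list(principal.get("AWS") if isinstance(principal, dict) else principal):
            parts = arn.split(":")          # arn:aws:iam::123456789012:root -> account at index 4
            account = parts[4] if len(parts) > 4 else arn
            if account != own_account:
                found.add(account)
    return sorted(found)


def classify(event):
    """Return (severity, reason) for a permission-grant event, or None for anything else."""
    name = event.get("eventName")
    if event.get("eventSource") != "iam.amazonaws.com" or event.get("errorCode"):
        return None  # non-IAM calls and denied attempts are not grants
    params = event.get("requestParameters") or {}
    actor = (event.get("userIdentity") or {}).get("userName")
    target = params.get("userName") or params.get("roleName") or params.get("groupName")
    self_grant = " (self-grant)" if actor and actor == target else ""
    if name in ATTACH_EVENTS:
        sev = "high" if params.get("policyArn") == ADMIN_POLICY_ARN else "low"
        return (sev, f"{name}: {params.get('policyArn')} attached to {target}{self_grant}")
    if name in INLINE_EVENTS:
        doc = json.loads(params.get("policyDocument") or "{}")
        where = target or params.get("policyArn")
        if grants_full_admin(doc):
            # A new policy version only takes effect once it is the default version.
            sev = "medium" if name == "CreatePolicyVersion" and not params.get("setAsDefault") else "high"
            return (sev, f"{name}: wildcard Allow written to {where}{self_grant}")
        return ("low", f"{name}: policy changed on {where}{self_grant}")
    if name == "UpdateAssumeRolePolicy":
        ext = external_accounts(json.loads(params.get("policyDocument") or "{}"),
                                event.get("recipientAccountId"))
        if ext:
            return ("high", f"{name}: role {target} assumable from external {', '.join(ext)}")
        return ("low", f"{name}: trust policy changed on {target}")
    if name == "AddUserToGroup":
        return ("medium", f"{name}: {params.get('userName')} added to group {params.get('groupName')}")
    return None


def scan(events):
    """Run classify() over a batch of records; returns [(eventID, severity, reason), ...]."""
    return [(ev.get("eventID"),) + hit for ev in events if (hit := classify(ev))]


def _record(event_id, name, actor, params, error=None):
    """Minimal CloudTrail-shaped record, constructed for this example."""
    rec = {"eventID": event_id, "eventSource": "iam.amazonaws.com", "eventName": name,
           "recipientAccountId": "111111111111",
           "userIdentity": {"type": "IAMUser", "userName": actor}, "requestParameters": params}
    if error:
        rec["errorCode"] = error
    return rec


WILDCARD = json.dumps({"Version": "2012-10-17",
                       "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})
EXTERNAL_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
                             "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
                             "Action": "sts:AssumeRole"}]})

SAMPLE_EVENTS = [  # constructed sample telemetry
    _record("e1", "AttachUserPolicy", "svc-deploy", {"userName": "svc-deploy", "policyArn": ADMIN_POLICY_ARN}),
    _record("e2", "CreatePolicyVersion", "svc-deploy", {"policyArn": "arn:aws:iam::111111111111:policy/deploy",
                                                        "policyDocument": WILDCARD, "setAsDefault": True}),
    _record("e3", "UpdateAssumeRolePolicy", "svc-deploy", {"roleName": "ops-admin", "policyDocument": EXTERNAL_TRUST}),
    _record("e4", "AttachRolePolicy", "alice", {"roleName": "reporting", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}),
    _record("e5", "AttachUserPolicy", "bob", {"userName": "bob", "policyArn": ADMIN_POLICY_ARN}, error="AccessDenied"),
    {"eventID": "e6", "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "requestParameters": {}},
]

if __name__ == "__main__":
    for event_id, severity, reason in scan(SAMPLE_EVENTS):
        print(f"{event_id} [{severity}] {reason}")
```

Denied attempts are deliberately excluded from the grant findings: they are a reconnaissance signal worth its own rule, but they did not change anyone's permissions. The self-grant flag and the external-account check correspond to the two patterns the technique text singles out, a compromised principal widening its own rights and a role made assumable from a tenant the victim does not own; when tuning against real telemetry, expect the low-severity attach and inline-policy events to be dominated by legitimate IaC pipelines and baseline them by actor.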
DCV maps 6 cloud-native detections to T1098.003 across 2 cloud providers, drawn from AWS GuardDuty, Azure Regulatory Compliance and Microsoft Defender for Cloud.
T1098.003 is part of MITRE ATT&CK TA0003 Persistence: How adversaries keep their foothold across reboots and credential rotations.
CloudSigma ships 3 validated Sigma rules for T1098.003 across AWS CloudTrail, Azure Activity and GCP Audit Logs. Each rule is validated against its source SIEM dialect before publication.