T1136.003 is persistence by creating a fresh cloud identity: a new IAM user, service principal or service account the attacker controls outside the victim's joiner-leaver process. Created accounts survive the password resets that evict the original foothold. DCV watches the GCP side through Security Command Center's IAM_CUSTOM_ROLE_CREATED finding and pairs Azure CIS guest-user review controls with MFA enforcement checks from AWS Config. A new principal followed by immediate credential issuance is the high-fidelity combination worth paging on.
Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.
In addition to user accounts, cloud accounts may be associated with services. Cloud providers handle the concept of service accounts in different ways. In Azure, service accounts include service principals and managed identities, which can be linked to various resources such as OAuth applications, serverless functions, and virtual machines in order to grant those resources permissions to perform various activities in the environment. In GCP, service accounts can also be linked to specific resources, as well as be impersonated by other accounts for Temporary Elevated Cloud Access. While AWS has no specific concept of service accounts, resources can be directly granted permission to assume roles.
Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.
Once an adversary has created a cloud account, they can then manipulate that account to ensure persistence and allow access to additional resources, for example by adding Additional Cloud Credentials or assigning Additional Cloud Roles.
Platforms: IaaS, SaaS, Office Suite, Identity Provider.
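The "new principal followed by immediate credential issuance" pairing described above is the kind of correlation a detection engineer would write over CloudTrail-style IAM events. The following is an added example, not DCV's or CloudSigma's own rule logic: it scans a small set of constructed CloudTrail-like records (not real telemetry), remembers each successful CreateUser, and raises an alert only when CreateAccessKey or CreateLoginProfile for the same user lands within a short window. The window length, field names and sample ARNs are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed CloudTrail-style events (not real telemetry). The first pair is
# the suspicious pattern: a user is created and an access key is issued two
# minutes later. The second pair looks like a normal joiner flow: the login
# profile arrives the next day, outside the correlation window. The last
# event is a failed CreateUser, which must not seed a later alert.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops-admin"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops-admin"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2024-05-01T11:30:00Z", "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/hr-onboarding"},
     "requestParameters": {"userName": "jdoe"}},
    {"eventTime": "2024-05-02T09:00:00Z", "eventName": "CreateLoginProfile",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/hr-onboarding"},
     "requestParameters": {"userName": "jdoe"}},
    {"eventTime": "2024-05-01T12:00:00Z", "eventName": "CreateUser",
     "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/intern"},
     "requestParameters": {"userName": "ghost"}},
    {"eventTime": "2024-05-01T12:01:00Z", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/intern"},
     "requestParameters": {"userName": "ghost"}},
]

# IAM actions that hand a freshly created user a usable credential.
CREDENTIAL_EVENTS = {"CreateAccessKey", "CreateLoginProfile"}


def parse_time(stamp):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_create_then_credential(events, window=timedelta(minutes=15)):
    """Return one alert per credential event that follows a successful
    CreateUser for the same userName within `window`.

    Events are processed in time order regardless of input order, and any
    record carrying an errorCode is ignored because the API call failed.
    """
    created = {}   # userName -> (creation time, ARN of the creating principal)
    alerts = []
    for ev in sorted(events, key=lambda e: parse_time(e["eventTime"])):
        if "errorCode" in ev:
            continue
        name = ev.get("requestParameters", {}).get("userName")
        if not name:
            continue
        when = parse_time(ev["eventTime"])
        if ev["eventName"] == "CreateUser":
            created[name] = (when, ev["userIdentity"]["arn"])
        elif ev["eventName"] in CREDENTIAL_EVENTS and name in created:
            created_at, creator = created[name]
            if when - created_at <= window:
                alerts.append({
                    "user": name,
                    "creator": creator,
                    "credential_event": ev["eventName"],
                    "seconds_after_creation": int((when - created_at).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_create_then_credential(SAMPLE_EVENTS):
        print(alert)
```

Only `svc-backup` produces an alert: `jdoe` gets a login profile a day after creation, and the `ghost` access key never correlates because its CreateUser failed. Tuning the window is the main knob; a short window keeps the pairing high-fidelity, while a longer one starts to catch legitimate onboarding automation and should be paired with an allow-list of known provisioning principals.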
DCV maps 7 detections across 3 cloud providers to T1136.003. Coverage by source:
| Source | Cloud | Findings mapped | Avg confidence |
|---|---|---|---|
| AWS Config Rules | AWS | 4 | 0.50 |
| Azure Regulatory Compliance | Azure | 2 | 0.88 |
| GCP Security Command Center | GCP | 1 | 0.80 |
CloudSigma has coverage metadata for 7 T1136.003 rules across 3 platforms, but no public example rule clears the embed bar for this page yet. The linked platform page remains the canonical rule surface; this page will embed an example once a rule clears the public embed bar. In the meantime, generate a fresh starting-point rule in CloudSigma from the relevant advisory or threat-research input, then validate it against your local telemetry before enabling it in production.
DCV maps 7 cloud-native detections to T1136.003 across 3 cloud providers, drawn from AWS Config Rules, Azure Regulatory Compliance and GCP Security Command Center.
T1136.003 is part of MITRE ATT&CK TA0003 Persistence: how adversaries keep their foothold across reboots and credential rotations.
CloudSigma ships 3 validated Sigma rules for T1136.003 across AWS CloudTrail, Azure Activity and GCP Audit Logs. Each rule is validated against its source SIEM dialect before publication.