Account Manipulation: Additional Cloud Roles (T1098.003)

Tactics: Persistence, Privilege Escalation

An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments. With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).

Authoring guide

Patterns shared across the 107 rules under this technique: which fields they filter on, which specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (100 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

| Field | Rules | How | Sample values |
|---|---|---|---|
| aws::eventName | 29 | in 25, eq 4 | AttachGroupPolicy, AttachRolePolicy, AttachUserPolicy, PutGroupPolicy, PutRolePolicy |
| aws::errorCode | 28 | is_null 26, eq 1, is_not_null 1 | AccessDenied |
| data_stream.dataset | 27 | eq 27 | aws.cloudtrail, azure.auditlogs, google_workspace.admin, o365.audit, azure.activitylogs |
| EventType | 26 | eq 22, in 2, starts_with 1, wildcard 1 | AttachRolePolicy, AttachUserPolicy, group.privilege.grant, org.add_member, ASSIGN_ROLE |
| aws::errorMessage | 26 | is_null 26 | |
| Action | 22 | contains 22, starts_with 12 | dynamodb:create, kms:delete, cloudformation:, cloudformation:create, cloudformation:createstack |
| Condition | 22 | eq 20, is_null 2 | |
| Effect | 22 | eq 22 | Allow |
| Resource | 22 | eq 22 | * |
| event.outcome | 19 | eq 16, in 3 | success, Success |
| sourcetype | 19 | eq 19 | azure:monitor:aad, o365:management:activity |
| Provider_Name | 14 | eq 13, in 1 | iam.amazonaws.com, rolesanywhere.amazonaws.com, Exchange, OneDrive, SharePoint |
| operationName | 11 | eq 9, starts_with 2, contains 1 | Add member to role, Add app role assignment to service principal, Add member to role completed (PIM activation), Consent to application, MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE |
| EventID | 10 | eq 10 | Add member to role, Add member to role., ASSIGN_ROLE, Add member to role outside of PIM (permanent), Add user |
| Operation | 10 | eq 7, in 3 | Add member to role., Update application., Add app role assignment to service principal., Add eligible member to role., Add application. |

Top indicator values (308 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. A blank Corpus reach means the combination is specific to rules under this technique.

| Field | Kind | Value | Rules (here) | Corpus reach |
|---|---|---|---|---|
| Effect | eq | Allow | 22 | 27 |
| Resource | eq | * | 22 | 23 |
| event.outcome | eq | success | 16 | 251 |
| aws::eventName | in | AttachGroupPolicy | 14 | 17 |
| aws::eventName | in | AttachRolePolicy | 14 | 17 |
| aws::eventName | in | AttachUserPolicy | 14 | 17 |
| aws::eventName | in | CreatePolicy | 11 | 14 |
| aws::eventName | in | CreatePolicyVersion | 11 | 14 |
| aws::eventName | in | PutGroupPolicy | 11 | 12 |
| aws::eventName | in | PutRolePolicy | 11 | 12 |
| aws::eventName | in | PutUserPolicy | 11 | 12 |
| Action | contains | iam:passrole | 10 | 10 |
| Action | contains | kms:delete | 3 | 3 |
| Action | contains | cloudformation:createstack | 2 | 2 |
| Action | starts_with | iam: | 10 | 10 |
| sourcetype | eq | azure:monitor:aad | 10 | 47 |
| sourcetype | eq | o365:management:activity | 9 | 80 |
| data_stream.dataset | eq | aws.cloudtrail | 9 | 141 |
| data_stream.dataset | eq | azure.auditlogs | 4 | 20 |
| data_stream.dataset | eq | google_workspace.admin | 3 | 18 |
| data_stream.dataset | eq | o365.audit | 3 | 45 |
| Provider_Name | eq | iam.amazonaws.com | 8 | 25 |
| Workload | eq | AzureActiveDirectory | 7 | 31 |
| security_result.action | eq | ALLOW | 6 | 102 |
| aws::requestParameters | contains | policyarn=arn:aws:iam::aws:policy/administratoraccess | 3 | 3 |
| event.outcome | in | Success | 3 | 37 |
| event.outcome | in | success | 3 | 38 |
| operationName | eq | Add member to role | 3 | 3 |
| "{}.RequiredAppPermissions{}.EntitlementId" | eq | dc890d15-9560-4a4c-9b7f-a736ec74ec40 | 2 | 2 |
| "{}.ResourceAppId" | eq | 00000002-0000-0ff1-ce00-000000000000 | 2 | 2 |

Exclusions (4 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

| Field | Kind | Value | Rules excluding |
|---|---|---|---|
| aws::requestParameters | contains | sourcetype=aws_acm_pca | 1 |
| policyArn | contains | admin | 1 |
| policyArn | contains | fullaccess | 1 |
| policyArn | starts_with | arn:aws:iam::aws:policy/AdministratorAccess | 1 |
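The authoring guide's advice is to combine a broad indicator with a narrower one rather than alert on either alone. As an added example (not code from the catalog or from any vendor's rule), the Python below turns the AWS combination this page reports most often (aws::eventName in the policy-attachment set, aws::errorCode is_null, Provider_Name eq iam.amazonaws.com) into a runnable check, adds the narrower AdministratorAccess policyArn indicator on top, and keeps the denied-attempt variant (aws::errorCode eq AccessDenied) as a separate signal. It assumes raw CloudTrail JSON field names (eventName, eventSource, errorCode, requestParameters) behind the catalog's normalized names, and the events it runs over are constructed, not real logs.

```python
"""Added example (not from the catalog or any vendor rule): a minimal detector
that combines the indicators this page lists most often for T1098.003 on AWS
CloudTrail. Field names follow raw CloudTrail JSON (eventName, eventSource,
errorCode, requestParameters); the catalog's normalized names (aws::eventName,
aws::errorCode, Provider_Name, ...) map onto them. All events are constructed."""

# Event names the page reports as the most common `in` set for aws::eventName.
POLICY_CHANGE_EVENTS = {
    "AttachGroupPolicy", "AttachRolePolicy", "AttachUserPolicy",
    "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy",
    "CreatePolicy", "CreatePolicyVersion",
}

# Managed policy behind the page's aws::requestParameters indicator; that
# indicator is lowercased, so the comparison below is case-insensitive.
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def successful_policy_change(event: dict) -> bool:
    """Provider_Name eq iam.amazonaws.com AND aws::eventName in the set AND
    aws::errorCode is_null: the combination most rules on this page use."""
    return (
        event.get("eventSource") == "iam.amazonaws.com"
        and event.get("eventName") in POLICY_CHANGE_EVENTS
        and event.get("errorCode") is None
    )


def grants_admin_policy(event: dict) -> bool:
    """Narrower check: a successful change whose policyArn is the AWS-managed
    AdministratorAccess policy (corpus reach 3 on this page, so rarely noisy)."""
    params = event.get("requestParameters") or {}
    policy_arn = str(params.get("policyArn", ""))
    return successful_policy_change(event) and policy_arn.lower() == ADMIN_POLICY_ARN.lower()


def denied_policy_change(event: dict) -> bool:
    """Failed-attempt counterpart (aws::errorCode eq AccessDenied). The is_null
    filter above drops these on purpose; a separate rule wants them."""
    return (
        event.get("eventSource") == "iam.amazonaws.com"
        and event.get("eventName") in POLICY_CHANGE_EVENTS
        and event.get("errorCode") == "AccessDenied"
    )


def triage(events):
    """Label each event with the most specific rule it hits; events that hit
    nothing are left out. Returns {eventID: label}."""
    hits = {}
    for ev in events:
        if grants_admin_policy(ev):
            hits[ev["eventID"]] = "admin-policy-attached"
        elif successful_policy_change(ev):
            hits[ev["eventID"]] = "policy-changed"
        elif denied_policy_change(ev):
            hits[ev["eventID"]] = "policy-change-denied"
    return hits


# Constructed CloudTrail-style records (hypothetical principals and account id).
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "requestParameters": {"userName": "svc-build", "policyArn": ADMIN_POLICY_ARN}},
    {"eventID": "e2", "eventSource": "iam.amazonaws.com", "eventName": "PutRolePolicy",
     "requestParameters": {"roleName": "app-role", "policyName": "inline-s3-read"}},
    {"eventID": "e3", "eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "errorCode": "AccessDenied", "errorMessage": "User is not authorized",
     "requestParameters": {"roleName": "app-role", "policyArn": ADMIN_POLICY_ARN}},
    {"eventID": "e4", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/app-role"}},
    {"eventID": "e5", "eventSource": "iam.amazonaws.com", "eventName": "ListAttachedUserPolicies",
     "requestParameters": {"userName": "svc-build"}},
]

if __name__ == "__main__":
    for event_id, label in triage(SAMPLE_EVENTS).items():
        print(event_id, label)
```

Running it labels e1 as admin-policy-attached, e2 as policy-changed and e3 as policy-change-denied; the STS call and the read-only IAM list call produce nothing. The ordering in triage matters: the admin-policy check is evaluated first so that a match on the broad "successful policy change" combination does not mask the higher-confidence indicator, which mirrors the guide's point that a low-reach indicator layered on a high-reach one is what turns a noisy field into a usable alert.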

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Each rule's entry carries its full predicates, exclusions, and indicators.


- Sigma: 9 rules
- Elastic: 30 rules
- Splunk: 19 rules
- Kusto: 29 rules
- YARA-L: 9 rules
- Panther: 11 rules