Clankerusecase
MITRE ATT&CK detection coverage

T1078.004 Cloud Accounts

T1078.004 Cloud Accounts is a MITRE ATT&CK sub-technique of T1078 Valid Accounts: an adversary obtains and uses legitimate cloud credentials (user accounts, service principals, federated identities, long-lived keys) rather than exploiting a vulnerability. Because it is mapped to four tactics (Initial Access, Persistence, Privilege Escalation and Defense Evasion), it appears in the Defense Evasion column of the matrix as well as in three others. Clankerusecase tracks 66 detection use cases covering it and 18 threat-intel articles citing it.

Tactics: Defense Evasion · Persistence · Privilege Escalation · Initial Access
Use cases: 66
Articles: 18
Sub-techniques: 0
Tactics: 4

Use cases covering this technique (66)

Each entry is listed as: title [source · kill-chain phase · mode · tags]

Abnormal Security: login from new location [Internal · delivery · alerting · DD]
Auth0 impossible-travel sign-in [Internal · delivery · alerting · DD]
Impossible travel observed for IAM user [Internal · delivery · alerting · DDCW]
AWS root account activity (any action) [Internal · delivery · alerting · DDCW]
Azure AD brute-force login [Internal · delivery · alerting · DD]
Datadog suspicious login [Internal · delivery · alerting · DD]
GitHub PAT used from impossible-travel locations [Internal · delivery · alerting · DD]
Google Workspace service account modifying group membership [Internal · install · alerting · DD]
[WEEKLY] Edge-service post-exploitation chain: internet-facing daemon → child shell or token redemption within 10 min of external request [Internal · actions · alerting · DSPDD]
[WEEKLY] OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay [Internal · c2 · alerting · DSPDD]
[WEEKLY] Sub-admin grants Owner/Administrator role then grantee signs in from a different source within 60 minutes [Internal · exploit · alerting · DSPDDCW]
[WEEKLY] Vendor / Third-Party OAuth App or SP Sign-in From Unbaselined Egress Followed by Bulk SaaS Object Read [Internal · actions · alerting · DSPDD]
Okta Authentication Failed During MFA Challenge [ESCU · actions · alerting · P]
Okta Successful Single Factor Authentication [ESCU · actions · hunting · P]
Okta ThreatInsight Threat Detected [ESCU · actions · hunting · P]
ASL AWS Create Policy Version to allow all resources [ESCU · actions · alerting · P]
AWS Create Policy Version to allow all resources [ESCU · actions · alerting · P]
AWS SetDefaultPolicyVersion [ESCU · actions · alerting · P]
AWS Successful Single-Factor Authentication [ESCU · actions · alerting · P]
Azure AD Authentication Failed During MFA Challenge [ESCU · actions · alerting · P]
Azure AD Multiple Failed MFA Requests For User [ESCU · actions · alerting · P]
Azure AD Service Principal Authentication [ESCU · actions · alerting · P]
Azure AD Successful PowerShell Authentication [ESCU · actions · alerting · P]
Azure AD Successful Single-Factor Authentication [ESCU · actions · alerting · P]
Azure Runbook Webhook Created [ESCU · actions · alerting · P]
Cloud Compute Instance Created By Previously Unseen User [ESCU · actions · hunting · P]
Cloud Instance Modified By Previously Unseen User [ESCU · actions · hunting · P]
GCP Authentication Failed During MFA Challenge [ESCU · actions · alerting · P]
GCP Multiple Failed MFA Requests For User [ESCU · actions · alerting · P]
GCP Successful Single-Factor Authentication [ESCU · actions · alerting · P]
O365 Security And Compliance Alert Triggered [ESCU · actions · alerting · P]
Windows Entra User Management Via Azure CLI [ESCU · actions · hunting · P]
Abnormally High AWS Instances Launched by User [ESCU · actions · hunting · P]
Abnormally High AWS Instances Launched by User - MLTK [ESCU · actions · hunting · P]
Abnormally High AWS Instances Terminated by User [ESCU · actions · hunting · P]
Abnormally High AWS Instances Terminated by User - MLTK [ESCU · actions · hunting · P]
Abnormally High Number Of Cloud Infrastructure API Calls [ESCU · actions · hunting · P]
Abnormally High Number Of Cloud Instances Destroyed [ESCU · actions · hunting · P]
Abnormally High Number Of Cloud Instances Launched [ESCU · actions · hunting · P]
Abnormally High Number Of Cloud Security Group API Calls [ESCU · actions · hunting · P]
Detect AWS API Activities From Unapproved Accounts [ESCU · actions · hunting · P]
Detect new API calls from user roles [ESCU · actions · hunting · P]
Detect new user AWS Console Login [ESCU · actions · hunting · P]
Detect Spike in AWS API Activity [ESCU · actions · hunting · P]
Detect Spike in Security Group Activity [ESCU · actions · hunting · P]
EC2 Instance Modified With Previously Unseen User [ESCU · actions · hunting · P]
EC2 Instance Started With Previously Unseen User [ESCU · actions · hunting · P]
[LLM] OAuth consent grant to unfamiliar third-party AI / SaaS app — Vercel-style trust chain attack [Bespoke · delivery · hunting · DSΣDD]
[LLM] First-seen device/user authenticating to Tchap (tchap.gouv.fr) matrix endpoint [Bespoke · delivery · hunting · DSPDDCS]
[LLM] Suspicious commit pattern: '[skip ci]' with backdated timestamp adding only IDE config files [Bespoke · delivery · hunting · DSPDD]
[LLM] M365 / Entra sign-ins sourced from BRICKSTORM C2 IP 149.248.11.71 [Bespoke · c2 · hunting · DSΣPDDCS]
[LLM] Claude Code Read tool steered to cloud-credential files on GitHub Actions runner [Bespoke · exploit · alerting · DSΣPDDCS]
[LLM] Enterprise Gateway service account creates privileged / hostPath / RBAC-escalating pod (CVE-2026-44181 post-exploit) [Bespoke · actions · alerting · SΣPDDCW]
[LLM] Lateral movement via aws ssm send-command or kubectl exec spawned by python/node [Bespoke · actions · alerting · DSΣPDDCSCW]
[LLM] AWS IMDS (169.254.169.254) Hit from Developer / Non-EC2 Endpoint (Nx Console Credential Theft) [Bespoke · actions · hunting · DSPDDCS]
[LLM] praisonai-platform: POST /workspaces/*/members with role=owner (CVE-2026-47413) [Bespoke · exploit · hunting · DSΣPDD]
[LLM] AWS IAM role trust policy created with set-qualified operator on GitHub OIDC sub claim [Bespoke · install · alerting · ΣPDD]
[LLM] AssumeRoleWithWebIdentity from GitHub OIDC with unexpected repo/branch sub claim [Bespoke · exploit · hunting · PDD]
[LLM] AWS SSM SendCommand Fan-out from EC2 Instance Role (TeamPCP Worm Propagation) [Bespoke · actions · hunting · PDD]
[LLM] Mini Shai-Hulud dead-drop git commit authored as claude@users.noreply.github.com [Bespoke · actions · alerting · DSΣPDDCS]
[LLM] Shai-Hulud preinstall: node/npm spawning git/curl/gh pushing to attacker repo or GitHub API [Bespoke · actions · hunting · DSPDDCS]
[LLM] Kubernetes privileged-pod DaemonSet fan-out from compromised LiteLLM workload [Bespoke · actions · hunting · SPDD]
[LLM] ServiceNow Virtual Agent Invocation of Hidden AIA-Agent Invoker AutoChat Topic (CVE-2025-12420) [Bespoke · exploit · alerting · DSPDDCS]
[LLM] Sha1-Hulud self-hosted GitHub Actions runner deployed under ~/.dev-env (SHA1HULUD) [Bespoke · install · alerting · DSΣPDDCS]
[LLM] Bun/Node initiating multi-cloud secret-manager enumeration burst (Sha1-Hulud aL0 harvest) [Bespoke · actions · alerting · DSPDDCS]
[LLM] Cloud metadata service (IMDS) access from npm / node child process [Bespoke · actions · alerting · DSPDDCS]
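Two of the use cases above (the IAM trust policy created with a set-qualified operator on the GitHub OIDC sub claim, and AssumeRoleWithWebIdentity with an unexpected repo/branch sub claim) describe the same federated-identity weakness from the preventive and the detective side. The example below is added here to show both checks in working code; it is not Clankerusecase's own rule logic. It assumes the standard GitHub OIDC claim layout (`repo:<org>/<repo>:ref:refs/heads/<branch>` or `repo:<org>/<repo>:pull_request`) and the CloudTrail `WebIdentityUser` record layout (`userIdentity.userName` carrying the token's `sub`); the policies and CloudTrail records are constructed samples, and the account ID, role and repository names are placeholders.

```python
import fnmatch

GITHUB_OIDC = "token.actions.githubusercontent.com"
SUB_KEY = f"{GITHUB_OIDC}:sub"
AUD_KEY = f"{GITHUB_OIDC}:aud"

# Constructed trust policies (hypothetical account/role/repo names).
# Weak form: set-qualified operator, wildcard in the repository component, no audience pin.
# ForAllValues:* on a single-valued claim is a known footgun: it evaluates true when the
# claim is absent from the request context, and "repo:acme/*" lets any repo in the org assume the role.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"ForAllValues:StringLike": {SUB_KEY: "repo:acme/*"}},
    }],
}
# Hardened form: exact match on one repo + one ref, audience pinned to STS.
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            SUB_KEY: "repo:acme/deploy:ref:refs/heads/main",
            AUD_KEY: "sts.amazonaws.com",
        }},
    }],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def audit_trust_policy(policy: dict) -> list[str]:
    """Return findings for Allow statements that federate to GitHub OIDC more broadly
    than one repository on one pinned audience."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        cond = stmt.get("Condition", {})
        sub_checks = [(op, pat) for op, kv in cond.items()
                      for key, val in kv.items() if key == SUB_KEY
                      for pat in _as_list(val)]
        if not sub_checks:
            findings.append(f"stmt {i}: no condition on {SUB_KEY}; any GitHub workflow can assume the role")
        for op, pat in sub_checks:
            if op.startswith(("ForAllValues:", "ForAnyValue:")):
                findings.append(f"stmt {i}: set-qualified operator {op} on single-valued sub claim "
                                "(ForAllValues matches when the claim is absent)")
            if not pat.startswith("repo:"):
                findings.append(f"stmt {i}: sub pattern {pat!r} does not pin a repository")
                continue
            repo = pat[len("repo:"):].split(":", 1)[0]  # "<org>/<repo>" component only
            if op.endswith("StringLike") and any(c in repo for c in "*?"):
                findings.append(f"stmt {i}: wildcard in repository component of {pat!r}")
        if not any(AUD_KEY in kv for kv in cond.values()):
            findings.append(f"stmt {i}: no {AUD_KEY} condition; token audience not pinned to sts.amazonaws.com")
    return findings


# Constructed CloudTrail records approximating the WebIdentityUser layout; only the fields
# the detection reads are included.
def _ct(event_id, event_name, ident_type, sub):
    return {
        "eventID": event_id, "eventSource": "sts.amazonaws.com", "eventName": event_name,
        "userIdentity": {"type": ident_type, "userName": sub,
                         "identityProvider": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC}"},
        "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/deploy"},
    }

SAMPLE_CLOUDTRAIL = [
    _ct("e1", "AssumeRoleWithWebIdentity", "WebIdentityUser", "repo:acme/deploy:ref:refs/heads/main"),
    _ct("e2", "AssumeRoleWithWebIdentity", "WebIdentityUser", "repo:acme/deploy:pull_request"),  # PR context, possibly a fork
    _ct("e3", "AssumeRoleWithWebIdentity", "WebIdentityUser", "repo:mallory/deploy:ref:refs/heads/main"),  # same repo name, other org
    _ct("e4", "AssumeRole", "AssumedRole", "deploy-session"),  # not web identity; ignored
]
ALLOWED_SUBS = ["repo:acme/deploy:ref:refs/heads/main"]  # glob patterns, matched case-sensitively


def flag_unexpected_web_identity(records: list[dict], allowed_subs: list[str]) -> list[tuple[str, str]]:
    """Return (eventID, sub) for GitHub-OIDC AssumeRoleWithWebIdentity calls whose sub is not allow-listed."""
    flagged = []
    for rec in records:
        if rec.get("eventName") != "AssumeRoleWithWebIdentity":
            continue
        ident = rec.get("userIdentity", {})
        if ident.get("type") != "WebIdentityUser" or GITHUB_OIDC not in ident.get("identityProvider", ""):
            continue
        sub = ident.get("userName", "")
        if not any(fnmatch.fnmatchcase(sub, pat) for pat in allowed_subs):
            flagged.append((rec["eventID"], sub))
    return flagged


if __name__ == "__main__":
    for f in audit_trust_policy(WEAK_TRUST_POLICY):
        print("finding:", f)
    for event_id, sub in flag_unexpected_web_identity(SAMPLE_CLOUDTRAIL, ALLOWED_SUBS):
        print("unexpected sub:", event_id, sub)
```

The allow-list in the detective check should be derived from the hardened trust policies themselves (the `sub` values they pin), so that the two checks cannot drift apart; a sub that passes the CloudTrail check but would be rejected by `audit_trust_policy` indicates a role whose trust policy was loosened after the baseline was taken.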

Articles citing this technique (18)