T1098.001 Additional Cloud Credentials
T1098.001 — Additional Cloud Credentials is a MITRE ATT&CK technique in the Persistence tactic. Clankerusecase tracks 8 detection use cases covering it and 79 threat-intel articles citing it.
Persistence · Privilege Escalation
8 Use cases
79 Articles
0 Sub-techniques
2 Tactics
↑ Parent technique: T1098 · Account Manipulation
Use cases covering this technique (8)
OAuth consent / suspicious app grant
[WEEKLY] OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay
[WEEKLY] Sub-admin grants Owner/Administrator role then grantee signs in from a different source within 60 minutes
Azure AD Service Principal New Client Credentials
O365 Service Principal New Client Credentials
[LLM] Budibase: API key minted via /api/global/self/api_key then /api/public/v1/roles/assign within 5m
[LLM] nebula-mesh CVE-2026-47724 — cross-tenant host identity hijack via /hosts/{id}/reenroll → /enroll chain
[LLM] Shadow Credentials: msDS-KeyCredentialLink attribute modification
Articles citing this technique (79)
crit ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities art-37
crit Researchers Build Self-Replicating AI Worm That Operates Entirely on Local, Open-Weight Models art-87
high Miasma supply chain attack: malicious code found in @redhat-cloud-services npm packages art-159
crit The AntV Supply Chain Campaign Expands: Microsoft's `durabletask` PyPI Package Compromised art-248
high Microsoft's durabletask package on PyPi Compromised. Mini Shai Hulud attacks again... again! art-254
high "A Mini Shai-Hulud Has Appeared": Bun-Based Stealer Hits SAP @cap-js and mbt npm Packages art-348
high Malicious Release of elementary-data PyPI Package Steals Cloud Credentials from Data Engineers art-352