Clankerusecase
MITRE ATT&CK detection coverage
 ← Back to main site
Home/ MITRE Matrix/ Persistence/ T1098.003

T1098.003Additional Cloud Roles

T1098.003 — Additional Cloud Roles is a MITRE ATT&CK technique in the Persistence tactic. Clankerusecase tracks 22 detection use cases covering it and 1 threat-intel article citing it.

PersistencePrivilege Escalation
View on the matrix → Filter Detection Library MITRE official spec ↗
22Use cases
1Articles
0Sub-techniques
2Tactics
↑ Parent technique: T1098 · Account Manipulation

Use cases covering this technique (22)

AWS IAM policy created / updated / version changed Internal install · alerting DDCW Google Workspace admin role assigned to user Internal install · alerting DD Azure AD Admin Consent Bypassed by Service Principal ESCU actions · alerting P Azure AD Application Administrator Role Assigned ESCU actions · alerting P Azure AD FullAccessAsApp Permission Assigned ESCU actions · alerting P Azure AD Global Administrator Role Assigned ESCU actions · alerting P Azure AD PIM Role Assigned ESCU actions · alerting P Azure AD PIM Role Assignment Activated ESCU actions · alerting P Azure AD Privileged Role Assigned ESCU actions · alerting P Azure AD Privileged Role Assigned to Service Principal ESCU actions · alerting P Azure AD Service Principal Privilege Escalation ESCU actions · alerting P Azure AD Tenant Wide Admin Consent Granted ESCU actions · alerting P O365 Admin Consent Bypassed by Service Principal ESCU actions · alerting P O365 Application Available To Other Tenants ESCU actions · alerting P O365 FullAccessAsApp Permission Assigned ESCU actions · alerting P O365 High Privilege Role Granted ESCU actions · alerting P O365 Mailbox Read Access Granted to Application ESCU actions · alerting P O365 Privileged Role Assigned ESCU actions · alerting P O365 Privileged Role Assigned To Service Principal ESCU actions · alerting P O365 Service Principal Privilege Escalation ESCU actions · alerting P O365 Tenant Wide Admin Consent Granted ESCU actions · alerting P [LLM] AWS IAM role trust policy created with set-qualified operator on GitHub OIDC sub claim Bespoke install · alerting ΣPDD

Articles citing this technique (1)

crit [GHSA / CRITICAL] GHSA-q2f7-m237-v562: @hulumi/policies: GitHub OIDC trust policy bypass via AWS set-qualified condition operators art-226