Clankerusecase
MITRE ATT&CK detection coverage
 ← Back to main site
Home/ MITRE Matrix/ Persistence/ T1136.003

T1136.003Cloud Account

T1136.003 — Cloud Account is a MITRE ATT&CK technique in the Persistence tactic. Clankerusecase tracks 24 detection use cases covering it and 2 threat-intel articles citing it.

Persistence
View on the matrix → Filter Detection Library MITRE official spec ↗
24Use cases
2Articles
0Sub-techniques
1Tactic
↑ Parent technique: T1136 · Create Account

Use cases covering this technique (24)

AWS access key created (programmatic credential) Internal actions · alerting DDCW GCP service-account key created Internal actions · alerting DD ASL AWS Create Access Key ESCU actions · hunting P ASL AWS UpdateLoginProfile ESCU actions · alerting P AWS CreateAccessKey ESCU actions · hunting P AWS CreateLoginProfile ESCU actions · alerting P AWS UpdateLoginProfile ESCU actions · alerting P Azure AD External Guest User Invited ESCU actions · alerting P Azure AD Multiple Service Principals Created by SP ESCU actions · hunting P Azure AD Multiple Service Principals Created by User ESCU actions · hunting P Azure AD Service Principal Created ESCU actions · alerting P Azure Automation Account Created ESCU actions · alerting P Azure Automation Runbook Created ESCU actions · alerting P O365 Add App Role Assignment Grant User ESCU actions · alerting P O365 Added Service Principal ESCU actions · alerting P O365 External Guest User Invited ESCU actions · alerting P O365 External Identity Policy Changed ESCU actions · alerting P O365 Multiple Service Principals Created by SP ESCU actions · hunting P O365 Multiple Service Principals Created by User ESCU actions · hunting P O365 New Federated Domain Added ESCU actions · alerting P O365 SharePoint Allowed Domains Policy Changed ESCU actions · alerting P Windows Azure PowerShell Module Installation Via PowerShell Script ESCU actions · hunting P [LLM] praisonai-platform CVE-2026-47416: Member self-promotion + legitimate-owner demotion chain within one hour Bespoke install · hunting SPDD [LLM] ServiceNow Virtual Agent Invocation of Hidden AIA-Agent Invoker AutoChat Topic (CVE-2025-12420) Bespoke exploit · alerting DSPDDCS

Articles citing this technique (2)

crit [GHSA / CRITICAL] CVE-2026-47416: praisonai-platform: Any workspace member can promote themselves or others to owner via PATCH /workspaces/{ art-162
high ServiceNow's Virtual Agent Vulnerability Shows Why AI Security Needs Traditional AppSec Foundations art-624