T1078.004 CrowdStrike LogScale · LogScale

Detect Cloud Accounts in CrowdStrike LogScale

Valid cloud accounts may be leveraged by adversaries to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion in cloud environments. Adversaries may obtain cloud credentials through phishing, brute force, credential theft from endpoints, or by compromising on-premises identity infrastructure federated with cloud services. Once in possession of valid credentials, adversaries can authenticate to cloud management planes (Azure, AWS, GCP), SaaS applications (Microsoft 365, Google Workspace), or identity providers (Entra ID, Okta) and operate as legitimate users. Techniques include abusing service principals, managed identities, OAuth tokens, and API keys to maintain persistence and move laterally across cloud resources.

MITRE ATT&CK

Tactic
Defense Evasion Persistence Privilege Escalation Initial Access
Technique
T1078 Valid Accounts
Sub-technique
T1078.004 Cloud Accounts
Canonical reference
https://attack.mitre.org/techniques/T1078/004/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
// CrowdStrike Falcon Identity Protection - Cloud Account Suspicious Sign-in
// Targets Azure AD / Entra ID events ingested via Falcon Identity connector
#event_simpleName = /IdpSso|SsoApplicationAccess|CloudAccountLogin|OAuthTokenCreated/i
| TargetUserName != ""
| ResultCode = "0" OR AuthStatus = /success/i
| isLegacyAuth := regex("(?i)(imap|pop3|smtp auth|basicauth|exchange.?activesync|autodiscover|exchange.?web.?services|authenticated.?smtp|outlook.?anywhere)", field=ClientAppUsed, strict=false)
| isSuspiciousCountry := CountryCode in ["KP", "IR", "RU", "CN", "BY"]
| isHighRisk := RiskLevel in ["high", "medium"]
| isMFABypassed := AuthenticationRequirement = "singleFactorAuthentication" AND ConditionalAccessStatus != "notApplied"
| isLegacyAuth = true OR isSuspiciousCountry = true OR isHighRisk = true OR isMFABypassed = true
| riskScore := if(isLegacyAuth, 1, 0) + if(isSuspiciousCountry, 1, 0) + if(isHighRisk, 1, 0) + if(isMFABypassed, 1, 0)
| riskFactors := format("%s%s%s%s",
    if(isLegacyAuth, "LegacyAuth ", ""),
    if(isSuspiciousCountry, format("SuspiciousCountry:%s ", CountryCode), ""),
    if(isHighRisk, format("HighRisk:%s ", RiskLevel), ""),
    if(isMFABypassed, "MFABypassed", "")
  )
| table([_time, TargetUserName, SourceIPAddress, CountryCode, ClientAppUsed, RiskLevel, AuthenticationRequirement, ConditionalAccessStatus, riskScore, riskFactors])
| sort(field=_time, order=desc)
high severity low confidence

CrowdStrike LogScale CQL query for Falcon Identity Protection events targeting cloud account sign-in anomalies. Matches Falcon Identity Connector events from Azure AD / Entra ID ingested via CrowdStrike's identity telemetry pipeline. Detects legacy auth protocol fingerprints, high-risk country logins, elevated risk-level classifications from the identity provider, and MFA bypass patterns. Field names (TargetUserName, CountryCode, ClientAppUsed, RiskLevel, AuthenticationRequirement, ConditionalAccessStatus) reflect the Falcon Identity Protection Azure AD event schema — adjust to match your specific FDR field mappings and parser configuration, as these vary by tenant and connector version.

Data Sources

CrowdStrike Falcon Identity ProtectionFalcon Data Replicator (FDR) Azure AD connector events

Required Tables

#event_simpleName: IdpSso, SsoApplicationAccess, CloudAccountLogin, OAuthTokenCreated

False Positives & Tuning

  • IAM team test accounts used for Entra ID conditional access policy validation and Falcon Identity connector health checks that intentionally trigger sign-in anomalies
  • Cloud workloads using managed identities or service principals that acquire tokens via single-factor flows as part of the approved application architecture with no MFA requirement by design
  • Users whose identity risk score elevates due to shared corporate egress IP reputation changes affecting many users simultaneously, causing bulk false positive alerts
Download portable Sigma rule (.yml)

Other platforms for T1078.004

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Azure CLI Authentication with Compromised Credentials

    Expected signal: Entra ID SigninLogs: successful interactive sign-in with AppDisplayName='Microsoft Azure CLI', DeviceDetail showing unregistered device, IPAddress of test machine. AuditLogs may show directory read operations. Risk signals may trigger if this is a new location or device for the account.

  2. Test 2Service Principal Authentication and Enumeration

    Expected signal: AADServicePrincipalSignInLogs: service principal authentication event with IPAddress, ResourceDisplayName, and AppId. AuditLogs: directory read operations. If run from a new IP, this will appear as an anomalous source for the service principal.

  3. Test 3Legacy Authentication Simulation via SMTP Basic Auth

    Expected signal: Entra ID SigninLogs: sign-in attempt with ClientAppUsed='Authenticated SMTP' or 'SMTP Auth', Protocol='SMTP', IsInteractive=false. The sign-in will be flagged as legacy authentication. If successful, ResultType=0; if legacy auth is blocked by CA policy, ResultType will reflect the block.

  4. Test 4Impossible Travel Simulation via Azure Resource Manager API

    Expected signal: Two sign-in events in SigninLogs from different IP addresses and geolocations for the same account within a short time window. Entra ID Identity Protection may generate an 'Impossible travel' or 'Unfamiliar sign-in properties' risk detection (AADUserRiskEvents). The second sign-in will have a different CountryOrRegion in LocationDetails.

  5. Test 5Add Credentials to Existing Service Principal (Persistence)

    Expected signal: AuditLogs: OperationName='Add service principal credentials' or 'Update application – Certificates and secrets management' with the initiating user's UPN, source IP, and target service principal name and ID. This is the exact pattern hunted by the Service Principal Credential Addition hunting query.

Last updated: 2026-04-13 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1078.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1078Valid Accounts

Related Sub-techniques

T1078.001Default AccountsT1078.002Domain AccountsT1078.003Local Accounts

Related Techniques

T1078Valid AccountsT1110Brute ForceT1110.003Password SprayingT1566PhishingT1566.002Spearphishing LinkT1098.001Additional Cloud CredentialsT1528Steal Application Access TokenT1548.005Temporary Elevated Cloud AccessT1021Remote ServicesT1530Data from Cloud StorageT1059.009Cloud API

Same Tactic: Defense Evasion

Popular Detections