Additional Cloud Roles
An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments. With sufficient permissions, a compromised account can gain almost unlimited access to data and settings, including the ability to reset the passwords of other admins. This account modification may immediately follow account creation or other malicious account activity. Adversaries may also modify existing valid accounts that they have compromised, potentially leading to privilege escalation and lateral movement to additional accounts. In some cases, adversaries may add roles to adversary-controlled accounts outside the victim cloud tenant, allowing external accounts to perform actions inside the victim tenant. Threat groups such as Scattered Spider, LAPSUS$, and Storm-0501 have used this technique to gain persistent administrative access to cloud environments.
// T1098.003 - Additional Cloud Roles Detection
// Covers Entra ID (formerly Azure AD) directory role assignments, including PIM,
// plus Azure RBAC role assignments and elevate-access at subscription/resource scope.
let LookBack = 24h;
// Directory roles (Entra ID) and RBAC roles (Azure) that warrant immediate triage.
let HighPrivilegeRoles = dynamic([
    "Global Administrator", "Company Administrator",
    "Privileged Role Administrator", "Security Administrator",
    "Exchange Administrator", "SharePoint Administrator",
    "Hybrid Identity Administrator", "Application Administrator",
    "Cloud Application Administrator", "Authentication Administrator",
    "Privileged Authentication Administrator",
    "User Access Administrator", "Owner", "Contributor"
]);
// Entra ID audit operations that grant a directory role (active, eligible, or PIM-activated).
// has_any also matches the longer PIM variants such as
// "Add member to role in PIM requested (timebound)".
let SensitiveOperations = dynamic([
    "Add member to role",
    "Add eligible member to role",
    "Add member to role in PIM requested",
    "Add member to role completed (PIM activation)",
    "Assign directory role to user"
]);
union
(
    // Entra ID directory role assignments via AuditLogs
    AuditLogs
    | where TimeGenerated > ago(LookBack)
    | where OperationName has_any (SensitiveOperations)
    | extend TargetUser = tostring(TargetResources[0].userPrincipalName)
    | extend TargetObjectId = tostring(TargetResources[0].id)
    // The role name is the modifiedProperties entry whose displayName is "Role.DisplayName";
    // it is not at a fixed index (Role.ObjectID usually comes first) and newValue is a
    // JSON-encoded string carrying its own quotes, hence the trim.
    | mv-apply Prop = TargetResources[0].modifiedProperties on (
        // summarize keeps the event even when the property is absent (RoleName becomes null)
        summarize RoleName = take_anyif(trim('"', tostring(Prop.newValue)),
                                        tostring(Prop.displayName) == "Role.DisplayName")
    )
    | extend InitiatedByUser = tostring(InitiatedBy.user.userPrincipalName)
    | extend InitiatedByApp = tostring(InitiatedBy.app.displayName)
    | extend InitiatedByIPAddress = tostring(InitiatedBy.user.ipAddress)
    | extend IsHighPrivilege = RoleName has_any (HighPrivilegeRoles)
    | project
        TimeGenerated,
        OperationName,
        TargetUser,
        TargetObjectId,
        RoleName,
        InitiatedByUser,
        InitiatedByApp,
        InitiatedByIPAddress,
        IsHighPrivilege,
        Result,
        CorrelationId,
        Category,
        Source = "AuditLogs"
),
(
    // Azure Activity Log - RBAC role assignments, custom role definitions and
    // Global Administrator elevate-access at subscription/resource level
    AzureActivity
    | where TimeGenerated > ago(LookBack)
    | where OperationNameValue in~ (
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/elevateAccess/action",
        "Microsoft.Authorization/roleDefinitions/write"
    )
    // Each operation is logged as a Start record followed by a completion record;
    // keep only the successful completions to avoid double counting.
    | where ActivityStatusValue in~ ("Success", "Succeeded")
    | extend InitiatedByUser = tostring(Caller)
    | extend TargetResource = ResourceId
    | project
        TimeGenerated,
        OperationNameValue,
        InitiatedByUser,
        TargetResource,
        SubscriptionId,
        ResourceGroup,
        CallerIpAddress,
        ActivityStatusValue,
        Source = "AzureActivity"
)
| sort by TimeGenerated desc
Data Sources
- User Account: User Account Modification
Required Tables
- AuditLogs (Entra ID audit logs exported to Log Analytics / Microsoft Sentinel)
- AzureActivity (Azure Activity Log exported to Log Analytics / Microsoft Sentinel)
False Positives
- Legitimate IT administrators assigning roles as part of onboarding new employees or service accounts during approved change windows
- Privileged Identity Management (PIM) activations by authorized users performing time-bound role elevations for maintenance tasks
- Automated infrastructure provisioning pipelines (Terraform, Bicep, ARM templates) that assign roles as part of resource deployment
- Help desk or identity governance processes granting temporary access to resolve user issues under a ticketed change request
- Hybrid identity tooling: installing or upgrading Entra Connect (Azure AD Connect) grants its cloud synchronization account the Directory Synchronization Accounts role, which surfaces as a role assignment; routine synchronization itself does not modify directory role membership
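The introduction notes that the role grant often follows account creation by minutes and may land on an account outside the victim tenant. The hunting query below is an added example, not part of the original detection content: it correlates an "Add user" event with a directory role grant to the same object within a two-hour window, measures the gap, and flags guest (#EXT#) targets. The SampleAudit rows are constructed to mimic AuditLogs records (the tenant names, object IDs and IP addresses are invented); replace SampleAudit with AuditLogs to run it against real data.

```kql
// Added example: create-then-elevate correlation for T1098.003.
// Sample events are constructed; swap SampleAudit for AuditLogs in production.
let Window = 2h;
let SampleAudit = datatable(TimeGenerated:datetime, OperationName:string, Result:string,
                            InitiatedBy:dynamic, TargetResources:dynamic) [
    // Routine onboarding: account created, no role granted within the window.
    datetime(2024-05-01T09:00:00Z), "Add user", "success",
        dynamic({"user":{"userPrincipalName":"hr-admin@contoso.example","ipAddress":"203.0.113.7"}}),
        dynamic([{"id":"a1b2c3d4-0000-0000-0000-000000000001","userPrincipalName":"new.hire@contoso.example","modifiedProperties":[]}]),
    // Suspicious: guest account created, then made Global Administrator three minutes later by the same actor.
    datetime(2024-05-01T13:02:00Z), "Add user", "success",
        dynamic({"user":{"userPrincipalName":"it-admin@contoso.example","ipAddress":"198.51.100.23"}}),
        dynamic([{"id":"a1b2c3d4-0000-0000-0000-000000000002","userPrincipalName":"ops_mailbox.example#EXT#@contoso.onmicrosoft.com","modifiedProperties":[]}]),
    datetime(2024-05-01T13:05:00Z), "Add member to role", "success",
        dynamic({"user":{"userPrincipalName":"it-admin@contoso.example","ipAddress":"198.51.100.23"}}),
        dynamic([{"id":"a1b2c3d4-0000-0000-0000-000000000002","userPrincipalName":"ops_mailbox.example#EXT#@contoso.onmicrosoft.com","modifiedProperties":[{"displayName":"Role.ObjectID","oldValue":null,"newValue":"\"f0e1d2c3-0000-0000-0000-0000000000aa\""},{"displayName":"Role.DisplayName","oldValue":null,"newValue":"\"Global Administrator\""}]}]),
    // Role grant to a long-standing account: no creation event in the window, so not reported here.
    datetime(2024-05-01T15:00:00Z), "Add member to role", "success",
        dynamic({"user":{"userPrincipalName":"it-admin@contoso.example","ipAddress":"203.0.113.7"}}),
        dynamic([{"id":"a1b2c3d4-0000-0000-0000-000000000003","userPrincipalName":"jdoe@contoso.example","modifiedProperties":[{"displayName":"Role.DisplayName","oldValue":null,"newValue":"\"Exchange Administrator\""}]}])
];
// Account creations, keyed on the new object's ID (UPNs can be renamed, object IDs cannot).
let Created = SampleAudit
    | where OperationName == "Add user" and Result == "success"
    | project CreatedAt = TimeGenerated,
              TargetObjectId = tostring(TargetResources[0].id),
              CreatedBy = tostring(InitiatedBy.user.userPrincipalName),
              CreatorIp = tostring(InitiatedBy.user.ipAddress);
// Directory role grants (active or eligible), with the role name pulled from modifiedProperties.
let RoleGrants = SampleAudit
    | where OperationName has_any ("Add member to role", "Add eligible member to role")
    | where Result == "success"
    | extend TargetObjectId = tostring(TargetResources[0].id),
             TargetUser = tostring(TargetResources[0].userPrincipalName)
    // Role.DisplayName is not at a fixed index and its newValue is a quoted JSON string.
    | mv-apply Prop = TargetResources[0].modifiedProperties on (
        summarize RoleName = take_anyif(trim('"', tostring(Prop.newValue)),
                                        tostring(Prop.displayName) == "Role.DisplayName")
    )
    | project GrantedAt = TimeGenerated, TargetObjectId, TargetUser, RoleName,
              GrantedBy = tostring(InitiatedBy.user.userPrincipalName),
              GrantIp = tostring(InitiatedBy.user.ipAddress);
RoleGrants
| join kind=inner Created on TargetObjectId
| where GrantedAt between (CreatedAt .. (CreatedAt + Window))
| extend MinutesToGrant = datetime_diff("minute", GrantedAt, CreatedAt),
         IsExternalTarget = TargetUser contains "#EXT#",   // guest/B2B object in this tenant
         SameActor = GrantedBy =~ CreatedBy                // one account did both steps
| project GrantedAt, TargetUser, RoleName, MinutesToGrant, IsExternalTarget,
          CreatedBy, GrantedBy, GrantIp, CreatorIp, SameActor
| sort by GrantedAt desc
```

Against the constructed rows this returns a single result: the #EXT# guest made Global Administrator three minutes after creation, with IsExternalTarget and SameActor both true. The routine onboarding row is excluded because no role grant follows it, and the Exchange Administrator grant is excluded because the target has no creation event in the window; both would still surface in the main detection above and should be triaged against a change record.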
References (14)
- https://attack.mitre.org/techniques/T1098/003/
- https://docs.microsoft.com/en-us/office365/admin/add-users/about-admin-roles?view=o365-worldwide
- https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
- https://cloud.google.com/iam/docs/policies
- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
- https://expel.com/blog/incident-report-from-cli-to-console-chasing-an-attacker-in-aws/
- https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://www.microsoft.com/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/
- https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
- https://learn.microsoft.com/en-us/azure/active-directory/roles/security-planning
- https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin
- https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
- https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log
- https://learn.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance