T1136.003

Cloud Account

Adversaries may create cloud accounts to maintain access to victim systems. Cloud accounts include user accounts, service principals, managed identities (Azure), IAM users and roles (AWS), and service accounts (GCP). With sufficient access, adversaries create secondary credentialed accounts that do not require persistent remote access tools. Known actors include APT29 (creating Azure AD users), LAPSUS$ (creating global admin accounts in victim cloud tenants), and the AADInternals toolkit. Cloud accounts can be scoped to specific services to reduce detection surface and are often followed by credential additions or role escalation for persistence.

Microsoft Sentinel / Defender

kusto

// Branch 1: Azure AD / Entra ID — New user or service principal creation
let AzureADAccountCreation = AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName in ("Add user", "Add service principal", "Add application", "Add service principal credentials")
| where Result == "success"
| extend TargetObjectId     = tostring(TargetResources[0].id)
| extend TargetDisplayName  = tostring(TargetResources[0].displayName)
| extend TargetUPN          = tostring(TargetResources[0].userPrincipalName)
| extend TargetType         = tostring(TargetResources[0].type)
| extend InitiatorUPN       = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatorApp       = tostring(InitiatedBy.app.displayName)
| extend InitiatorIP        = tostring(InitiatedBy.user.ipAddress)
| extend Category           = tostring(Category)
| extend IsServicePrincipal = OperationName has_any ("service principal", "application")
| project TimeGenerated, OperationName, TargetDisplayName, TargetUPN, TargetType,
          InitiatorUPN, InitiatorApp, InitiatorIP, IsServicePrincipal, Category, CorrelationId;
// Branch 2: AWS CloudTrail — IAM user or role creation
let AWSIAMCreation = AWSCloudTrail
| where TimeGenerated > ago(24h)
| where EventName in ("CreateUser", "CreateRole", "CreateServiceLinkedRole", "CreateVirtualMFADevice")
| where ErrorCode == ""
| extend ActorArn      = UserIdentityArn
| extend ActorType     = UserIdentityType
| extend ActorUserName = UserIdentityUserName
| extend SourceIP      = SourceIpAddress
| extend TargetUser    = tostring(parse_json(RequestParameters).userName)
| extend TargetRole    = tostring(parse_json(RequestParameters).roleName)
| extend TargetName    = coalesce(TargetUser, TargetRole)
| project TimeGenerated, EventName, TargetName, ActorArn, ActorType, ActorUserName, SourceIP, AWSRegion, RecipientAccountId;
// Branch 3: Office 365 — New user added by admin
let O365UserCreation = OfficeActivity
| where TimeGenerated > ago(24h)
| where Operation in ("Add user.", "New-MsolUser", "New-AzureADUser")
| extend ActorUPN   = UserId
| extend TargetUPN  = ObjectId
| extend IPAddress  = ClientIP
| project TimeGenerated, Operation, ActorUPN, TargetUPN, IPAddress, OfficeWorkload, OrganizationId;
// Combine and surface for review
union
  (AzureADAccountCreation | extend Source="AzureAD", Actor=coalesce(InitiatorUPN, InitiatorApp), Target=coalesce(TargetUPN, TargetDisplayName), IPAddress=InitiatorIP),
  (AWSIAMCreation         | extend Source="AWS",     Actor=ActorUserName,                       Target=TargetName,                                     IPAddress=SourceIP),
  (O365UserCreation       | extend Source="O365",    Actor=ActorUPN,                            Target=TargetUPN,                                      IPAddress=IPAddress)
| project TimeGenerated, Source, OperationName=coalesce(OperationName, EventName, Operation), Actor, Target, IPAddress
| sort by TimeGenerated desc

high severity high confidence

Data Sources

Cloud Service: Cloud Account Azure Active Directory Audit Logs AWS CloudTrail Office 365 Audit Logs

Required Tables

AuditLogs AWSCloudTrail OfficeActivity

False Positives

IT helpdesk and identity administrators creating legitimate new employee accounts during onboarding
DevOps pipelines creating service principals or managed identities for application deployments
HR-driven automated provisioning systems (Workday, ServiceNow) that create cloud accounts on hire
Break-glass account creation during incident response or disaster recovery testing
Security teams running purple team exercises or authorized AADInternals testing

Splunk

spl

| union
    [search index=azure sourcetype="azure:monitor:aad:audit"
     (operationName="Add user" OR operationName="Add service principal" OR operationName="Add application" OR operationName="Add service principal credentials")
     result="success"
    | eval Source="AzureAD"
    | eval Actor=coalesce('initiatedBy.user.userPrincipalName', 'initiatedBy.app.displayName')
    | eval Target=coalesce('targetResources{}.userPrincipalName', 'targetResources{}.displayName')
    | eval IPAddress='initiatedBy.user.ipAddress'
    | eval IsServiceAccount=if(match(operationName, "service principal|application"), 1, 0)
    | table _time, Source, operationName, Actor, Target, IPAddress, IsServiceAccount, correlationId],
    [search index=aws sourcetype="aws:cloudtrail"
     (eventName="CreateUser" OR eventName="CreateRole" OR eventName="CreateServiceLinkedRole" OR eventName="CreateVirtualMFADevice")
     NOT errorCode=*
    | eval Source="AWS"
    | eval Actor=coalesce(userIdentity.userName, userIdentity.arn)
    | eval Target=coalesce('requestParameters.userName', 'requestParameters.roleName')
    | eval IPAddress=sourceIPAddress
    | eval IsServiceAccount=if(match(eventName, "Role|ServiceLinked"), 1, 0)
    | table _time, Source, eventName as operationName, Actor, Target, IPAddress, IsServiceAccount, awsRegion],
    [search index=o365 sourcetype="o365:management:activity"
     (Operation="Add user." OR Operation="New-MsolUser" OR Operation="New-AzureADUser")
    | eval Source="O365"
    | eval Actor=UserId
    | eval Target=ObjectId
    | eval IPAddress=ClientIP
    | eval IsServiceAccount=0
    | table _time, Source, Operation as operationName, Actor, Target, IPAddress, IsServiceAccount]
| eval SuspicionScore=0
| eval SuspicionScore=SuspicionScore + if(IsServiceAccount=1, 1, 0)
| eval SuspicionScore=SuspicionScore + if(match(IPAddress, "^(tor|vpn|proxy)") OR isnull(IPAddress) OR IPAddress="", 1, 0)
| eval SuspicionScore=SuspicionScore + if(match(lower(Target), "(admin|root|svc_|service_|test|tmp|temp)"), 1, 0)
| eval SuspicionScore=SuspicionScore + if(Actor="unknown" OR isnull(Actor), 2, 0)
| table _time, Source, operationName, Actor, Target, IPAddress, IsServiceAccount, SuspicionScore
| sort - _time

high severity high confidence

Data Sources

Cloud Service: Cloud Account Azure AD Audit Logs AWS CloudTrail Office 365 Management Activity

Required Sourcetypes

azure:monitor:aad:audit aws:cloudtrail o365:management:activity

False Positives

IT helpdesk and identity administrators creating legitimate new employee accounts during onboarding
DevOps pipelines creating service principals or managed identities for CI/CD deployments
HR-driven automated provisioning systems creating accounts on new hire events
Break-glass or emergency access account creation with documented justification
Authorized red team exercises using AADInternals or similar tooling

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  CATEGORYNAME(category) AS event_category,
  LOGSOURCENAME(logsourceid) AS log_source,
  username AS actor,
  "Account Name" AS target_account,
  sourceip AS source_ip,
  CASE
    WHEN LOWER(QIDNAME(qid)) LIKE '%createuser%' OR LOWER(QIDNAME(qid)) LIKE '%createrole%' THEN 'AWS'
    WHEN LOWER(QIDNAME(qid)) LIKE '%add user%' OR LOWER(QIDNAME(qid)) LIKE '%add service principal%' THEN 'AzureAD'
    WHEN LOWER(QIDNAME(qid)) LIKE '%new-msoluser%' OR LOWER(QIDNAME(qid)) LIKE '%add user.%' THEN 'O365'
    ELSE 'Unknown'
  END AS cloud_platform,
  CASE
    WHEN LOWER(QIDNAME(qid)) LIKE '%service principal%' OR LOWER(QIDNAME(qid)) LIKE '%role%' OR LOWER(QIDNAME(qid)) LIKE '%application%' THEN 1
    ELSE 0
  END AS is_service_account
FROM events
WHERE
  LOGSOURCETYPEID IN (
    SELECT id FROM SDE_LogSourceType WHERE name LIKE '%Azure%' OR name LIKE '%AWS%' OR name LIKE '%Office 365%' OR name LIKE '%Microsoft 365%'
  )
  AND (
    QIDNAME(qid) ILIKE '%Add user%'
    OR QIDNAME(qid) ILIKE '%Add service principal%'
    OR QIDNAME(qid) ILIKE '%Add application%'
    OR QIDNAME(qid) ILIKE '%Add service principal credentials%'
    OR QIDNAME(qid) ILIKE '%CreateUser%'
    OR QIDNAME(qid) ILIKE '%CreateRole%'
    OR QIDNAME(qid) ILIKE '%CreateServiceLinkedRole%'
    OR QIDNAME(qid) ILIKE '%CreateVirtualMFADevice%'
    OR QIDNAME(qid) ILIKE '%New-MsolUser%'
    OR QIDNAME(qid) ILIKE '%New-AzureADUser%'
  )
  AND magnitude >= 3
  AND starttime > NOW() - 1 DAYS
ORDER BY starttime DESC

high severity medium confidence

Data Sources

Azure Active Directory Audit Logs AWS CloudTrail via QRadar DSM Microsoft Office 365 Activity Logs

Required Tables

events

False Positives

Automated provisioning systems (Ansible, Puppet, Terraform) that run account creation as part of scheduled infrastructure management tasks
HR system integrations that sync new employee records into cloud directories on hire date, triggering bulk account creation events
Break-glass or emergency access procedures where security or IT ops create temporary privileged accounts during incident response

Sumo Logic CSE

sql

(_sourceCategory="azure/audit" OR _sourceCategory="aws/cloudtrail" OR _sourceCategory="o365/audit")
| json auto
| where (
    (operationName in ("Add user", "Add service principal", "Add application", "Add service principal credentials") and result = "success")
    OR (eventName in ("CreateUser", "CreateRole", "CreateServiceLinkedRole", "CreateVirtualMFADevice") and !(errorCode matches "*"))
    OR (Operation in ("Add user.", "New-MsolUser", "New-AzureADUser"))
  )
| if (_sourceCategory matches "azure*", "AzureAD",
    if (_sourceCategory matches "aws*", "AWS",
    if (_sourceCategory matches "o365*", "O365", "Unknown"))) as cloud_platform
| if (operationName matches "*service principal*" or operationName matches "*application*" or eventName matches "*Role*", 1, 0) as is_service_account
| if (cloud_platform = "AzureAD",
      coalesce(%"initiatedBy.user.userPrincipalName", %"initiatedBy.app.displayName"),
    if (cloud_platform = "AWS",
      coalesce(%"userIdentity.userName", %"userIdentity.arn"),
      UserId)) as actor
| if (cloud_platform = "AzureAD",
      coalesce(%"targetResources[0].userPrincipalName", %"targetResources[0].displayName"),
    if (cloud_platform = "AWS",
      coalesce(%"requestParameters.userName", %"requestParameters.roleName"),
      ObjectId)) as target_account
| if (cloud_platform = "AzureAD", %"initiatedBy.user.ipAddress",
    if (cloud_platform = "AWS", sourceIPAddress, ClientIP)) as source_ip
| eval suspicion_score = 0
| eval suspicion_score = suspicion_score + if (is_service_account = 1, 1, 0)
| eval suspicion_score = suspicion_score + if (isNull(source_ip) or source_ip = "", 1, 0)
| eval suspicion_score = suspicion_score + if (actor matches "unknown" or isNull(actor), 2, 0)
| eval suspicion_score = suspicion_score + if (target_account matches "*admin*" or target_account matches "*svc_*" or target_account matches "*service*" or target_account matches "*test*" or target_account matches "*tmp*", 1, 0)
| fields _messagetime, cloud_platform, operationName, eventName, Operation, actor, target_account, source_ip, is_service_account, suspicion_score
| sort by _messagetime desc

high severity medium confidence

Data Sources

Azure Monitor Audit Logs (Sumo Logic Azure source) AWS CloudTrail (Sumo Logic S3 source or HTTP source) Office 365 Management Activity API (Sumo Logic O365 source)

Required Tables

_sourceCategory=azure/audit _sourceCategory=aws/cloudtrail _sourceCategory=o365/audit

False Positives

Service account creation by DevOps teams deploying new microservices that require dedicated cloud identities for least-privilege access
Automated cloud governance tools periodically creating sandbox or ephemeral IAM roles for developer environments on a scheduled basis
Identity federation sync jobs (Azure AD Connect, AWS SSO sync) that replicate on-premises accounts to cloud directories and appear as new account creation events

Google Chronicle / SecOps

yaral

rule t1136_003_cloud_account_creation {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects cloud account creation across Azure AD, AWS IAM, and GCP IAM. Covers user accounts, service principals, IAM users, roles, and service accounts used by adversaries for persistent cloud access."
    mitre_attack_technique = "T1136.003"
    mitre_attack_tactic = "Persistence"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1136/003/"

  events:
    (
      $e.metadata.event_type = "USER_CREATION"
      or $e.metadata.event_type = "SERVICE_ACCOUNT_CREATION"
      or (
        $e.metadata.product_name = "Microsoft Azure"
        and $e.metadata.product_event_type in (
          "Add user",
          "Add service principal",
          "Add application",
          "Add service principal credentials"
        )
        and $e.security_result.action = "ALLOW"
      )
      or (
        $e.metadata.product_name = "Amazon Web Services"
        and $e.metadata.product_event_type in (
          "CreateUser",
          "CreateRole",
          "CreateServiceLinkedRole",
          "CreateVirtualMFADevice"
        )
        and not $e.security_result.action = "BLOCK"
      )
      or (
        $e.metadata.product_name = "Google Cloud Platform"
        and $e.metadata.product_event_type in (
          "google.iam.admin.v1.CreateServiceAccount",
          "google.iam.v1.IAMPolicy.SetIamPolicy",
          "CreateServiceAccountKey"
        )
      )
      or (
        $e.metadata.product_name = "Microsoft Office 365"
        and $e.metadata.product_event_type in (
          "Add user.",
          "New-MsolUser",
          "New-AzureADUser"
        )
      )
    )
    $e.principal.user.userid != ""

  condition:
    $e
}

high severity medium confidence

Data Sources

Azure Active Directory Audit Logs (via Chronicle Azure ingestion) AWS CloudTrail (via Chronicle AWS ingestion) GCP Cloud Audit Logs (via Chronicle GCP ingestion) Microsoft Office 365 Audit Logs (via Chronicle O365 ingestion)

Required Tables

UDM events with metadata.event_type USER_CREATION or SERVICE_ACCOUNT_CREATION

False Positives

Legitimate cloud administrator creating new user accounts during employee onboarding or contractor access provisioning through standard HR workflows
Infrastructure-as-Code pipelines (Terraform, Pulumi, CDK) creating service accounts and IAM roles as part of automated environment deployment
Cloud Access Security Broker (CASB) or identity governance platform performing account lifecycle management, including provisioning accounts from an authoritative HR source

CrowdStrike LogScale (CQL)

cql

// CrowdStrike Falcon LogScale — Cloud Account Creation (T1136.003)
// Covers Azure AD, AWS IAM, and O365 audit events ingested via Falcon Horizon or third-party log connectors

#event_simpleName = "CloudAuditEvent"
| in(field="OperationName", values=["Add user", "Add service principal", "Add application", "Add service principal credentials", "CreateUser", "CreateRole", "CreateServiceLinkedRole", "CreateVirtualMFADevice", "Add user.", "New-MsolUser", "New-AzureADUser", "google.iam.admin.v1.CreateServiceAccount", "CreateServiceAccountKey"])
| SourceResultStatus != "Failed"
| SourceResultStatus != "Failure"
| case {
    OperationName = "Add user" OR OperationName = "Add service principal" OR OperationName = "Add application" OR OperationName = "Add service principal credentials" | CloudPlatform := "AzureAD" ;
    OperationName = "CreateUser" OR OperationName = "CreateRole" OR OperationName = "CreateServiceLinkedRole" OR OperationName = "CreateVirtualMFADevice" | CloudPlatform := "AWS" ;
    OperationName = "Add user." OR OperationName = "New-MsolUser" OR OperationName = "New-AzureADUser" | CloudPlatform := "O365" ;
    OperationName = "google.iam.admin.v1.CreateServiceAccount" OR OperationName = "CreateServiceAccountKey" | CloudPlatform := "GCP" ;
    * | CloudPlatform := "Unknown"
  }
| IsServiceAccount := if(OperationName matches "service principal|application|Role|ServiceLinked|ServiceAccount", then="true", else="false")
| SuspicionScore := 0
| SuspicionScore := SuspicionScore + if(IsServiceAccount = "true", then=1, else=0)
| SuspicionScore := SuspicionScore + if(ActorIPAddress = "" OR ActorIPAddress = null, then=1, else=0)
| SuspicionScore := SuspicionScore + if(ActorUserPrincipalName = "unknown" OR ActorUserPrincipalName = null, then=2, else=0)
| SuspicionScore := SuspicionScore + if(TargetAccountName matches "(?i)(admin|root|svc_|service_|test|tmp|temp)", then=1, else=0)
| table([timestamp, CloudPlatform, OperationName, ActorUserPrincipalName, TargetAccountName, ActorIPAddress, IsServiceAccount, SuspicionScore])
| sort(timestamp, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Horizon (Cloud Security Posture Management) Azure AD Audit Logs (via Falcon LogScale connector or Filebeat) AWS CloudTrail (via Falcon LogScale S3 connector) Office 365 Audit Logs (via Microsoft Graph ingestion to LogScale)

Required Tables

CloudAuditEvent (Falcon Horizon or mapped cloud audit log events)

False Positives

Cloud infrastructure teams running Terraform or Ansible playbooks that provision IAM roles, service principals, or GCP service accounts as part of routine environment builds or updates
Identity management platforms (e.g., Okta Workflows, Azure AD Lifecycle Workflows) automatically creating cloud accounts when new employee records are created in the HR system of record
Security red team or penetration testing exercises where authorized testers create cloud accounts as part of an approved attack simulation scoped to the production or staging cloud environment

Last updated: 2026-04-18 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1136.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Cloud Account

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections