Detect Cloud Account in Microsoft Sentinel
Adversaries may create cloud accounts to maintain access to victim systems. Cloud accounts include user accounts, service principals and managed identities (Azure), IAM users and roles (AWS), and service accounts (GCP). With sufficient access, adversaries create secondary credentialed accounts that do not depend on persistent remote access tools. Known actors and tooling include APT29 (creating Azure AD users), LAPSUS$ (creating global admin accounts in victim cloud tenants), and the AADInternals toolkit. Cloud accounts can be scoped to specific services to reduce the detection surface and are often followed by credential additions or role escalation for persistence.
MITRE ATT&CK
- Tactic: Persistence
- Technique: T1136 Create Account
- Sub-technique: T1136.003 Cloud Account
- Canonical reference: https://attack.mitre.org/techniques/T1136/003/
KQL Detection Query
```kql
// Branch 1: Azure AD / Entra ID: new user or service principal creation
let AzureADAccountCreation = AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName in ("Add user", "Add service principal", "Add application", "Add service principal credentials")
| where Result == "success"
| extend TargetObjectId = tostring(TargetResources[0].id)
| extend TargetDisplayName = tostring(TargetResources[0].displayName)
| extend TargetUPN = tostring(TargetResources[0].userPrincipalName)
| extend TargetType = tostring(TargetResources[0].type)
| extend InitiatorUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatorApp = tostring(InitiatedBy.app.displayName)
| extend InitiatorIP = tostring(InitiatedBy.user.ipAddress)
| extend IsServicePrincipal = OperationName has_any ("service principal", "application")
| project TimeGenerated, OperationName, TargetObjectId, TargetDisplayName, TargetUPN, TargetType,
          InitiatorUPN, InitiatorApp, InitiatorIP, IsServicePrincipal, Category, CorrelationId;
// Branch 2: AWS CloudTrail: IAM user or role creation
let AWSIAMCreation = AWSCloudTrail
| where TimeGenerated > ago(24h)
| where EventName in ("CreateUser", "CreateRole", "CreateServiceLinkedRole", "CreateVirtualMFADevice")
| where isempty(ErrorCode)   // no ErrorCode means the API call succeeded
| extend ActorArn = UserIdentityArn
| extend ActorType = UserIdentityType
| extend ActorUserName = UserIdentityUserName
| extend SourceIP = SourceIpAddress
| extend TargetUser = tostring(parse_json(RequestParameters).userName)
| extend TargetRole = tostring(parse_json(RequestParameters).roleName)
// tostring() of a missing property yields "" (not null), so coalesce() would not fall through; test for emptiness instead
| extend TargetName = iff(isnotempty(TargetUser), TargetUser, TargetRole)
| project TimeGenerated, EventName, TargetName, ActorArn, ActorType, ActorUserName, SourceIP, AWSRegion, RecipientAccountId;
// Branch 3: Office 365: new user added by an admin
let O365UserCreation = OfficeActivity
| where TimeGenerated > ago(24h)
| where Operation in ("Add user.", "New-MsolUser", "New-AzureADUser")
| extend ActorUPN = UserId
| extend TargetUPN = ObjectId
| extend IPAddress = ClientIP
| project TimeGenerated, Operation, ActorUPN, TargetUPN, IPAddress, OfficeWorkload, OrganizationId;
// Combine and surface for review with a normalized Actor / Target / IPAddress schema
union
    (AzureADAccountCreation
     | extend Source = "AzureAD",
              Actor = iff(isnotempty(InitiatorUPN), InitiatorUPN, InitiatorApp),
              Target = iff(isnotempty(TargetUPN), TargetUPN, TargetDisplayName),
              IPAddress = InitiatorIP),
    (AWSIAMCreation | extend Source = "AWS", Actor = ActorUserName, Target = TargetName, IPAddress = SourceIP),
    (O365UserCreation | extend Source = "O365", Actor = ActorUPN, Target = TargetUPN)
// after union, a column absent from a branch is null, so coalesce() is correct here
| project TimeGenerated, Source, OperationName = coalesce(OperationName, EventName, Operation), Actor, Target, IPAddress
| sort by TimeGenerated desc
```
Multi-branch detection covering cloud account creation across Azure AD/Entra ID (AuditLogs), AWS (AWSCloudTrail), and Office 365 (OfficeActivity). Branch 1 detects new Azure AD users, service principals, and applications, the primary targets for APT29 and AADInternals. Branch 2 detects AWS IAM user and role creation events that carry no error code (a successful API call). Branch 3 catches O365 admin-driven user provisioning via PowerShell cmdlets. All branches are unioned and surfaced with a normalized Actor/Target/IPAddress schema for analyst review.
Data Sources
Required Tables
- AuditLogs (Azure AD / Entra ID)
- AWSCloudTrail (AWS)
- OfficeActivity (Office 365)
False Positives & Tuning
- IT helpdesk and identity administrators creating legitimate new employee accounts during onboarding
- DevOps pipelines creating service principals or managed identities for application deployments
- HR-driven automated provisioning systems (Workday, ServiceNow) that create cloud accounts on hire
- Break-glass account creation during incident response or disaster recovery testing
- Security teams running purple team exercises or authorized AADInternals testing
Testing Methodology
Validate this detection against four Atomic Red Team tests. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Create Azure AD User via Azure CLI
Expected signal: Azure AD AuditLogs: OperationName='Add user', Result='success', InitiatedBy.user.userPrincipalName=<your admin UPN>, TargetResources[0].displayName='df00tech-test-user'. The event appears within 1-2 minutes of execution.
- Test 2: Create Azure Service Principal via PowerShell (AADInternals Pattern)
Expected signal: Azure AD AuditLogs: two sequential events, OperationName='Add application' followed within seconds by OperationName='Add service principal', then OperationName='Add service principal credentials'. All three events share the same CorrelationId or occur within the same 1-minute window from the same InitiatedBy UPN.
- Test 3: Create AWS IAM User with Access Keys
Expected signal: AWS CloudTrail: CreateUser event with requestParameters.userName='df00tech-atomic-test-user' and responseElements.user.arn containing the new user ARN, followed within seconds by a CreateAccessKey event with the same userName. Both events share the sourceIPAddress of the calling machine and the userIdentity.arn of the executing role.
- Test 4: Create Azure AD User via AADInternals PowerShell Module
Expected signal: Azure AD AuditLogs: OperationName='Add user', Result='success'. The InitiatedBy field will show the authenticated user's UPN (not an application identity, since AADInternals authenticates as the user). Sysmon Event ID 1 on the Windows host: Process Create for powershell.exe with CommandLine containing 'AADInternals' and 'New-AADIntUser'. PowerShell ScriptBlock Log Event ID 4104 captures the full command including credentials (monitor for this in SIEM).
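The creation-then-credential chain that Tests 2 and 3 describe (and that the technique summary calls out as credential additions or role escalation after account creation) can be turned into its own Sentinel query. This is an added example, not the rule above or the site's Pro content; the 15-minute window and the choice of follow-up operations are assumptions to tune for your tenant.

```kql
// Added example: an account creation followed within chain_window by a
// credential addition, role assignment or password set, by the same actor, on the same object.
let lookback = 24h;
let chain_window = 15m;   // assumed tuning value
// Entra ID: new user / service principal -> credentials, role, or password on that object
let entra_created = AuditLogs
| where TimeGenerated > ago(lookback) and Result == "success"
| where OperationName in ("Add user", "Add service principal")
| project CreatedAt = TimeGenerated, CreateOp = OperationName,
          ObjectId = tostring(TargetResources[0].id),
          Actor = tostring(InitiatedBy.user.userPrincipalName),
          IPAddress = tostring(InitiatedBy.user.ipAddress);
let entra_followup = AuditLogs
| where TimeGenerated > ago(lookback) and Result == "success"
| where OperationName in ("Add service principal credentials", "Add member to role", "Reset user password")
| project FollowAt = TimeGenerated, FollowOp = OperationName,
          ObjectId = tostring(TargetResources[0].id),
          FollowActor = tostring(InitiatedBy.user.userPrincipalName);
let entra_chain = entra_created
| join kind=inner entra_followup on ObjectId
| where FollowAt between (CreatedAt .. (CreatedAt + chain_window)) and FollowActor == Actor
| project CreatedAt, Source = "EntraID", CreateOp, FollowOp, Target = ObjectId, Actor, IPAddress,
          Delay = FollowAt - CreatedAt;
// AWS: CreateUser -> access key, console password, or policy attached to the same userName
let aws_created = AWSCloudTrail
| where TimeGenerated > ago(lookback) and isempty(ErrorCode)
| where EventName == "CreateUser"
| project CreatedAt = TimeGenerated, CreateOp = EventName,
          UserName = tostring(parse_json(RequestParameters).userName),
          Actor = UserIdentityArn, IPAddress = SourceIpAddress;
let aws_followup = AWSCloudTrail
| where TimeGenerated > ago(lookback) and isempty(ErrorCode)
| where EventName in ("CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy")
| project FollowAt = TimeGenerated, FollowOp = EventName,
          UserName = tostring(parse_json(RequestParameters).userName),
          FollowActor = UserIdentityArn;
let aws_chain = aws_created
| join kind=inner aws_followup on UserName
| where FollowAt between (CreatedAt .. (CreatedAt + chain_window)) and FollowActor == Actor
| project CreatedAt, Source = "AWS", CreateOp, FollowOp, Target = UserName, Actor, IPAddress,
          Delay = FollowAt - CreatedAt;
// One row per chain; a short Delay from an Actor outside the onboarding/DevOps allowlist is the review priority
union entra_chain, aws_chain
| sort by CreatedAt desc
```

Pair it with the broad query above rather than replacing it: the chain query is the higher-severity signal, while the single-event query still catches creations that are never followed up within the window.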
References (10)
- https://attack.mitre.org/techniques/T1136/003/
- https://docs.microsoft.com/en-us/office365/admin/add-users/about-admin-roles?view=o365-worldwide
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html
- https://support.google.com/cloudidentity/answer/7332836?hl=en&ref_topic=7558554
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory
- https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals?tabs=browser
- https://www.microsoft.com/en-us/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/
- https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://aadinternals.com/aadinternals/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md