title: Cloud Services (T1021.007)
id: df00tech-t1021-007
status: experimental
description: "Adversaries may log into accessible cloud services within a compromised environment using Valid Accounts that are synchronized with or federated to on-premises user identities. Many enterprises federate user identities to cloud services (Azure AD/Entra ID, AWS, GCP, M365), allowing adversaries with compromised on-premises credentials to move laterally into cloud control planes. APT29 leveraged synced high-privileged accounts to move into Office 365/Azure. Storm-0501 abused Entra Connect Sync Server for hybrid lateral movement. Scattered Spider used existing AWS EC2 instances for lateral movement. Methods include cloud CLI tools (Connect-AzAccount, gcloud auth, aws configure), web console access, and Application Access Tokens."
references:
  - https://attack.mitre.org/techniques/T1021/007/
  - https://df00tech.com/detections/T1021.007
author: df00tech
date: 2026/04/13
tags:
  - attack.t1021.007
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # Placeholder only: the selection below matches every process_creation event
  # and must be replaced with the real logic before this rule is deployed.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Developers and DevOps engineers legitimately using cloud CLI tools (az, aws, gcloud) from their workstations"
  - CI/CD pipeline agents authenticating to cloud services for deployment automation
  - Cloud administrators performing routine management via cloud CLI from authorized workstations
  - Multi-cloud monitoring tools that authenticate to multiple cloud platforms to collect metrics
  - Azure Arc and hybrid management services that sync identities between on-premises and cloud environments
level: high
