title: Additional Cloud Credentials (T1098.001)
id: df00tech-t1098-001
status: experimental
description: "Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. This includes adding credentials to Azure/Entra ID Service Principals and Applications (X.509 keys and passwords), generating or importing SSH keys in AWS/GCP, creating AWS IAM access keys or login profiles, and adding app passwords to Entra ID user accounts to bypass MFA. These techniques allow persistent access even if the original compromised credentials are rotated."
references:
  - https://attack.mitre.org/techniques/T1098/001/
  - https://df00tech.com/detections/T1098.001
author: df00tech
date: 2026/04/13
tags:
  - attack.t1098.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate DevOps automation rotating service principal credentials on a schedule (CI/CD pipelines, Terraform, Ansible)"
  - Application registrations during normal software development lifecycle where developers add test credentials
  - Break-glass/emergency account setup by authorized IT administrators during incident response
  - Managed Identity and service connection setup during Azure DevOps pipeline configuration by authorized teams
  - "App password creation by end users for legacy applications (e.g., Office clients without MFA support) when permitted by policy"
level: high
