title: Additional Cloud Roles (T1098.003)
id: df00tech-t1098-003
status: experimental
description: "An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments. With sufficient permissions, a compromised account can gain almost unlimited access to data and settings, including the ability to reset the passwords of other admins. This account modification may immediately follow account creation or other malicious account activity. Adversaries may also modify existing valid accounts that they have compromised, potentially leading to privilege escalation and lateral movement to additional accounts. In some cases, adversaries may add roles to adversary-controlled accounts outside the victim cloud tenant, allowing external accounts to perform actions inside the victim tenant. Threat groups such as Scattered Spider, LAPSUS$, and Storm-0501 have used this technique to gain persistent administrative access to cloud environments."
references:
  - https://attack.mitre.org/techniques/T1098/003/
  - https://df00tech.com/detections/T1098.003
author: df00tech
date: 2026/04/13
tags:
  - attack.t1098.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate IT administrators assigning roles as part of onboarding new employees or service accounts during approved change windows
  - Privileged Identity Management (PIM) activations by authorized users performing time-bound role elevations for maintenance tasks
  - "Automated infrastructure provisioning pipelines (Terraform, Bicep, ARM templates) that assign roles as part of resource deployment"
  - Help desk or identity governance processes granting temporary access to resolve user issues under a ticketed change request
  - Azure AD Connect or other hybrid identity synchronization services that periodically update role memberships
level: high