title: Cloud Account (T1136.003)
id: df00tech-t1136-003
status: experimental
description: "Adversaries may create cloud accounts to maintain access to victim systems. Cloud accounts include user accounts, service principals, managed identities (Azure), IAM users and roles (AWS), and service accounts (GCP). With sufficient access, adversaries create secondary credentialed accounts that do not require persistent remote access tools on the compromised hosts. Known examples include APT29 (creating Azure AD users), LAPSUS$ (creating global admin accounts in victim cloud tenants), and the AADInternals toolkit. Cloud accounts can be scoped to specific services to narrow the detection surface, and account creation is often followed by credential additions or role escalation to solidify persistence."
references:
  - https://attack.mitre.org/techniques/T1136/003/
  - https://df00tech.com/detections/T1136.003
author: df00tech
date: 2026/04/18
tags:
  - attack.t1136.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # Placeholder only: the selection below (EventID: '*') matches every event and will fire on all records.
  # The detection logic could not be auto-translated; replace it with the KQL/SPL query on df00tech before deploying.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - IT helpdesk and identity administrators creating legitimate new employee accounts during onboarding
  - DevOps pipelines creating service principals or managed identities for application deployments
  - "HR-driven automated provisioning systems (Workday, ServiceNow) that create cloud accounts on hire"
  - Break-glass account creation during incident response or disaster recovery testing
  - Security teams running purple team exercises or authorized AADInternals testing
level: high

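The description above names the pattern a detection should key on: a new user or service principal created by an identity that is not a known provisioning system, followed shortly by a role assignment or credential addition. The following Python sketch is an added example, not the df00tech rule's own logic and not the KQL/SPL query it refers to. It assumes records in the shape of Microsoft Graph directoryAudit entries (operationName, category, initiatedBy, targetResources, activityDateTime); the sample records, the allowlisted provisioning identities (taken from the rule's falsepositives list) and the 24-hour escalation window are all constructed for illustration.

```python
"""Added detection sketch for T1136.003 over constructed Azure AD audit records.

Flags account creations by non-allowlisted initiators and raises severity when the
new account receives a role or credential within a short window. Field names are
assumed to follow the Microsoft Graph directoryAudit shape; all data is constructed.
"""
from datetime import datetime, timedelta

ACCOUNT_CREATION_OPS = {"Add user", "Add service principal"}
ESCALATION_OPS = {"Add member to role", "Add service principal credentials"}
# Hypothetical allowlist derived from the rule's falsepositives (HR/DevOps automation).
ALLOWLISTED_INITIATORS = {"svc-workday-provisioning@contoso.example", "sp:deploy-pipeline"}
ESCALATION_WINDOW = timedelta(hours=24)  # assumed window for "creation followed by escalation"


def initiator_of(rec):
    """Normalize the initiating identity (user UPN or 'sp:<app name>') to lower case."""
    who = rec.get("initiatedBy", {})
    if "user" in who:
        return who["user"].get("userPrincipalName", "").lower()
    if "app" in who:
        return "sp:" + who["app"].get("displayName", "").lower()
    return "unknown"


def targets_of(rec):
    """Collect lower-cased target identities (UPN or display name) of a record."""
    out = set()
    for t in rec.get("targetResources", []):
        name = t.get("userPrincipalName") or t.get("displayName")
        if name:
            out.add(name.lower())
    return out


def parse_time(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect(records):
    """Return one finding per non-allowlisted account creation, with any escalation
    operations that touched the new account inside ESCALATION_WINDOW."""
    events = sorted(records, key=lambda r: parse_time(r["activityDateTime"]))
    findings = []
    for i, rec in enumerate(events):
        if rec.get("operationName") not in ACCOUNT_CREATION_OPS:
            continue
        actor = initiator_of(rec)
        if actor in ALLOWLISTED_INITIATORS:
            continue  # expected provisioning path; see falsepositives
        created = targets_of(rec)
        t0 = parse_time(rec["activityDateTime"])
        followups = [
            e["operationName"] for e in events[i + 1:]
            if e.get("operationName") in ESCALATION_OPS
            and parse_time(e["activityDateTime"]) - t0 <= ESCALATION_WINDOW
            and created & targets_of(e)
        ]
        findings.append({
            "actor": actor,
            "operation": rec["operationName"],
            "created": sorted(created),
            "followups": followups,
            "severity": "high" if followups else "medium",
        })
    return findings


# Constructed sample records (not real tenant data), deliberately out of time order.
SAMPLE_RECORDS = [
    {"activityDateTime": "2026-04-18T10:05:00Z", "category": "RoleManagement",
     "operationName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "targetResources": [{"userPrincipalName": "backup-sync@contoso.example"},
                         {"displayName": "Global Administrator"}]},
    {"activityDateTime": "2026-04-18T09:00:00Z", "category": "UserManagement",
     "operationName": "Add user",
     "initiatedBy": {"user": {"userPrincipalName": "svc-workday-provisioning@contoso.example"}},
     "targetResources": [{"userPrincipalName": "alice@contoso.example"}]},
    {"activityDateTime": "2026-04-18T10:00:00Z", "category": "UserManagement",
     "operationName": "Add user",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "targetResources": [{"userPrincipalName": "backup-sync@contoso.example"}]},
    {"activityDateTime": "2026-04-18T10:30:00Z", "category": "ApplicationManagement",
     "operationName": "Add service principal",
     "initiatedBy": {"app": {"displayName": "deploy-pipeline"}},
     "targetResources": [{"displayName": "orders-api"}]},
    {"activityDateTime": "2026-04-18T11:00:00Z", "category": "UserManagement",
     "operationName": "Add user",
     "initiatedBy": {"user": {"userPrincipalName": "carol@contoso.example"}},
     "targetResources": [{"userPrincipalName": "dave@contoso.example"}]},
]


def run_sample():
    return detect(SAMPLE_RECORDS)


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

The allowlist is keyed on the normalized initiator, so an HR connector or deployment pipeline is suppressed while an interactive administrator creating an account still produces a medium finding; only the creation-then-escalation chain (here, the new account added to a role five minutes after creation) is raised to high, which is the sequence the description singles out.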