Lateral Movement

T1021.007: Cloud Services


T1021.007 · Sub-technique · 4 platforms · 3 groups

Description

Adversaries may log into accessible cloud services within a compromised environment using Valid Accounts that are synchronized with or federated to on-premises user identities. The adversary may then perform management actions or access cloud-hosted resources as the logged-on user.

Many enterprises federate centrally managed user identities to cloud services, allowing users to log in with their domain credentials in order to access the cloud control plane. Similarly, adversaries may connect to available cloud services through the web console or through the cloud command line interface (CLI) (e.g., Cloud API), using commands such as Connect-AzAccount for Azure PowerShell, Connect-MgGraph for Microsoft Graph PowerShell, and gcloud auth login for the Google Cloud CLI.

In some cases, adversaries may be able to authenticate to these services via Application Access Token instead of a username and password.

Platforms

IaaS · Identity Provider · Office Suite · SaaS

Mitigations (2)

M1032 · Multi-factor Authentication

Use multi-factor authentication on cloud services whenever possible.

M1026 · Privileged Account Management

Limit the number of high-privileged domain and cloud accounts, and ensure that these are not used for day-to-day operations. Ensure that on-premises accounts do not have privileged cloud permissions and that isolated, cloud-only accounts are used for managing cloud environments. (Citation: Protecting Microsoft 365 From On-Premises Attacks)
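The description above names the CLI clients an adversary would use with a synced identity, and the two mitigations describe what a compliant environment looks like (MFA on cloud sign-ins, no privileged cloud roles on on-prem synced accounts). The following added example, which is not part of the ATT&CK page or any vendor tooling, runs those checks over constructed sign-in records; the JSON field names, client display names and role names are assumptions and must be mapped to your own provider's sign-in telemetry.

```python
from __future__ import annotations
import json
from typing import Iterable

# Client display names for the CLIs listed in the description (assumed strings;
# real sign-in logs name clients differently per provider).
CLI_CLIENTS = {"Azure PowerShell", "Microsoft Graph PowerShell", "Google Cloud SDK"}
# Roles treated as "privileged cloud permissions" for the M1026 check (assumed).
PRIVILEGED_ROLES = {"Global Administrator", "Owner", "roles/owner"}

# Constructed sample sign-in records, one JSON object per line (not real logs).
SAMPLE_LOG = """
{"user": "svc-admin@corp.example", "client": "Azure PowerShell", "on_prem_synced": true, "mfa": false, "roles": ["Global Administrator"]}
{"user": "cloudadmin@corp.example", "client": "Azure PowerShell", "on_prem_synced": false, "mfa": true, "roles": ["Owner"]}
{"user": "jdoe@corp.example", "client": "Microsoft Graph PowerShell", "on_prem_synced": true, "mfa": true, "roles": []}
{"user": "analyst@corp.example", "client": "Browser", "on_prem_synced": true, "mfa": true, "roles": []}
"""

def assess(event: dict) -> list[str]:
    """Return the findings for one sign-in record (empty list means nothing to flag)."""
    findings: list[str] = []
    synced = bool(event.get("on_prem_synced", False))
    via_cli = event.get("client") in CLI_CLIENTS
    if synced and via_cli:
        # The core T1021.007 pattern: a synced/federated identity reaching the
        # cloud control plane through a CLI client rather than a cloud-only account.
        findings.append("T1021.007: on-prem synced identity used a cloud CLI client")
        if not event.get("mfa", False):
            findings.append("M1032: control-plane sign-in completed without MFA")
    if synced and set(event.get("roles", [])) & PRIVILEGED_ROLES:
        # M1026: privileged cloud management should come from isolated cloud-only accounts.
        findings.append("M1026: on-prem synced account holds a privileged cloud role")
    return findings

def scan(lines: Iterable[str]) -> dict[str, list[str]]:
    """Parse JSON-lines sign-in records; findings keyed by user (last record per user wins)."""
    results: dict[str, list[str]] = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        results[event["user"]] = assess(event)
    return results

if __name__ == "__main__":
    for user, findings in scan(SAMPLE_LOG.splitlines()).items():
        print(user, "->", findings or ["no findings"])
```

In the sample, the synced service account signing in from Azure PowerShell without MFA while holding Global Administrator trips all three checks, while the cloud-only admin using the same client trips none.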

Threat Groups (3)

ID · Group · Context
G1053 · Storm-0501 · [Storm-0501](https://attack.mitre.org/groups/G1053) has used a compromised Entra Connect Sync Server to move laterally within the victim environment.(Ci...
G0016 · APT29 · [APT29](https://attack.mitre.org/groups/G0016) has leveraged compromised high-privileged on-premises accounts synced to Office 365 to move laterally i...
G1015 · Scattered Spider · [Scattered Spider](https://attack.mitre.org/groups/G1015) has also leveraged pre-existing AWS EC2 instances for lateral movement and data collection p...

Frequently Asked Questions

What is T1021.007 (Cloud Services)?

T1021.007 is a MITRE ATT&CK sub-technique named 'Cloud Services'. It belongs to the Lateral Movement tactic. Adversaries may log into accessible cloud services within a compromised environment using [Valid Accounts](https://attack.mitre.org/techniques/T1078) that are synchronized with or federated to on-prem...

How can T1021.007 be detected?

Detection of T1021.007 (Cloud Services) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1021.007?

There are 2 documented mitigations for T1021.007. Key mitigations include: Multi-factor Authentication, Privileged Account Management.

Which threat groups use T1021.007?

Known threat groups using T1021.007 include: Storm-0501, APT29, Scattered Spider.