Resource Development

T1585.003: Cloud Accounts


T1585.003 · Sub-technique · 1 platform · 1 group

Description

Adversaries may create accounts with cloud providers that can be used during targeting. Adversaries can use cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, MEGA, Microsoft OneDrive, or AWS S3 buckets for Exfiltration to Cloud Storage or to Upload Tools. Cloud accounts can also be used in the acquisition of infrastructure, such as Virtual Private Servers or Serverless infrastructure. Establishing cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)

Creating Cloud Accounts may also require adversaries to establish Email Accounts to register with the cloud provider.

Platforms

PRE

Mitigations (1)

M1056: Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Threat Groups (1)

| ID | Group | Context |
| --- | --- | --- |
| G1046 | [Storm-1811](https://attack.mitre.org/groups/G1046) | Storm-1811 has created malicious accounts to enable activity via Microsoft Teams, typically spoofing various ... |

References

Frequently Asked Questions

What is T1585.003 (Cloud Accounts)?

T1585.003 is a MITRE ATT&CK technique named 'Cloud Accounts'. It belongs to the Resource Development tactic(s). Adversaries may create accounts with cloud providers that can be used during targeting. Adversaries can use cloud accounts to further their operations, including leveraging cloud storage services such...

How can T1585.003 be detected?

Detection of T1585.003 (Cloud Accounts) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1585.003?

There is 1 documented mitigation for T1585.003: Pre-compromise (M1056).

Which threat groups use T1585.003?

Known threat groups using T1585.003 include: Storm-1811.