Establish Accounts:
Cloud Accounts

ID Name
T1585.001 Social Media Accounts
T1585.002 Email Accounts
T1585.003 Cloud Accounts

Adversaries may create accounts with cloud providers that can be used during targeting. Adversaries can use cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, MEGA, Microsoft OneDrive, or AWS S3 buckets for Exfiltration to Cloud Storage or to Upload Tools. Cloud accounts can also be used in the acquisition of infrastructure, such as Virtual Private Servers or Serverless infrastructure. Establishing cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.[1]

攻撃者は、攻撃目標中に使用することができるクラウドアカウントを侵害することがあります。攻撃者は、Dropbox、Microsoft OneDrive、AWS S3バケットなどのクラウドストレージサービスを利用して、Cloud Storage への抽出またはツールのアップロード用に、作成したクラウド アカウントを使用して作戦を進めることができます。また、クラウドアカウントは、仮想プライベートサーバやサーバレスインフラなどのインフラを獲得する際にも使用されることがあります。クラウドアカウントを作成することで、攻撃者は自身のサーバを管理することなく、高度な機能を開発することができます[1]。

Creating Cloud Accounts may also require adversaries to establish Email Accounts to register with the cloud provider.


ID: T1585.003
Sub-technique of:  T1585
Platforms: PRE
Contributors: Francesco Bigarella
Version: 1.1
Created: 27 May 2022
Last Modified: 25 October 2022


ID Mitigation Description
M1056 Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.


Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during exfiltration (ex: Transfer Data to Cloud Account).