DET0008: Behavioral Detection of Remote Cloud Logins via Valid Accounts
Analyst context for executives and security teams
This detection strategy matters because remote logins to cloud services with legitimate credentials can look like normal business activity while enabling lateral movement into SaaS, identity-provider, office-suite, or IaaS environments. For leaders, the practical question is whether the organization can distinguish expected user access from unusual cloud access patterns when credentials are valid and no malware is required.
Executive priority
Prioritize this as an identity and cloud resilience issue, not just a SOC alerting problem. Because the related ATT&CK technique is Cloud Services under lateral movement, executives should ask whether cloud authentication logs, identity-provider evidence, and cloud control-plane activity are retained, monitored, and usable during incident response. This also supports audit and compliance evidence by showing whether access to cloud-hosted resources can be reviewed when federated or synchronized identities are used.
Technical view
MITRE provides no standalone description or detection logic for DET0008, so validation should be anchored to its relationship: it detects T1021.007 Cloud Services. SOC and detection teams should confirm visibility into remote logins to cloud services using valid accounts, especially where identities are synchronized or federated with on-premises credentials. Detection engineering should focus on behavioral context around cloud service access, such as unexpected login patterns, unusual access paths to web consoles or cloud CLI/API activity, and follow-on management actions or access to cloud-hosted resources by the logged-on user.
Likely telemetry
- Identity provider authentication logs for federated or synchronized users
- Cloud service sign-in and session logs
- SaaS and office-suite access logs
- IaaS control-plane or management activity logs
- Cloud CLI or API usage records where available
Detection direction
- Validate that detections are based on behavior around valid-account cloud logins, not only failed authentication or malware indicators.
- Correlate authentication events with subsequent cloud management actions or access to cloud-hosted resources.
- Tune for legitimate remote work, administrator activity, automation, and service access patterns to reduce false positives.
- Check blind spots around federated identity flows, cloud web console access, and cloud CLI/API activity, because these may be logged in different systems.
- Use the related technique context, T1021.007 Cloud Services, to ensure coverage spans IaaS, identity provider, office-suite, and SaaS environments where applicable.
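One way to implement the correlation described in the list above, as an added Python example that is not part of this page or of MITRE's strategy: it keeps a per-user baseline of source IPs from identity-provider sign-ins, flags a successful login from an IP outside that baseline, and attaches control-plane actions by the same user within a short window. The log records, user names, IP addresses, action names and the 30-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): identity-provider sign-ins and
# cloud control-plane actions, normalized to a common shape.
SIGNINS = [
    {"user": "alice", "ts": "2024-05-01T09:00:00", "ip": "203.0.113.10", "result": "success"},
    {"user": "alice", "ts": "2024-05-02T09:05:00", "ip": "203.0.113.10", "result": "success"},
    {"user": "alice", "ts": "2024-05-03T02:14:00", "ip": "198.51.100.7", "result": "success"},
    {"user": "bob",   "ts": "2024-05-03T10:00:00", "ip": "203.0.113.22", "result": "success"},
    {"user": "bob",   "ts": "2024-05-03T10:01:00", "ip": "192.0.2.5",    "result": "failure"},
]
MGMT_ACTIONS = [
    {"user": "alice", "ts": "2024-05-01T09:30:00", "action": "ListBuckets"},
    {"user": "alice", "ts": "2024-05-03T02:20:00", "action": "CreateAccessKey"},
    {"user": "bob",   "ts": "2024-05-03T10:05:00", "action": "CreateAccessKey"},
]


def detect_new_ip_then_mgmt(signins, actions, window_minutes=30):
    """Return alerts for successful logins from a source IP the user has not
    used before (per-user baseline built from earlier sign-ins in the input)
    that are followed by control-plane actions within window_minutes.
    Failed logins are ignored: the page's point is valid-account access."""
    alerts = []
    baseline = {}  # user -> set of source IPs already observed
    for s in sorted(signins, key=lambda e: e["ts"]):
        if s["result"] != "success":
            continue
        known = baseline.setdefault(s["user"], set())
        t0 = datetime.fromisoformat(s["ts"])
        t1 = t0 + timedelta(minutes=window_minutes)
        # Only alert once a baseline exists; a user's very first login seeds it.
        if known and s["ip"] not in known:
            follow_on = [
                a["action"] for a in sorted(actions, key=lambda e: e["ts"])
                if a["user"] == s["user"]
                and t0 <= datetime.fromisoformat(a["ts"]) <= t1
            ]
            if follow_on:
                alerts.append({"user": s["user"], "login_ts": s["ts"],
                               "login_ip": s["ip"], "actions": follow_on})
        known.add(s["ip"])
    return alerts
```

In the constructed data only alice's third login (new IP, then CreateAccessKey six minutes later) produces an alert; bob's failed login and alice's in-baseline logins do not.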
Mitigation priorities
- Ensure cloud and identity audit logging is enabled, retained, and accessible for investigation.
- Strengthen identity controls for accounts that can access cloud services, especially privileged or federated accounts.
- Review conditional access, session controls, and administrative access governance where cloud logins could enable lateral movement.
- Maintain incident response procedures for investigating valid-account cloud access, including identity-provider and cloud-control-plane evidence collection.
- Regularly test whether SOC workflows can connect a remote cloud login to later cloud resource access or management activity.
Analyst notes and limits
The supplied object is a MITRE detection strategy with no official description, no official detection text, and no tactics or platforms directly listed on the strategy itself. The useful context comes from the relationship showing that DET0008 detects T1021.007 Cloud Services, a lateral movement technique involving valid accounts and cloud services.
This take is limited to the provided ATT&CK fields and relationship context. It does not assert active exploitation, attribution, specific vendor coverage, or guaranteed detection. Local architecture, identity federation design, logging configuration, and cloud service usage determine the actual detection and response requirements.
Behavioral Detection of Remote Cloud Logins via Valid Accounts
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1021.007 | Cloud Services (sub-technique) | This object detects Cloud Services. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b96b62d8ca9e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0008
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.