MITRE ATT&CK® Technique

T1098.003: Additional Cloud Roles

An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.[1][2][3][4] With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).[5][4]

This account modification may immediately follow Create Account or other malicious account activity. Adversaries may also modify existing Valid Accounts that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.

For example, in AWS environments, an adversary with appropriate permissions may be able to use the CreatePolicyVersion API to define a new version of an IAM policy or the AttachUserPolicy API to attach an IAM policy with additional or distinct permissions to a compromised user account.[6]

In some cases, adversaries may add roles to adversary-controlled accounts outside the victim cloud tenant. This allows these external accounts to perform actions inside the victim tenant without requiring the adversary to Create Account or modify a victim-owned account.[7]

Enterprise | T1098.003 | Sub-technique | Object v2.5 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Additional Cloud Roles matters because it turns a cloud or SaaS account compromise into durable administrative access. If an attacker can add IAM permissions, attach policies, create a new administrator, or grant an external account access into the tenant, the incident can move from a single-account problem to a tenant-wide persistence and privilege-escalation risk.

Executive priority

Treat unexpected role or permission changes as high-priority identity and cloud governance events, not routine administration. Leaders should ask whether privileged role changes across IaaS, identity providers, Office Suite, and SaaS platforms are logged, reviewed, and tied to accountable change processes. This behavior directly affects incident containment, audit evidence, least-privilege programs, and the organization’s ability to prove that administrative access is controlled.

Technical view

SOC, cloud security, IAM, and IR teams should validate visibility into cloud role, policy, and administrator changes across supported platforms: IaaS, Identity Provider, Office Suite, and SaaS. The ATT&CK description specifically highlights IAM policy updates, adding global administrators in Office 365 environments, AWS CreatePolicyVersion, AWS AttachUserPolicy, and granting access to external accounts. Because no official ATT&CK detection text is provided, teams should use relationship context from DET0277 and build detections around role additions, policy attachment, policy version changes, privilege expansion on existing valid accounts, and role grants to accounts outside the tenant.

Likely telemetry

  • Cloud IAM audit logs for policy creation, policy version changes, role assignment, and policy attachment events
  • Identity provider audit logs for privileged role assignment and administrator changes
  • Office Suite / SaaS administrative audit logs for new admin roles or permission changes
  • Cloud control-plane API activity, including events comparable to CreatePolicyVersion and AttachUserPolicy where applicable
  • Account lifecycle and change-management records for created, modified, or deactivated accounts

Detection direction

  • Baseline normal privileged role assignment patterns and alert on rare, high-impact, or out-of-process changes.
  • Correlate role additions with recent account creation, compromised valid-account activity, or other malicious account activity, as ATT&CK notes this may follow Create Account or modification of Valid Accounts.
  • Prioritize alerts for privilege expansion that enables broad administrative access, password reset of other admins, lateral movement to additional accounts, or external account access into the tenant.
  • Tune for administrative false positives by requiring change-ticket, approver, actor, source location, and timing context rather than alerting on every legitimate role update equally.
  • Validate that detections cover both victim-owned accounts and adversary-controlled external accounts granted access into the tenant.
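Detection logic along the lines above, as an added example that is not MITRE's or Glexia's code: it scores CloudTrail-style IAM events for the AWS signals the description names (AttachUserPolicy, CreatePolicyVersion, inline policy writes), correlates a grant with a recent Create Account, and flags a role trust policy opened to an account outside the tenant. The event field names, the tenant account id, the 30-minute window and the sample events are constructed assumptions, not values from the page.

```python
# Added example (not MITRE's or Glexia's): flag T1098.003 signals in CloudTrail-style IAM events.
import json
from datetime import datetime, timedelta

TENANT = "111111111111"          # constructed victim account id (assumption)
WINDOW = timedelta(minutes=30)   # Create Account -> role grant correlation window
GRANTS = {"AttachUserPolicy", "PutUserPolicy", "CreatePolicyVersion", "UpdateAssumeRolePolicy"}

def _lst(v):  # IAM JSON allows a scalar or a list
    return v if isinstance(v, list) else [] if v is None else [v]
def _wildcard_allow(doc):  # any Allow statement granting Action '*' on Resource '*'
    return any(s.get("Effect") == "Allow" and "*" in _lst(s.get("Action"))
               and "*" in _lst(s.get("Resource")) for s in _lst(doc.get("Statement")))
def _external_accounts(doc):  # account ids in Principal.AWS that are not the tenant
    ids = {a.split(":")[4] if a.startswith("arn:") else a
           for s in _lst(doc.get("Statement"))
           for a in _lst((s.get("Principal") or {}).get("AWS"))}
    return ids - {TENANT}

def analyze(events):  # -> [(target, eventName, reasons)] for each suspicious grant
    created, findings = {}, []
    for e in sorted(events, key=lambda e: e["eventTime"]):
        p, t = e.get("requestParameters", {}), datetime.fromisoformat(e["eventTime"][:-1])
        target = p.get("userName") or p.get("roleName") or p.get("policyArn", "?")
        if e["eventName"] in ("CreateUser", "CreateRole"):
            created[target] = t  # remember for Create Account -> grant correlation
            continue
        if e["eventName"] not in GRANTS:
            continue
        doc = json.loads(p["policyDocument"]) if p.get("policyDocument") else {}
        reasons = []
        if p.get("policyArn", "").endswith("/AdministratorAccess"):
            reasons.append("AdministratorAccess attached")
        if e["eventName"] == "UpdateAssumeRolePolicy" and _external_accounts(doc):
            reasons.append("trusts external account(s): " + ",".join(sorted(_external_accounts(doc))))
        elif doc and _wildcard_allow(doc):  # inline policy or new managed-policy version
            reasons.append("policy grants */*" + (" as default version" if p.get("setAsDefault") else ""))
        if target in created and t - created[target] <= WINDOW:
            reasons.append("follows Create Account within window")
        if reasons:
            findings.append((target, e["eventName"], reasons))
    return findings
def ev(t, name, **params):  # one constructed CloudTrail-like event (field names approximate)
    return {"eventTime": t, "eventName": name, "requestParameters": params}
SAMPLE = [ev("2024-03-01T10:00:00Z", "CreateUser", userName="svc-backup"),
          ev("2024-03-01T10:05:00Z", "AttachUserPolicy", userName="svc-backup",
             policyArn="arn:aws:iam::aws:policy/AdministratorAccess"),
          ev("2024-03-01T11:00:00Z", "UpdateAssumeRolePolicy", roleName="OrgAdmin",
             policyDocument=json.dumps({"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                        "Principal": {"AWS": "arn:aws:iam::999999999999:root"}}]}))]
```

Running `analyze(SAMPLE)` yields two findings: the admin attach on the freshly created user and the trust policy opened to an outside account; a routine ReadOnlyAccess attach on a long-standing user produces none.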

Mitigation priorities

  • Enforce user account management controls for account creation, modification, review, and deactivation.
  • Apply privileged account management with RBAC, least privilege, limited administrative scope, and accountability for privileged role usage.
  • Require multi-factor authentication for critical cloud, SaaS, identity provider, and administrative access paths.
  • Regularly review privileged role assignments, IAM policies, policy versions, and external account grants for unnecessary or unauthorized permissions.
  • Integrate privileged role changes into incident response playbooks so responders can rapidly identify added roles, remove unauthorized permissions, and preserve audit evidence.

Analyst notes and limits

This sub-technique sits under Account Manipulation and is mapped to persistence and privilege escalation. Relationship context shows use by campaigns and groups including SolarWinds Compromise, C0027, LAPSUS$, Scattered Spider, and Storm-0501, but this take does not infer current activity or exposure. The practical defensive value is in confirming whether the organization can detect and govern privileged cloud role changes before they become durable attacker access.

Official ATT&CK detection guidance is not provided for this object, so detection recommendations are derived from the official description, platforms, tactics, external references, and the DET0277 relationship. Local cloud provider configuration, logging retention, identity architecture, and administrative change processes are required to determine actual coverage.

Official MITRE ATT&CK definition

Additional Cloud Roles

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain: Enterprise | ID: T1098 | Name: Account Manipulation | Relationship / procedure: this object is a sub-technique of Account Manipulation.
Associated objects

Groups, software, and campaigns

Group (Enterprise)

G1015: Scattered Spider

Scattered Spider is a native English-speaking cybercriminal group active since at least 2022.[1][2] The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors.[2] Scattered Spider relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and used ransomware for financial gain.[3][4][5] Scattered Spider has expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365.[6]

Group (Enterprise)

G1004: LAPSUS$

LAPSUS$ is a cybercriminal threat group that has been active since at least mid-2021. LAPSUS$ specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.[1][2][3]

Group (Enterprise)

G1053: Storm-0501

Storm-0501 is a financially motivated cybercriminal group that uses commodity and open-source tools to conduct ransomware operations. Storm-0501 has been active since 2021 and has previously been affiliated with Sabbath Ransomware and other Ransomware-as-a-Service (RaaS) variants such as Hive, BlackCat, Hunters International, LockBit 3.0, and Embargo ransomware.[1][2][3][4]

Campaign (Enterprise)

C0027: C0027

C0027 was a financially motivated campaign linked to Scattered Spider that targeted telecommunications and business process outsourcing (BPO) companies from at least June through December 2022. During C0027, Scattered Spider used various forms of social engineering, performed SIM swapping, and attempted to leverage access from victim environments to mobile carrier networks.[1]

Campaign (Enterprise)

C0024: SolarWinds Compromise

The SolarWinds Compromise was a sophisticated supply chain cyber operation conducted by APT29 that was discovered in mid-December 2020. APT29 used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. This activity has been labeled the StellarParticle campaign in industry reporting.[1] Industry reporting also initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, Dark Halo, and SolarStorm.[2][3][4][5][1][6][7][8]

In April 2021, the US and UK governments attributed the SolarWinds Compromise to Russia's Foreign Intelligence Service (SVR); public statements included citations to APT29, Cozy Bear, and The Dukes.[9][10][11] The US government assessed that of the approximately 18,000 affected public and private sector customers of SolarWinds’ Orion product, a much smaller number were compromised by follow-on APT29 activity on their systems.[12]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 2.5
Created:
Modified:
Raw hash: 466dca1fae249eb9...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 2.5 | | Current bundle | 466dca1fae24…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. AWS IAM Policies and Permissions: AWS. (n.d.). Policies and permissions in IAM. Retrieved April 1, 2022.
  2. Google Cloud IAM Policies: Google Cloud. (2022, March 31). Understanding policies. Retrieved April 1, 2022.
  3. Microsoft Support O365 Add Another Admin, October 2019: Microsoft. (n.d.). Add Another Admin. Retrieved October 18, 2019.
  4. Microsoft O365 Admin Roles: Ako-Adjei, K., Dickhaus, M., Baumgartner, P., Faigel, D., et al. (2019, October 8). About admin roles. Retrieved October 18, 2019.
  5. Expel AWS Attacker: Brian Bahtiarian, David Blanton, Britton Manahan and Kyle Pellett. (2022, April 5). Incident report: From CLI to console, chasing an attacker in AWS. Retrieved April 7, 2022.
  6. Rhino Security Labs AWS Privilege Escalation: Spencer Gietzen. (n.d.). AWS IAM Privilege Escalation – Methods and Mitigation. Retrieved May 27, 2022.
  7. Invictus IR DangerDev 2024: Invictus Incident Response. (2024, January 31). The curious case of DangerDev@protonmail.me. Retrieved March 19, 2024.
  8. mitre-attack T1098.003
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.