Create Account

Sub-techniques (1)

ID	Name
T1136.003	Create Cloud Account

MITRE ATT&CK Content

A threat actor using credentials with appropriate permissions is able to create an account within an AWS organization that will use the payment method registered to the management or payer account. The theat actor will then be able to create resources and workloads within the newly created account that may not be subject to existing detections. By default, Service Control Policies are not assigned to new accounts during the creation of the account within an organization.

References

mitre-attack
Microsoft User Creation Event
Symantec WastedLocker June 2020

Technique Information

ID: T1136

Aliases: T1136

Sub-techniques:

T1136.003

Tactics:

Persistence

Platforms:

Windows
Azure AD
Office 365
IaaS
Linux
macOS
Google Workspace
Network
Containers
SaaS
Amazon Web Services (AWS)

Created: 12 Sep 2024

Last Modified: 03 Jun 2025