Azure Add App Role Assignment To Service Principal
Grants an application role to a service principal, allowing it to act with that role's permissions within the application.
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.
Creates and registers a new application in Microsoft Entra ID, establishing an identity that can authenticate and request access tokens.
Adds a user as an eligible member for a privileged role in Azure PIM, allowing them to activate the role on demand.
Directly assigns a user or service principal to an Entra ID directory role, granting that role's permissions.
Adds an owner to an Entra ID application registration, granting them management rights over the application.
Adds an owner to a group, granting the ability to modify group membership for lateral movement.
Creates a new custom Azure RBAC role definition with specified allowed and denied actions.
Creates a service principal in Entra ID, representing the identity instance of an application within a tenant.
Creates a new user account in Microsoft Entra ID.
Adds an IAM policy binding to a GCP resource, granting a member (user, group, or service account) a specified role.
Adds a permission to a Lambda function's resource-based policy, allowing specified principals to invoke the function.
Adds an IAM user to a specified group, granting the user all permissions attached to that group.
Records an administrator registering authentication methods (e.g., MFA) on behalf of another user in Entra ID.
Associates an IAM instance profile with an EC2 instance, granting the instance permissions defined by the profile's IAM role.
Attaches a managed IAM policy to a group, granting all group members the permissions defined in that policy.
Attaches a managed IAM policy to an IAM role, granting the role the permissions defined in that policy.
Attaches a managed IAM policy directly to an IAM user, granting them the permissions defined in that policy.
Allows an IAM user to change their own AWS Management Console login password.
Sets the IAM policy on a Compute Engine persistent disk, controlling which principals have access to it.
Changes the service account attached to a Compute Engine instance, enabling privilege escalation via service account swap.
Records an admin or user granting an Entra ID application permission to access resources via an OAuth 2.0 consent grant.
Creates an access entry for an EKS cluster, granting an IAM principal Kubernetes API access via EKS access management.
Creates a new long-term access key for an IAM user, enabling programmatic access to AWS services.
Creates a Glue development endpoint providing SSH access into the Glue VPC with the Glue service role.
Creates a password for an IAM user, enabling them to sign into the AWS Management Console.
Creates a new managed IAM policy that can be attached to users, groups, or roles to define permissions.
Creates a new version of an IAM managed policy, which can optionally be set as the default active version.
Creates a new IAM role with a trust policy that defines which principals are permitted to assume it.
Creates a custom IAM role in GCP with a specified set of granular permissions.
Creates a service-linked IAM role that allows an AWS service to perform actions on your behalf.
Creates a new IAM user in the AWS account for programmatic or console-based access.
Creates a virtual MFA device that can be associated with an IAM user for multi-factor authentication.
Deletes a virtual MFA device, weakening account security by removing multi-factor authentication.
Re-enables a previously disabled GCP service account, restoring its ability to authenticate and make API calls.
Replaces the complete IAM policy for a GCP resource, controlling access for all principals.
Updates an existing custom IAM role, modifying its set of permitted permissions.
Creates or updates an Azure RBAC role assignment, granting a principal specific permissions on a resource or scope.
Adds or removes members from an Entra ID security group or Microsoft 365 group.
Assigns a user-assigned managed identity to an Azure resource, enabling it to authenticate to other Azure services.
Creates or updates an inline policy embedded directly in an IAM group.
Modifies a KMS key policy to grant cross-account access or expand key usage permissions.
Creates or updates an inline policy embedded directly in an IAM role.
Creates or updates an inline policy embedded directly in an IAM user.
Resets an Entra ID user's password through an administrative action.
Sets the default version of an IAM managed policy, changing which version of the policy is active for all attached entities.
Modifies an existing custom Azure RBAC role definition, updating its allowed or denied actions.
Changes the MFA or passwordless authentication methods registered for a user in Microsoft Entra ID.
Changes the status of an IAM user's access key between Active and Inactive.
Updates the trust policy of an IAM role, changing which principals are permitted to assume it.
Updates a Glue development endpoint, potentially injecting SSH public keys for unauthorized access.
Updates the console login password for an IAM user.