Detect Cloud API in Google Chronicle
Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through CLIs (aws, az, gcloud), in-browser Cloud Shells, PowerShell modules, or SDKs. With proper permissions, adversaries may abuse cloud APIs to invoke functions across compute, storage, IAM, networking, and security services. APT29 has leveraged the Microsoft Graph API, TeamTNT has used AWS CLI with compromised credentials, and Storm-0501 has used cloud CLI for data exfiltration.
MITRE ATT&CK
- Tactic: Execution
- Technique: T1059 Command and Scripting Interpreter
- Sub-technique: T1059.009 Cloud API
- Canonical reference: https://attack.mitre.org/techniques/T1059/009/
YARA-L Detection Query

```yaral
rule suspicious_cloud_api_abuse_t1059_009 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects suspicious cloud API calls indicative of T1059.009 abuse covering IAM manipulation, security control disabling, and compute provisioning via AWS and Azure provider APIs"
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1059.009"
    severity = "HIGH"
    confidence = "HIGH"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1059/009/"

  events:
    // Restrict to the AWS and Azure audit log sources this rule is tuned for
    (
      $e.metadata.product_name = "AWS CloudTrail" or
      $e.metadata.product_name = "Azure Activity" or
      $e.metadata.product_name = "Azure Audit"
    )
    // Case-insensitive match covers AWS CamelCase event names and Azure ARM operation paths
    re.regex($e.target.resource.name,
      `(?i)(CreateUser|AttachUserPolicy|CreateAccessKey|CreateRole|AssumeRole|GetSessionToken|PutBucketPolicy|DeleteBucketPolicy|CreateFunction|UpdateFunctionCode|RunInstances|CreateKeyPair|StopLogging|DeleteTrail|PutEventSelectors|DisableGuardDuty|DeleteDetector|CreateGroup|AddMemberToGroup|roleDefinitions/write|roleAssignments/write|virtualMachines/write)`
    )
    $e.principal.ip = $src_ip
    $e.principal.user.userid = $actor

  condition:
    $e
}
```

Chronicle YARA-L 2.0 rule detecting suspicious cloud API operations across AWS CloudTrail and Azure audit log sources ingested into Google Chronicle. It uses the UDM target.resource.name field to match high-risk API actions across IAM manipulation, security service disabling, and compute resource creation. Case-insensitive regex matching handles both AWS CamelCase event names and Azure lowercase ARM operation paths.
Data Sources
Required Tables
False Positives & Tuning
- Authorized cloud infrastructure automation using service accounts with broad permissions: Terraform pipelines that create roles and deploy Lambda functions generate expected IAM events, which should be excluded via an allowlist on principal.user.userid
- Cloud security posture management tools with automated remediation capabilities may legitimately invoke StopLogging or modify role policies as part of auto-fix workflows triggered by compliance violations
- AWS Organizations management accounts performing bulk cross-account role assignments during onboarding of new member accounts will produce high-volume legitimate roleAssignments/write and CreateRole events
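As an added example that is not part of the page's detection package, the following Python replays the rule's events/condition logic (product filter, case-insensitive regex on target.resource.name) together with the principal.user.userid allowlist tuning described above, over constructed UDM-shaped events. The allowlisted ARN, account ids, addresses and user ids are all invented sample values.

```python
import re
from typing import Optional

# Same case-insensitive pattern and product filter as the page's YARA-L rule.
HIGH_RISK_API_RE = re.compile(
    r"(?i)(CreateUser|AttachUserPolicy|CreateAccessKey|CreateRole|AssumeRole|"
    r"GetSessionToken|PutBucketPolicy|DeleteBucketPolicy|CreateFunction|"
    r"UpdateFunctionCode|RunInstances|CreateKeyPair|StopLogging|DeleteTrail|"
    r"PutEventSelectors|DisableGuardDuty|DeleteDetector|CreateGroup|"
    r"AddMemberToGroup|roleDefinitions/write|roleAssignments/write|"
    r"virtualMachines/write)"
)
MONITORED_PRODUCTS = {"AWS CloudTrail", "Azure Activity", "Azure Audit"}

# Constructed allowlist of automation identities (the principal.user.userid
# tuning from the False Positives section); the ARN below is invented.
ALLOWLISTED_ACTORS = {"arn:aws:sts::111122223333:assumed-role/terraform-deploy/ci"}

def evaluate(event: dict) -> Optional[dict]:
    """Apply the rule's events/condition logic to one UDM-shaped event dict.
    Returns the would-be detection fields, or None if the event does not fire."""
    if event.get("metadata", {}).get("product_name") not in MONITORED_PRODUCTS:
        return None
    name = event.get("target", {}).get("resource", {}).get("name", "")
    match = HIGH_RISK_API_RE.search(name)
    if not match:
        return None
    actor = event.get("principal", {}).get("user", {}).get("userid", "")
    if actor in ALLOWLISTED_ACTORS:  # false-positive suppression
        return None
    return {"actor": actor, "src_ip": event["principal"].get("ip"), "api": match.group(1)}

def udm(product, name, userid, ip):
    """Build a minimal UDM-shaped event (constructed sample data)."""
    return {"metadata": {"product_name": product},
            "target": {"resource": {"name": name}},
            "principal": {"user": {"userid": userid}, "ip": ip}}

# Constructed sample events covering each branch: fires, fires via lowercase
# Azure ARM path, suppressed by allowlist, read-only API, unmonitored product.
SAMPLE_EVENTS = [
    udm("AWS CloudTrail", "StopLogging", "arn:aws:iam::111122223333:user/contractor", "203.0.113.7"),
    udm("Azure Activity", "microsoft.compute/virtualmachines/write", "svc-deploy@example.com", "198.51.100.9"),
    udm("AWS CloudTrail", "CreateRole", "arn:aws:sts::111122223333:assumed-role/terraform-deploy/ci", "192.0.2.4"),
    udm("AWS CloudTrail", "ListUsers", "arn:aws:iam::111122223333:user/contractor", "203.0.113.7"),
    udm("Okta", "CreateUser", "admin@example.com", "203.0.113.7"),
]

def run(events):
    """Return detections for every event that would satisfy the rule."""
    return [d for d in (evaluate(e) for e in events) if d is not None]
```

Running `run(SAMPLE_EVENTS)` yields two detections (the StopLogging call and the lowercase Azure virtualmachines/write operation); the Terraform role creation, the read-only ListUsers call and the non-AWS/Azure event are all dropped.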
Other platforms for T1059.009
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: AWS IAM User Enumeration via CLI
  Expected signal: CloudTrail ListUsers API call with source IP, user identity ARN, and a user agent showing 'aws-cli'. The event is logged regardless of success or failure.
- Test 2: Azure Role Assignment Enumeration
  Expected signal: Azure Activity Log Microsoft.Authorization/roleAssignments/read operation, plus a sign-in log entry showing the authentication event for the Azure CLI client.
- Test 3: AWS CloudTrail Status Check
  Expected signal: CloudTrail GetTrailStatus API call. This read-only call is benign on its own, but its appearance shortly before StopLogging calls is a strong indicator pattern.
References (6)
- https://attack.mitre.org/techniques/T1059/009/
- https://github.com/Azure/azure-powershell
- https://docs.aws.amazon.com/cli/latest/reference/
- https://cloud.google.com/sdk/gcloud/reference
- https://github.com/RhinoSecurityLabs/pacu
- https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/