T1059.009 Elastic Security · Elastic

Detect Cloud API in Elastic Security

Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through CLIs (aws, az, gcloud), in-browser Cloud Shells, PowerShell modules, or SDKs. With proper permissions, adversaries may abuse cloud APIs to invoke functions across compute, storage, IAM, networking, and security services. APT29 has leveraged the Microsoft Graph API, TeamTNT has used AWS CLI with compromised credentials, and Storm-0501 has used cloud CLI for data exfiltration.

MITRE ATT&CK

Tactic: Execution
Technique: T1059 Command and Scripting Interpreter
Sub-technique: T1059.009 Cloud API
Canonical reference: https://attack.mitre.org/techniques/T1059/009/

Elastic Detection Query

Platform: Elastic Security (Elastic)
Query language: EQL
any where event.dataset in ("aws.cloudtrail", "azure.activitylogs", "azure.auditlogs") and
(
  event.action in (
    "CreateUser", "AttachUserPolicy", "CreateAccessKey",
    "CreateRole", "AssumeRole", "GetSessionToken",
    "PutBucketPolicy", "DeleteBucketPolicy",
    "CreateFunction", "UpdateFunctionCode",
    "RunInstances", "CreateKeyPair",
    "StopLogging", "DeleteTrail", "PutEventSelectors",
    "DisableGuardDuty", "DeleteDetector",
    "CreateGroup", "AddMemberToGroup"
  ) or
  event.action like~ "*roleDefinitions/write*" or
  event.action like~ "*roleAssignments/write*" or
  event.action like~ "*virtualMachines/write*"
)
Severity: high · Confidence: high

Detects suspicious cloud API calls across AWS and Azure environments indicating potential abuse for execution, privilege escalation, or defense evasion. Monitors IAM manipulation, security service disabling, and compute provisioning from cloud audit log sources ingested via Elastic Agent integrations. Covers the full T1059.009 kill chain from initial access through persistence.

Data Sources

  • AWS CloudTrail
  • Azure Activity Logs
  • Azure Audit Logs

Required Tables

  • logs-aws.cloudtrail-*
  • logs-azure.activitylogs-*
  • logs-azure.auditlogs-*

False Positives & Tuning

  • DevOps automation pipelines (GitHub Actions, GitLab CI, Jenkins) using dedicated IAM service accounts will generate CreateAccessKey, AssumeRole, and CreateFunction events at predictable intervals aligned with deployment schedules
  • Infrastructure-as-code tools (Terraform, AWS CDK, Pulumi) executing planned cloud resource provisioning will produce IAM role creation, Lambda function updates, and EC2 instance launches as expected change management activities
  • Cloud security posture management (CSPM) tools such as Prisma Cloud or Wiz using read-heavy API calls may co-occur with occasional write operations during automated remediation workflows
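
The query's matching logic and the allowlist-style tuning the notes above call for, re-implemented in Python as an added example (not Elastic's code and not part of the original page) so the rule can be exercised offline. It reproduces the dataset scope, the exact `event.action` list (EQL `in` is case-sensitive; `in~` is the case-insensitive form) and the case-insensitive wildcard semantics of `like~`. The ECS field names, the automation identities in the allowlist and the sample events are assumptions constructed for illustration.

```python
"""Evaluate the T1059.009 EQL rule's where-clause over sample ECS documents.

Added example, not Elastic's code: it re-implements the query's matching
logic in plain Python so the rule can be checked offline, and adds the
allowlist-style tuning the false-positive notes call for. The sample events
and the automation identities are constructed for illustration.
"""
import fnmatch

# event.dataset values the query is scoped to.
DATASETS = {"aws.cloudtrail", "azure.activitylogs", "azure.auditlogs"}

# Exact event.action values from the rule's `in (...)` list. EQL `in` is
# case-sensitive, so "createaccesskey" would not match (`in~` would).
ACTIONS = {
    "CreateUser", "AttachUserPolicy", "CreateAccessKey",
    "CreateRole", "AssumeRole", "GetSessionToken",
    "PutBucketPolicy", "DeleteBucketPolicy",
    "CreateFunction", "UpdateFunctionCode",
    "RunInstances", "CreateKeyPair",
    "StopLogging", "DeleteTrail", "PutEventSelectors",
    "DisableGuardDuty", "DeleteDetector",
    "CreateGroup", "AddMemberToGroup",
}

# Patterns from the rule's `like~` clauses; `like~` is a case-insensitive
# wildcard match, which the lowercasing below reproduces.
PATTERNS = ("*roleDefinitions/write*", "*roleAssignments/write*",
            "*virtualMachines/write*")


def matches_rule(event):
    """True when the document satisfies the EQL query's where-clause."""
    if event.get("event.dataset") not in DATASETS:
        return False
    action = event.get("event.action") or ""
    if action in ACTIONS:
        return True
    lowered = action.lower()
    return any(fnmatch.fnmatchcase(lowered, p.lower()) for p in PATTERNS)


# Constructed allowlist (hypothetical names) for the tuning notes above:
# identities whose write activity is expected CI/CD or IaC automation.
AUTOMATION_PRINCIPALS = {"terraform-deploy", "gha-deploy"}


def triage(events):
    """Split rule matches into alerts and allowlisted automation noise."""
    alerts, suppressed = [], []
    for ev in events:
        if not matches_rule(ev):
            continue
        bucket = suppressed if ev.get("user.name") in AUTOMATION_PRINCIPALS else alerts
        bucket.append(ev)
    return alerts, suppressed


# Constructed sample documents (field names follow ECS; not real telemetry).
SAMPLE_EVENTS = [
    {"event.dataset": "aws.cloudtrail", "event.action": "StopLogging",
     "user.name": "alice"},                              # alert
    {"event.dataset": "aws.cloudtrail", "event.action": "ListUsers",
     "user.name": "alice"},                              # read-only, no match
    {"event.dataset": "aws.cloudtrail", "event.action": "createaccesskey",
     "user.name": "alice"},                              # wrong case, no match
    {"event.dataset": "azure.activitylogs",
     "event.action": "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
     "user.name": "bob@example.com"},                    # like~ ignores case
    {"event.dataset": "azure.activitylogs",
     "event.action": "Microsoft.Authorization/roleAssignments/read",
     "user.name": "bob@example.com"},                    # read, no match
    {"event.dataset": "aws.cloudtrail", "event.action": "AssumeRole",
     "user.name": "terraform-deploy"},                   # allowlisted, suppressed
    {"event.dataset": "gcp.audit", "event.action": "CreateUser",
     "user.name": "carol"},                              # dataset out of scope
]

if __name__ == "__main__":
    found, quiet = triage(SAMPLE_EVENTS)
    for ev in found:
        print("ALERT     ", ev["event.dataset"], ev["event.action"], ev["user.name"])
    for ev in quiet:
        print("SUPPRESSED", ev["event.dataset"], ev["event.action"], ev["user.name"])
```

Two things the sample set makes visible: the `ListUsers` and `roleAssignments/read` calls exercised by Tests 1 and 2 in the Testing Methodology below are read operations outside the rule's action list, so they validate telemetry collection rather than this rule; and suppressing by identity keeps an allowlisted principal's `StopLogging` or `DeleteTrail` from alerting too, so in practice the allowlist should be narrowed to the actions a given pipeline is expected to perform.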

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: AWS IAM User Enumeration via CLI

    Expected signal: CloudTrail: ListUsers API call with source IP, user identity ARN, and user agent showing 'aws-cli'. The event will be logged regardless of success or failure.

  2. Test 2: Azure Role Assignment Enumeration

    Expected signal: Azure Activity Log: Microsoft.Authorization/roleAssignments/read operation. Sign-in log showing authentication event for the Azure CLI client.

  3. Test 3: AWS CloudTrail Status Check

    Expected signal: CloudTrail: GetTrailStatus API call. This read-only call is benign but its presence before StopLogging calls is a strong indicator pattern.
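
The GetTrailStatus-then-StopLogging pairing that Test 3 describes, implemented as a correlation over CloudTrail-style records. This is an added example, not part of the original page or Elastic's rule set: `StopLogging` already fires the rule above on its own, and this pairing is a triage enrichment that separates a tampering sequence from a lone status check. The 30-minute window, the ECS field names and the sample events are assumptions constructed for illustration.

```python
"""Correlate GetTrailStatus followed by StopLogging from the same identity.

Added example, not part of the original page or Elastic's rule set. Test 3
above notes that a read-only GetTrailStatus call preceding StopLogging is a
strong indicator pattern; this implements that pairing over CloudTrail-style
records so it can be surfaced at triage time. The 30-minute window, the ECS
field names used and the sample events are assumptions / constructed.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed correlation window


def _ts(event):
    """Parse the ISO 8601 @timestamp (with UTC offset) into a datetime."""
    return datetime.fromisoformat(event["@timestamp"])


def trail_tamper_sequences(events, window=WINDOW):
    """Return (identity, status_time, stop_time) for every StopLogging that
    the same identity preceded with GetTrailStatus within `window`.
    Input order is not assumed; events are sorted by timestamp first."""
    cloudtrail = (e for e in events if e.get("event.dataset") == "aws.cloudtrail")
    ordered = sorted(cloudtrail, key=_ts)
    last_status = {}  # identity -> timestamp of its latest GetTrailStatus
    hits = []
    for ev in ordered:
        ident, action, ts = ev["user.name"], ev["event.action"], _ts(ev)
        if action == "GetTrailStatus":
            last_status[ident] = ts
        elif action == "StopLogging":
            seen = last_status.get(ident)
            if seen is not None and ts - seen <= window:
                hits.append((ident, seen, ts))
    return hits


def _ev(ts, action, user):
    """Build a constructed CloudTrail-style ECS record."""
    return {"@timestamp": ts, "event.dataset": "aws.cloudtrail",
            "event.action": action, "user.name": user}


# Constructed sample telemetry (not real logs), deliberately out of order.
SAMPLE_EVENTS = [
    _ev("2024-01-01T12:02:00+00:00", "StopLogging", "alice"),   # 2 min after status check
    _ev("2024-01-01T12:00:00+00:00", "GetTrailStatus", "alice"),
    _ev("2024-01-01T12:05:00+00:00", "GetTrailStatus", "bob"),  # routine check, benign alone
    _ev("2024-01-01T15:00:00+00:00", "StopLogging", "bob"),     # outside the window
    _ev("2024-01-01T12:01:00+00:00", "StopLogging", "carol"),   # no preceding status call
]

if __name__ == "__main__":
    for ident, first, second in trail_tamper_sequences(SAMPLE_EVENTS):
        print(f"{ident}: GetTrailStatus at {first.isoformat()} "
              f"then StopLogging at {second.isoformat()}")
```

Only alice's pair is returned: bob's status check is a lone read and his StopLogging falls outside the window, and carol's StopLogging has no preceding GetTrailStatus (it still matches the rule above; it just lacks this enrichment). In production the same pairing is better expressed as an EQL `sequence` keyed on the identity field so that it runs inside Elastic rather than in a script.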
