Detect Cloud API in CrowdStrike LogScale
Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through CLIs (aws, az, gcloud), in-browser Cloud Shells, PowerShell modules, or SDKs. With proper permissions, adversaries may abuse cloud APIs to invoke functions across compute, storage, IAM, networking, and security services. APT29 has leveraged the Microsoft Graph API, TeamTNT has used AWS CLI with compromised credentials, and Storm-0501 has used cloud CLI for data exfiltration.
MITRE ATT&CK
- Tactic: Execution
- Technique: T1059 Command and Scripting Interpreter
- Sub-technique: T1059.009 Cloud API
- Canonical reference: https://attack.mitre.org/techniques/T1059/009/
LogScale Detection Query
#kind = "CloudAuditActivity"
| eventName != ""
| eventName = /CreateUser|AttachUserPolicy|CreateAccessKey|CreateRole|AssumeRole|GetSessionToken|PutBucketPolicy|DeleteBucketPolicy|CreateFunction|UpdateFunctionCode|RunInstances|CreateKeyPair|StopLogging|DeleteTrail|PutEventSelectors|DisableGuardDuty|DeleteDetector|CreateGroup|AddMemberToGroup/
// LogScale case{} takes "condition | statement" branches; each branch sets the flag field
| case {
    eventName = /CreateUser|AttachUserPolicy|CreateAccessKey|CreateRole/ | iamChange := 1 ;
    * | iamChange := 0
  }
| case {
    eventName = /StopLogging|DeleteTrail|PutEventSelectors|DisableGuardDuty|DeleteDetector/ | securityDisable := 1 ;
    * | securityDisable := 0
  }
| case {
    eventName = /AssumeRole|AttachUserPolicy/ | privEsc := 1 ;
    * | privEsc := 0
  }
| case {
    eventName = /RunInstances|CreateFunction|UpdateFunctionCode/ | computeCreate := 1 ;
    * | computeCreate := 0
  }
| suspicionScore := iamChange * 2 + securityDisable * 3 + privEsc * 2 + computeCreate
| suspicionScore > 0
| groupBy(
    [eventName, userIdentity, sourceIPAddress, awsRegion, cloudProvider],
    function=[
      count(as=eventCount),
      max(field=suspicionScore, as=maxScore),
      collect([errorCode], limit=10)
    ]
  )
| sort(maxScore, order=desc)

CrowdStrike LogScale query detecting suspicious cloud API activity from Falcon Horizon cloud audit telemetry ingested via the Falcon Cloud Security module. Implements weighted suspicion scoring equivalent to the Splunk detection: security control disabling scores highest (3x weight), IAM changes and privilege escalation score 2x, and compute provisioning scores 1x. Results are grouped by actor identity and API action to surface high-frequency abuse patterns and reveal the full scope of activity per identity.
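The scoring and grouping of the query above, re-implemented in Python as an added example (not part of the original page and not CrowdStrike's or LogScale's own code) so the weights can be checked offline before the query is deployed. The input records are constructed CloudTrail-style dictionaries; the field names follow the query, and the `allowed_identities` allowlist is an assumption that mirrors the userIdentity tuning suggested below.

```python
"""Weighted suspicion scoring for cloud audit events (added example)."""
import re
from collections import defaultdict

# Event-name groups and their weights, mirroring the case blocks of the query.
# LogScale's `field = /regex/` is an unanchored match, so re.search is used here.
IAM_CHANGE = re.compile(r"CreateUser|AttachUserPolicy|CreateAccessKey|CreateRole")
SECURITY_DISABLE = re.compile(
    r"StopLogging|DeleteTrail|PutEventSelectors|DisableGuardDuty|DeleteDetector")
PRIV_ESC = re.compile(r"AssumeRole|AttachUserPolicy")
COMPUTE_CREATE = re.compile(r"RunInstances|CreateFunction|UpdateFunctionCode")
WATCHLIST = re.compile(
    r"CreateUser|AttachUserPolicy|CreateAccessKey|CreateRole|AssumeRole|GetSessionToken"
    r"|PutBucketPolicy|DeleteBucketPolicy|CreateFunction|UpdateFunctionCode|RunInstances"
    r"|CreateKeyPair|StopLogging|DeleteTrail|PutEventSelectors|DisableGuardDuty"
    r"|DeleteDetector|CreateGroup|AddMemberToGroup")

GROUP_FIELDS = ("eventName", "userIdentity", "sourceIPAddress", "awsRegion", "cloudProvider")


def suspicion_score(event_name):
    """Weighted score for one API call: 0 unless the name is on the watchlist.

    Weights follow the query: IAM change 2, security-control disable 3,
    privilege escalation 2, compute provisioning 1. A name can fall into more
    than one group (AttachUserPolicy is both an IAM change and a privilege
    escalation step), in which case the weights add up.
    """
    if not event_name or not WATCHLIST.search(event_name):
        return 0
    iam_change = 1 if IAM_CHANGE.search(event_name) else 0
    security_disable = 1 if SECURITY_DISABLE.search(event_name) else 0
    priv_esc = 1 if PRIV_ESC.search(event_name) else 0
    compute_create = 1 if COMPUTE_CREATE.search(event_name) else 0
    return iam_change * 2 + security_disable * 3 + priv_esc * 2 + compute_create


def group_events(events, allowed_identities=frozenset()):
    """Score each event, keep score > 0, and group like the query's groupBy().

    One row per (eventName, userIdentity, sourceIPAddress, awsRegion,
    cloudProvider) with eventCount, maxScore and up to 10 collected errorCode
    values. `allowed_identities` (assumed helper) suppresses known automation
    identities, as the tuning notes suggest. Rows are sorted by maxScore, highest first.
    """
    groups = defaultdict(lambda: {"eventCount": 0, "maxScore": 0, "errorCode": []})
    for ev in events:
        score = suspicion_score(ev.get("eventName"))
        if score <= 0 or ev.get("userIdentity") in allowed_identities:
            continue
        key = tuple(ev.get(f) for f in GROUP_FIELDS)
        row = groups[key]
        row["eventCount"] += 1
        row["maxScore"] = max(row["maxScore"], score)
        if "errorCode" in ev and len(row["errorCode"]) < 10:
            row["errorCode"].append(ev["errorCode"])
    rows = [dict(zip(GROUP_FIELDS, key), **vals) for key, vals in groups.items()]
    rows.sort(key=lambda r: r["maxScore"], reverse=True)
    return rows


# Constructed sample telemetry (not real events): a user who first fails, then
# succeeds at attaching a policy and stops CloudTrail logging, plus a deployment
# role that launches an instance.
DEV_USER = "arn:aws:iam::111111111111:user/dev-alice"
DEPLOY_ROLE = "arn:aws:sts::111111111111:assumed-role/ci-deploy/build-42"
SAMPLE_EVENTS = [
    {"eventName": "ListUsers", "userIdentity": DEV_USER, "sourceIPAddress": "203.0.113.10",
     "awsRegion": "us-east-1", "cloudProvider": "aws"},
    {"eventName": "AttachUserPolicy", "userIdentity": DEV_USER, "sourceIPAddress": "203.0.113.10",
     "awsRegion": "us-east-1", "cloudProvider": "aws", "errorCode": "AccessDenied"},
    {"eventName": "AttachUserPolicy", "userIdentity": DEV_USER, "sourceIPAddress": "203.0.113.10",
     "awsRegion": "us-east-1", "cloudProvider": "aws"},
    {"eventName": "StopLogging", "userIdentity": DEV_USER, "sourceIPAddress": "203.0.113.10",
     "awsRegion": "us-east-1", "cloudProvider": "aws"},
    {"eventName": "RunInstances", "userIdentity": DEPLOY_ROLE, "sourceIPAddress": "198.51.100.7",
     "awsRegion": "us-east-1", "cloudProvider": "aws"},
]

if __name__ == "__main__":
    for row in group_events(SAMPLE_EVENTS):
        print(row["maxScore"], row["eventCount"], row["eventName"],
              row["userIdentity"], row["errorCode"])
```

Two things the re-implementation makes visible that the query text does not state outright: AttachUserPolicy sits in both the IAM-change and privilege-escalation groups and so scores 4, above StopLogging at 3; and the names that are on the watchlist but in no weighted group (GetSessionToken, PutBucketPolicy, DeleteBucketPolicy, CreateKeyPair, CreateGroup, AddMemberToGroup) score 0 and are dropped by `suspicionScore > 0`, so they need a weight of their own if they are meant to surface.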
Data Sources
Required Tables
False Positives & Tuning
- Falcon Horizon reports legitimate AssumeRole events from cross-account access patterns used by centralized security tooling or AWS Organizations management accounts — add these known role ARNs to a suppression list in the Falcon console
- Automated remediation rules in Falcon Cloud Security may themselves trigger RunInstances or UpdateFunctionCode API calls when auto-remediating misconfigurations, creating feedback loop detections that should be filtered by the Falcon service principal identity
- CI/CD pipeline service accounts with overly broad IAM permissions generate IAM-related API calls during normal deployment cycles — apply allowlisting on userIdentity for known deployment automation accounts to reduce noise
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: AWS IAM User Enumeration via CLI
Expected signal: CloudTrail: ListUsers API call with source IP, user identity ARN, and user agent showing 'aws-cli'. The event will be logged regardless of success or failure.
- Test 2: Azure Role Assignment Enumeration
Expected signal: Azure Activity Log: Microsoft.Authorization/roleAssignments/read operation. Sign-in log showing authentication event for the Azure CLI client.
- Test 3: AWS CloudTrail Status Check
Expected signal: CloudTrail: GetTrailStatus API call. This read-only call is benign but its presence before StopLogging calls is a strong indicator pattern.
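The precursor pattern named in Test 3 (a read-only GetTrailStatus call shortly before StopLogging from the same identity), written out as a small sequence check. This is an added example, not part of the original page or its test package; it runs over constructed CloudTrail-style records, and the field names (eventTime, eventName, userIdentity) and the 30-minute window are assumptions.

```python
"""Precursor check: GetTrailStatus followed by StopLogging from one identity (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta


def status_then_stop(events, window=timedelta(minutes=30)):
    """Return (userIdentity, status_time, stop_time) for each StopLogging call
    that the same identity preceded with GetTrailStatus inside `window`.

    Events are sorted per identity first, so ingestion order does not matter.
    The window is an assumed tuning value, not something the page specifies.
    """
    timeline = defaultdict(list)
    for ev in events:
        timeline[ev["userIdentity"]].append(
            (datetime.fromisoformat(ev["eventTime"]), ev["eventName"]))
    hits = []
    for identity, calls in timeline.items():
        calls.sort()
        last_status = None
        for ts, name in calls:
            if name == "GetTrailStatus":
                last_status = ts
            elif name == "StopLogging" and last_status is not None and ts - last_status <= window:
                hits.append((identity, last_status.isoformat(), ts.isoformat()))
                last_status = None  # one status check is paired with one stop
    return hits


# Constructed sample events (not real telemetry). Alice's two calls arrive out
# of order; Bob stops logging without a status check; Carol's status check is
# hours earlier than her StopLogging, outside the default window.
ALICE = "arn:aws:iam::111111111111:user/dev-alice"
BOB = "arn:aws:iam::111111111111:user/ops-bob"
CAROL = "arn:aws:iam::111111111111:user/sec-carol"
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:05:00+00:00", "eventName": "StopLogging", "userIdentity": ALICE},
    {"eventTime": "2024-05-01T10:00:00+00:00", "eventName": "GetTrailStatus", "userIdentity": ALICE},
    {"eventTime": "2024-05-01T11:00:00+00:00", "eventName": "StopLogging", "userIdentity": BOB},
    {"eventTime": "2024-05-01T07:00:00+00:00", "eventName": "GetTrailStatus", "userIdentity": CAROL},
    {"eventTime": "2024-05-01T12:00:00+00:00", "eventName": "StopLogging", "userIdentity": CAROL},
]

if __name__ == "__main__":
    for hit in status_then_stop(SAMPLE_EVENTS):
        print(hit)
```

Only Alice is reported with the default window; Bob's StopLogging still scores in the main query on its own, and Carol's pair surfaces only if the window is widened, which is the trade-off to weigh when tuning this kind of sequence rule.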
References (6)
- https://attack.mitre.org/techniques/T1059/009/
- https://github.com/Azure/azure-powershell
- https://docs.aws.amazon.com/cli/latest/reference/
- https://cloud.google.com/sdk/gcloud/reference
- https://github.com/RhinoSecurityLabs/pacu
- https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/
Unlock Pro Content
Get the full detection package for T1059.009 including response playbook, investigation guide, and atomic red team tests.