T1059.009 IBM QRadar · QRadar

Detect Cloud API in IBM QRadar

Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through CLIs (aws, az, gcloud), in-browser Cloud Shells, PowerShell modules, or SDKs. With proper permissions, adversaries may abuse cloud APIs to invoke functions across compute, storage, IAM, networking, and security services. APT29 has leveraged the Microsoft Graph API, TeamTNT has used AWS CLI with compromised credentials, and Storm-0501 has used cloud CLI for data exfiltration.

MITRE ATT&CK

Tactic
Execution
Technique
T1059 Command and Scripting Interpreter
Sub-technique
T1059.009 Cloud API
Canonical reference
https://attack.mitre.org/techniques/T1059/009/

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  QIDNAME(qid) AS "Event Action",
  username AS "Identity",
  sourceip AS "Source IP",
  CATEGORYNAME(category) AS "Category",
  LOGSOURCENAME(logsourceid) AS "Log Source",
  "deviceCustomString1" AS "Error Code",
  "deviceCustomString2" AS "AWS Region",
  UTF8(payload) AS "Raw Event"
FROM events
WHERE
  (
    LOGSOURCETYPENAME(logsourceid) ILIKE '%cloudtrail%'
    OR LOGSOURCETYPENAME(logsourceid) ILIKE '%azure activity%'
    OR LOGSOURCETYPENAME(logsourceid) ILIKE '%azure audit%'
  )
  AND (
    QIDNAME(qid) IN (
      'CreateUser', 'AttachUserPolicy', 'CreateAccessKey', 'CreateRole',
      'AssumeRole', 'GetSessionToken', 'PutBucketPolicy', 'DeleteBucketPolicy',
      'CreateFunction', 'UpdateFunctionCode', 'RunInstances', 'CreateKeyPair',
      'StopLogging', 'DeleteTrail', 'PutEventSelectors',
      'DeleteDetector', 'CreateGroup', 'AddMemberToGroup'
    )
    OR UTF8(payload) ILIKE '%roleDefinitions/write%'
    OR UTF8(payload) ILIKE '%roleAssignments/write%'
    OR UTF8(payload) ILIKE '%virtualMachines/write%'
  )
ORDER BY starttime DESC
LIMIT 500
LAST 1 DAYS
```
Severity
high
Confidence
medium

Detects high-risk cloud API operations in AWS CloudTrail and Azure Activity/Audit log sources in IBM QRadar. AWS event names are matched by resolving the QID name, which only works once the AWS CloudTrail DSM has mapped each eventName to a QID; an unmapped event resolves to a generic QID name and is silently missed, so verify the DSM event mapping for every name in the list before relying on the rule. Azure Resource Manager operations are matched by a case-insensitive substring search over the raw payload (roleDefinitions/write, roleAssignments/write, virtualMachines/write); this is a full payload scan and is comparatively expensive, so extract the operation name into a custom event property if the rule runs frequently. Coverage: IAM manipulation (user, access key, role and group creation, policy attachment, AssumeRole and GetSessionToken), security-control disabling (StopLogging, DeleteTrail, PutEventSelectors, and DeleteDetector for GuardDuty, which has no separate "disable" API) and compute provisioning (RunInstances, CreateKeyPair, CreateFunction, UpdateFunctionCode). The "Error Code" column matters: CloudTrail records denied calls as well, and a StopLogging or DeleteTrail attempt that failed with AccessDenied is still a strong signal. The double-quoted columns "deviceCustomString1" and "deviceCustomString2" are custom event properties and must exist in the deployment or the query fails to parse. In AQL the time-range clause (LAST 1 DAYS) is a top-level clause written at the end of the query, after ORDER BY and LIMIT; it is not a WHERE predicate.

Data Sources

AWS CloudTrail
Azure Activity Logs
Azure Audit Logs

Required Tables

events

False Positives & Tuning

  • CloudFormation, AWS CDK or Terraform stack deployments create IAM roles, Lambda functions and EC2 instances as planned changes; correlate against approved change tickets, or exclude the deployment pipeline's principal through a reference set so that only changes made outside the pipeline alert
  • Authorized cloud security assessments or penetration testing engagements that make administrative API calls from source IPs registered in the SOC allowlist
  • Service accounts of cloud inventory or billing tools (CloudHealth, Apptio Cloudability, AWS Cost Explorer automation). Their resource-discovery calls are mostly read-only (Describe*, List*, Get*) and are not matched by this rule; the exception is AssumeRole and GetSessionToken for cross-account discovery, which is best excluded by principal rather than by source IP
Testing Methodology

Validate this detection against three adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Note that all three tests are read-only API calls (ListUsers, roleAssignments/read, GetTrailStatus): none of them produces an event name or payload pattern in the rule's match list, so they verify that the log source is ingested and parsed, not that the rule fires. To exercise the rule itself, follow a test with one of the listed write operations in a lab account, for example a StopLogging call, which CloudTrail records even when IAM denies it.

  1. Test 1: AWS IAM User Enumeration via CLI

    Expected signal: CloudTrail: ListUsers API call with source IP, user identity ARN, and user agent showing 'aws-cli'. The event will be logged regardless of success or failure.

  2. Test 2: Azure Role Assignment Enumeration

    Expected signal: Azure Activity Log: Microsoft.Authorization/roleAssignments/read operation. Sign-in log showing authentication event for the Azure CLI client.

  3. Test 3: AWS CloudTrail Status Check

    Expected signal: CloudTrail: GetTrailStatus API call. This read-only call is benign but its presence before StopLogging calls is a strong indicator pattern.
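The match logic of the QRadar query, the tuning exclusions from the False Positives section, and the three tests above, replayed offline over constructed CloudTrail and Azure Activity records. This is an added example written for this page, not code from the detection page or from IBM QRadar: the record shapes follow CloudTrail and Azure Activity JSON, but every identity, IP address and allowlist value is invented, and the allowlists stand in for what would be QRadar reference sets. It shows which records the rule hits (StopLogging even when denied, roleAssignments/write via payload search), which it suppresses (an allowlisted pentest host, an inventory service account), and that the three read-only Atomic tests produce no hit at all.

```python
"""Offline re-implementation of the rule's match and tuning logic.
Added example; not from the detection page or QRadar. All values are made up."""
import json

# AWS eventName values the AQL matches via QIDNAME(qid) IN (...).
AWS_EVENT_NAMES = {
    "CreateUser", "AttachUserPolicy", "CreateAccessKey", "CreateRole",
    "AssumeRole", "GetSessionToken", "PutBucketPolicy", "DeleteBucketPolicy",
    "CreateFunction", "UpdateFunctionCode", "RunInstances", "CreateKeyPair",
    "StopLogging", "DeleteTrail", "PutEventSelectors", "DeleteDetector",
    "CreateGroup", "AddMemberToGroup",
}
# Azure Resource Manager operation fragments the AQL matches with ILIKE on payload.
AZURE_OPERATION_FRAGMENTS = ("roleDefinitions/write", "roleAssignments/write",
                             "virtualMachines/write")
# Tuning allowlists (hypothetical; in QRadar these would be reference sets).
ALLOWED_SOURCE_IPS = {"203.0.113.10"}         # registered pentest host
ALLOWED_IDENTITIES = {"svc-cloud-inventory"}  # cross-account inventory automation


def normalize(record):
    """Reduce a raw record to the columns the AQL SELECTs. A record that is
    neither CloudTrail nor Azure Activity returns None, the analogue of an
    event the DSM did not parse."""
    if "eventName" in record:                       # CloudTrail
        ident = record.get("userIdentity", {})
        return {"event_name": record["eventName"],   # what QIDNAME(qid) resolves to
                "identity": ident.get("userName") or ident.get("arn"),
                "source_ip": record.get("sourceIPAddress"),
                "error_code": record.get("errorCode"),  # denied calls are still logged
                "payload": json.dumps(record)}
    if "operationName" in record:                   # Azure Activity (ARM)
        return {"event_name": None,                  # no QID mapping assumed
                "identity": record.get("caller"),
                "source_ip": record.get("httpRequest", {}).get("clientIpAddress"),
                "error_code": None,
                "payload": json.dumps(record)}
    return None


def matches_rule(ev):
    """Return the reason the rule would fire, or None. Same two branches as
    the AQL: event-name membership, then case-insensitive payload search."""
    if ev["event_name"] in AWS_EVENT_NAMES:
        return "eventName=" + ev["event_name"]
    payload = ev["payload"].lower()
    for fragment in AZURE_OPERATION_FRAGMENTS:
        if fragment.lower() in payload:
            return "payload contains " + fragment
    return None


def is_allowlisted(ev):
    """Tuning step: drop registered assessment hosts and known automation identities."""
    return ev["source_ip"] in ALLOWED_SOURCE_IPS or ev["identity"] in ALLOWED_IDENTITIES


def run_rule(records):
    """normalize -> match -> tune; returns the hits an analyst would see."""
    hits = []
    for rec in records:
        ev = normalize(rec)
        if ev is None:
            continue
        reason = matches_rule(ev)
        if reason and not is_allowlisted(ev):
            hits.append({"identity": ev["identity"], "source_ip": ev["source_ip"],
                         "error_code": ev["error_code"], "reason": reason})
    return hits


# Constructed records: shapes follow CloudTrail / Azure Activity JSON, values are invented.
SAMPLE_RECORDS = [
    # Atomic test 1: read-only ListUsers from aws-cli; not in the match list.
    {"eventName": "ListUsers", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0"},
    # Atomic test 3: GetTrailStatus, the benign precursor to StopLogging.
    {"eventName": "GetTrailStatus", "userIdentity": {"type": "IAMUser", "userName": "mallory"},
     "sourceIPAddress": "198.51.100.8"},
    # StopLogging denied by IAM: still recorded, with errorCode, and still a hit.
    {"eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "mallory"},
     "sourceIPAddress": "198.51.100.8", "errorCode": "AccessDenied"},
    # CreateAccessKey from the registered pentest host: matched, then suppressed.
    {"eventName": "CreateAccessKey", "userIdentity": {"type": "IAMUser", "userName": "pentester"},
     "sourceIPAddress": "203.0.113.10"},
    # AssumeRole by the inventory service account: matched, then suppressed.
    {"eventName": "AssumeRole", "userIdentity": {"type": "IAMUser", "userName": "svc-cloud-inventory"},
     "sourceIPAddress": "198.51.100.20"},
    # Atomic test 2: roleAssignments/read; the rule only matches the write operations.
    {"operationName": {"value": "Microsoft.Authorization/roleAssignments/read"},
     "caller": "bob@example.com", "httpRequest": {"clientIpAddress": "198.51.100.9"}},
    # Role assignment write: caught by the payload pattern, not by a QID.
    {"operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
     "caller": "bob@example.com", "httpRequest": {"clientIpAddress": "198.51.100.9"}},
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_RECORDS):
        print(hit)
```

Running the block prints two hits, the denied StopLogging and the Azure role-assignment write; the two allowlisted records and the three read-only test records are dropped. Swapping `normalize` for a deliberately unmapped record (no `eventName` key) shows the QID-mapping caveat: the record is skipped entirely rather than evaluated.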
