Detect Cloud API in Microsoft Sentinel
Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through CLIs (aws, az, gcloud), in-browser Cloud Shells, PowerShell modules, or SDKs. With proper permissions, adversaries may abuse cloud APIs to invoke functions across compute, storage, IAM, networking, and security services. APT29 has leveraged the Microsoft Graph API, TeamTNT has used AWS CLI with compromised credentials, and Storm-0501 has used cloud CLI for data exfiltration.
MITRE ATT&CK
- Tactic: Execution
- Technique: T1059 Command and Scripting Interpreter
- Sub-technique: T1059.009 Cloud API
- Canonical reference: https://attack.mitre.org/techniques/T1059/009/
KQL Detection Query
// AWS control-plane calls worth review: IAM manipulation, credential minting,
// bucket policy changes, code/compute creation, and logging or detection tampering.
// Names are CloudTrail EventName values. GuardDuty has no "DisableGuardDuty" API;
// UpdateDetector with Enable=false (or DeleteDetector) is what turns it off.
let AwsSuspiciousApis = dynamic([
    "CreateUser", "AttachUserPolicy", "CreateAccessKey", "CreateGroup", "AddUserToGroup",
    "CreateRole", "AssumeRole", "GetSessionToken",
    "PutBucketPolicy", "DeleteBucketPolicy",
    "CreateFunction", "UpdateFunctionCode",
    "RunInstances", "CreateKeyPair",
    "StopLogging", "DeleteTrail", "PutEventSelectors",
    "UpdateDetector", "DeleteDetector"
]);
// Microsoft Entra ID directory operations. AuditLogs.OperationName carries the
// activity display name ("Add member to group"), not a Graph API method name.
let EntraSuspiciousOps = dynamic([
    "Add user", "Add group", "Add member to group", "Add member to role", "Invite external user"
]);
// Azure Resource Manager operations as they appear in AzureActivity.OperationNameValue
// (the value is often upper-cased, hence the case-insensitive match below).
let AzureRmSuspiciousOps = dynamic([
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Compute/virtualMachines/write"
]);
let lookback = 24h;
// Each source is normalised to one schema before the union; projecting the raw
// AuditLogs column names after a union with AzureActivity and AWSCloudTrail would
// leave Actor, SourceIp and Outcome empty for the other providers.
let EntraEvents = AuditLogs
    | where TimeGenerated > ago(lookback)
    | where OperationName in~ (EntraSuspiciousOps)
    | extend Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName)),
             SourceIp = tostring(InitiatedBy.user.ipAddress)
    | project TimeGenerated, Provider = "Azure", Source = "AuditLogs", Operation = OperationName,
              Actor, SourceIp, Outcome = Result, Details = ResultDescription;
let AzureRmEvents = AzureActivity
    | where TimeGenerated > ago(lookback)
    | where OperationNameValue in~ (AzureRmSuspiciousOps)
    | project TimeGenerated, Provider = "Azure", Source = "AzureActivity", Operation = OperationNameValue,
              Actor = Caller, SourceIp = CallerIpAddress, Outcome = ActivityStatusValue, Details = tostring(Properties);
let AwsEvents = AWSCloudTrail
    | where TimeGenerated > ago(lookback)
    | where EventName in (AwsSuspiciousApis)
    // Assumed-role calls are usually IaC or CI/CD automation; keep them only when they failed.
    | where UserIdentityType != "AssumedRole" or isnotempty(ErrorCode)
    | project TimeGenerated, Provider = "AWS", Source = "AWSCloudTrail", Operation = EventName,
              Actor = UserIdentityArn, SourceIp = SourceIpAddress,
              Outcome = iff(isempty(ErrorCode), "Success", ErrorCode), Details = coalesce(ErrorMessage, UserAgent);
union EntraEvents, AzureRmEvents, AwsEvents
| sort by TimeGenerated desc
Detects suspicious cloud API calls across Azure (AuditLogs for Microsoft Entra ID, AzureActivity for Azure Resource Manager) and AWS (AWSCloudTrail) in Microsoft Sentinel. It identifies IAM manipulation (user, group and role creation, policy attachment, access key creation), disabling of security telemetry (CloudTrail, GuardDuty), compute and function creation, and privilege escalation via role assignments. GCP is not covered by this query; a GCP audit-log source would have to be normalised to the same schema and added to the union.
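The same watchlist-and-normalise logic as the query above, re-implemented in Python so it can be exercised offline against constructed records. This is an added example, not code from the original page: the field names follow the Sentinel tables AuditLogs, AzureActivity and AWSCloudTrail, the sample records are constructed for the example, and the watchlists (Entra activity display names, the GuardDuty UpdateDetector call) are the editor's assumptions, not part of the original rule. It includes the assumed-role exception so the effect of that tuning choice is visible.

```python
# Added example: offline re-implementation of the Sentinel detection logic.
# Records below are constructed for this example, not real telemetry.
from dataclasses import dataclass
from typing import Optional

AWS_SUSPICIOUS_APIS = {
    "CreateUser", "AttachUserPolicy", "CreateAccessKey", "CreateGroup", "AddUserToGroup",
    "CreateRole", "AssumeRole", "GetSessionToken", "PutBucketPolicy", "DeleteBucketPolicy",
    "CreateFunction", "UpdateFunctionCode", "RunInstances", "CreateKeyPair",
    "StopLogging", "DeleteTrail", "PutEventSelectors", "UpdateDetector", "DeleteDetector",
}
# Entra audit activity display names (assumption: matched case-insensitively like KQL in~).
ENTRA_SUSPICIOUS_OPS = {op.lower() for op in (
    "Add user", "Add group", "Add member to group", "Add member to role", "Invite external user")}
# ARM operation names; AzureActivity often upper-cases them, so compare lower-cased.
AZURE_RM_SUSPICIOUS_OPS = {op.lower() for op in (
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Compute/virtualMachines/write")}


@dataclass(frozen=True)
class Finding:
    provider: str
    source: str
    operation: str
    actor: str
    source_ip: str
    outcome: str


def from_audit_logs(rec: dict) -> Optional[Finding]:
    """Microsoft Entra ID directory audit record (Sentinel AuditLogs)."""
    if rec.get("OperationName", "").lower() not in ENTRA_SUSPICIOUS_OPS:
        return None
    initiated = rec.get("InitiatedBy", {})
    user, app = initiated.get("user") or {}, initiated.get("app") or {}
    actor = user.get("userPrincipalName") or app.get("displayName") or ""
    return Finding("Azure", "AuditLogs", rec["OperationName"], actor,
                   user.get("ipAddress", ""), rec.get("Result", ""))


def from_azure_activity(rec: dict) -> Optional[Finding]:
    """Azure Resource Manager activity record (Sentinel AzureActivity)."""
    op = rec.get("OperationNameValue", "")
    if op.lower() not in AZURE_RM_SUSPICIOUS_OPS:
        return None
    return Finding("Azure", "AzureActivity", op, rec.get("Caller", ""),
                   rec.get("CallerIpAddress", ""), rec.get("ActivityStatusValue", ""))


def from_cloudtrail(rec: dict) -> Optional[Finding]:
    """AWS CloudTrail record (Sentinel AWSCloudTrail)."""
    name = rec.get("EventName", "")
    if name not in AWS_SUSPICIOUS_APIS:
        return None
    error = rec.get("ErrorCode") or ""
    # Assumed-role calls are usually IaC/CI automation: keep only if the call failed.
    if rec.get("UserIdentityType") == "AssumedRole" and not error:
        return None
    return Finding("AWS", "AWSCloudTrail", name, rec.get("UserIdentityArn", ""),
                   rec.get("SourceIpAddress", ""), error or "Success")


def run_detection(audit_logs, azure_activity, cloudtrail) -> list:
    """Union the three normalised sources, newest first (TimeGenerated is ISO-8601 UTC)."""
    hits = []
    for recs, normalise in ((audit_logs, from_audit_logs),
                            (azure_activity, from_azure_activity),
                            (cloudtrail, from_cloudtrail)):
        for rec in recs:
            finding = normalise(rec)
            if finding is not None:
                hits.append((rec["TimeGenerated"], finding))
    hits.sort(key=lambda pair: pair[0], reverse=True)
    return [finding for _, finding in hits]


# Constructed sample records (not real tenant data).
SAMPLE_AUDIT_LOGS = [
    {"TimeGenerated": "2024-05-01T10:00:00Z", "OperationName": "Add member to role", "Result": "success",
     "InitiatedBy": {"user": {"userPrincipalName": "attacker@contoso.example", "ipAddress": "203.0.113.5"}}},
    {"TimeGenerated": "2024-05-01T09:00:00Z", "OperationName": "Update user", "Result": "success",
     "InitiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example", "ipAddress": "198.51.100.7"}}},
]
SAMPLE_AZURE_ACTIVITY = [
    {"TimeGenerated": "2024-05-01T10:05:00Z", "OperationNameValue": "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
     "Caller": "attacker@contoso.example", "CallerIpAddress": "203.0.113.5", "ActivityStatusValue": "Success"},
]
SAMPLE_CLOUDTRAIL = [
    # Interactive IAM user minting an access key: kept.
    {"TimeGenerated": "2024-05-01T10:10:00Z", "EventName": "CreateAccessKey", "UserIdentityType": "IAMUser",
     "UserIdentityArn": "arn:aws:iam::123456789012:user/alice", "SourceIpAddress": "203.0.113.5", "ErrorCode": ""},
    # Terraform role creating a role successfully: suppressed by the assumed-role exception.
    {"TimeGenerated": "2024-05-01T10:11:00Z", "EventName": "CreateRole", "UserIdentityType": "AssumedRole",
     "UserIdentityArn": "arn:aws:sts::123456789012:assumed-role/terraform/ci", "SourceIpAddress": "10.0.0.4", "ErrorCode": ""},
    # Assumed role denied when trying to stop CloudTrail logging: kept because it failed.
    {"TimeGenerated": "2024-05-01T10:12:00Z", "EventName": "StopLogging", "UserIdentityType": "AssumedRole",
     "UserIdentityArn": "arn:aws:sts::123456789012:assumed-role/app/web", "SourceIpAddress": "10.0.0.9", "ErrorCode": "AccessDenied"},
]

if __name__ == "__main__":
    for finding in run_detection(SAMPLE_AUDIT_LOGS, SAMPLE_AZURE_ACTIVITY, SAMPLE_CLOUDTRAIL):
        print(finding)
```

Running it yields four findings, newest first: the denied StopLogging, the access-key creation by an IAM user, the ARM role assignment write, and the Entra role membership change; the successful CreateRole by the Terraform role is suppressed, which is exactly the trade-off the assumed-role exception makes.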
Data Sources
Required Tables
- AuditLogs (Microsoft Entra ID directory audit log, via the Microsoft Entra ID data connector)
- AzureActivity (Azure Resource Manager activity log, via the Azure Activity data connector)
- AWSCloudTrail (CloudTrail management events, via the Amazon Web Services data connector)
False Positives & Tuning
- Cloud administrators creating IAM users and roles during onboarding or infrastructure provisioning
- Infrastructure-as-Code tools (Terraform, CloudFormation, Pulumi) creating cloud resources programmatically
- CI/CD pipelines deploying Lambda functions or updating compute resources
- Tune by allow-listing the specific automation principals (deployment service principals, CI role ARNs) and their expected source ranges rather than by removing API names from the list; the query already keeps AWS assumed-role calls only when they fail, which suppresses healthy automation but still surfaces a compromised role hitting permission boundaries
Testing Methodology
Validate this detection with the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Note that all three exercise read-only operations that are not in the query's watchlist, so they confirm that the relevant tables are being ingested and attributed correctly; they do not by themselves cause the rule to fire. Executable commands and cleanup steps are available with Pro.
- Test 1: AWS IAM User Enumeration via CLI
Expected signal: CloudTrail: ListUsers API call with source IP, user identity ARN, and a user agent beginning with 'aws-cli'. The event is logged regardless of success or failure (a denied call carries ErrorCode AccessDenied). ListUsers is not in the watchlist above; check that the record lands in AWSCloudTrail with the expected UserIdentityArn and SourceIpAddress.
- Test 2: Azure Role Assignment Enumeration
Expected signal: Microsoft Entra sign-in log entry for the Azure CLI client application ("Microsoft Azure CLI", application ID 04b07795-8ddb-461a-bbee-02f9e1bf7b46). The Azure Activity log does not record read (GET) operations, so the Microsoft.Authorization/roleAssignments/read call itself will not appear in AzureActivity; the sign-in is the observable artefact of this test.
- Test 3: AWS CloudTrail Status Check
Expected signal: CloudTrail: GetTrailStatus API call. This read-only call is benign on its own, but the same identity calling GetTrailStatus shortly before StopLogging or DeleteTrail is a strong indicator pattern (recon of logging coverage before tampering).
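The sequence described in Test 3, as an added example that is not part of the original page: a correlation that pairs a GetTrailStatus call with a later StopLogging, DeleteTrail or PutEventSelectors call by the same UserIdentityArn inside a time window. The one-hour window, the field names (those of the Sentinel AWSCloudTrail table) and the sample events are this example's assumptions. It also shows the two negative cases that should not pair: recon outside the window and tampering with no preceding recon (the latter is still caught by the plain watchlist).

```python
# Added example: recon-then-tamper correlation over CloudTrail records.
# Window and sample events are assumptions constructed for this example.
from datetime import datetime, timedelta

RECON_CALL = "GetTrailStatus"
TAMPER_CALLS = {"StopLogging", "DeleteTrail", "PutEventSelectors"}
WINDOW = timedelta(hours=1)


def _ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def recon_then_tamper(events, window=WINDOW):
    """Return (recon_event, tamper_event) pairs where one UserIdentityArn called
    GetTrailStatus and then a trail-tampering API within `window`.
    Both successful and denied calls count: CloudTrail logs either, and a denied
    StopLogging after recon is still an attempt worth escalating."""
    by_actor = {}
    for event in sorted(events, key=lambda e: _ts(e["TimeGenerated"])):
        by_actor.setdefault(event["UserIdentityArn"], []).append(event)

    pairs = []
    for actor_events in by_actor.values():
        recon = [e for e in actor_events if e["EventName"] == RECON_CALL]
        for tamper in actor_events:
            if tamper["EventName"] not in TAMPER_CALLS:
                continue
            t_time = _ts(tamper["TimeGenerated"])
            # Most recent recon call that precedes the tamper call inside the window.
            prior = [r for r in recon
                     if timedelta(0) <= t_time - _ts(r["TimeGenerated"]) <= window]
            if prior:
                pairs.append((prior[-1], tamper))
    return pairs


# Constructed sample CloudTrail records (not real account data).
SAMPLE_EVENTS = [
    # Actor A: status check, then StopLogging 20 minutes later -> pair.
    {"TimeGenerated": "2024-05-01T10:00:00Z", "EventName": "GetTrailStatus",
     "UserIdentityArn": "arn:aws:iam::123456789012:user/alice", "ErrorCode": ""},
    {"TimeGenerated": "2024-05-01T10:20:00Z", "EventName": "StopLogging",
     "UserIdentityArn": "arn:aws:iam::123456789012:user/alice", "ErrorCode": "AccessDenied"},
    # Actor B: status check 2.5 hours before DeleteTrail -> outside window, no pair.
    {"TimeGenerated": "2024-05-01T08:00:00Z", "EventName": "GetTrailStatus",
     "UserIdentityArn": "arn:aws:iam::123456789012:user/bob", "ErrorCode": ""},
    {"TimeGenerated": "2024-05-01T10:30:00Z", "EventName": "DeleteTrail",
     "UserIdentityArn": "arn:aws:iam::123456789012:user/bob", "ErrorCode": ""},
    # Actor C: StopLogging with no recon -> no pair (watchlist still flags it).
    {"TimeGenerated": "2024-05-01T11:00:00Z", "EventName": "StopLogging",
     "UserIdentityArn": "arn:aws:iam::123456789012:user/carol", "ErrorCode": ""},
    # Actor D: the benign Test 3 on its own -> no pair.
    {"TimeGenerated": "2024-05-01T09:00:00Z", "EventName": "GetTrailStatus",
     "UserIdentityArn": "arn:aws:iam::123456789012:user/dave", "ErrorCode": ""},
]

if __name__ == "__main__":
    for recon, tamper in recon_then_tamper(SAMPLE_EVENTS):
        print(f"{recon['UserIdentityArn']}: {recon['EventName']} at {recon['TimeGenerated']} "
              f"then {tamper['EventName']} at {tamper['TimeGenerated']} ({tamper['ErrorCode'] or 'Success'})")
```

Only actor A pairs. In Sentinel the equivalent is a time-windowed self-join of AWSCloudTrail on UserIdentityArn; the Python form is useful for replaying exported CloudTrail JSON during an investigation or for unit-testing the window before committing to a KQL rule.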
References (6)
- https://attack.mitre.org/techniques/T1059/009/
- https://github.com/Azure/azure-powershell
- https://docs.aws.amazon.com/cli/latest/reference/
- https://cloud.google.com/sdk/gcloud/reference
- https://github.com/RhinoSecurityLabs/pacu
- https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/