T1059.009 Sumo Logic CSE · Sumo

Detect Cloud API in Sumo Logic CSE

Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through CLIs (aws, az, gcloud), in-browser Cloud Shells, PowerShell modules, or SDKs. With proper permissions, adversaries may abuse cloud APIs to invoke functions across compute, storage, IAM, networking, and security services. APT29 has leveraged the Microsoft Graph API, TeamTNT has used AWS CLI with compromised credentials, and Storm-0501 has used cloud CLI for data exfiltration.

MITRE ATT&CK

Tactic
Execution
Technique
T1059 Command and Scripting Interpreter
Sub-technique
T1059.009 Cloud API
Canonical reference
https://attack.mitre.org/techniques/T1059/009/

Sumo Detection Query

Sumo Logic CSE (Sumo)

(_sourceCategory=aws/cloudtrail OR _sourceCategory=azure/activity OR _sourceCategory=azure/audit)
// Extract the CloudTrail and Azure Activity fields; nodrop keeps records where a field is absent
| json field=_raw "eventName" as eventName nodrop
| json field=_raw "operationName" as operationName nodrop
| json field=_raw "userIdentity.arn" as userArn nodrop
| json field=_raw "userIdentity.type" as identityType nodrop
| json field=_raw "sourceIPAddress" as sourceIP nodrop
| json field=_raw "awsRegion" as awsRegion nodrop
| json field=_raw "errorCode" as errorCode nodrop
| json field=_raw "errorMessage" as errorMessage nodrop
| where eventName in ("CreateUser", "AttachUserPolicy", "CreateAccessKey", "CreateRole", "AssumeRole", "GetSessionToken", "PutBucketPolicy", "DeleteBucketPolicy", "CreateFunction", "UpdateFunctionCode", "RunInstances", "CreateKeyPair", "StopLogging", "DeleteTrail", "PutEventSelectors", "DisableGuardDuty", "DeleteDetector", "CreateGroup", "AddMemberToGroup") OR operationName matches /roleDefinitions\/write|roleAssignments\/write|virtualMachines\/write/
// Category flags. Sumo Logic has no eval or table operators (those are Splunk), so each flag is an
// if() assigned with "as". The Azure operationName matches are folded into the same categories so
// that Azure records also receive a non-zero score instead of being dropped by the final filter.
| if(eventName in ("CreateUser", "AttachUserPolicy", "CreateAccessKey", "CreateRole") OR operationName matches /roleDefinitions\/write/, 1, 0) as iam_change
| if(eventName in ("StopLogging", "DeleteTrail", "PutEventSelectors", "DisableGuardDuty", "DeleteDetector"), 1, 0) as security_disable
| if(eventName in ("AssumeRole", "AttachUserPolicy") OR operationName matches /roleAssignments\/write/, 1, 0) as priv_esc
| if(eventName in ("RunInstances", "CreateFunction", "UpdateFunctionCode") OR operationName matches /virtualMachines\/write/, 1, 0) as compute_create
// Weighted, additive score: one event can match several categories
| (iam_change * 2 + security_disable * 3 + priv_esc * 2 + compute_create) as suspicion_score
| where suspicion_score > 0
| fields _messageTime, eventName, operationName, userArn, identityType, sourceIP, awsRegion, errorCode, errorMessage, iam_change, security_disable, priv_esc, compute_create, suspicion_score
| sort by suspicion_score desc

Severity
High
Confidence
High

Detects suspicious cloud API calls from AWS CloudTrail and Azure Activity logs in Sumo Logic using a multi-factor suspicion scoring model equivalent to the Splunk detection. Security control disabling events score highest (3), followed by IAM manipulation and privilege escalation (2 each), and compute provisioning (1). The score is additive, so an event that falls into more than one category scores higher: AttachUserPolicy counts as both an IAM change and a privilege escalation and scores 4. JSON field extraction covers both AWS and Azure event schemas. Only records with a non-zero suspicion score are surfaced.
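To make the scoring model concrete, here is an added Python re-implementation of the query's flag and score columns run over constructed sample records; it is example code written for this page, not part of the Sumo Logic rule. The mapping of the three Azure operationName patterns onto the same four categories is an assumption made here so that Azure records receive a score.

```python
import json

# Category sets copied from the query. AZURE_OPS is an assumption for this example:
# the query's regex only selects these operationName values, so each is folded into
# one of the four categories (otherwise Azure records would always score 0).
IAM_CHANGE = {"CreateUser", "AttachUserPolicy", "CreateAccessKey", "CreateRole"}
SECURITY_DISABLE = {"StopLogging", "DeleteTrail", "PutEventSelectors",
                    "DisableGuardDuty", "DeleteDetector"}
PRIV_ESC = {"AssumeRole", "AttachUserPolicy"}
COMPUTE_CREATE = {"RunInstances", "CreateFunction", "UpdateFunctionCode"}
AZURE_OPS = {"roleDefinitions/write": "iam_change",
             "roleAssignments/write": "priv_esc",
             "virtualMachines/write": "compute_create"}
WEIGHTS = {"iam_change": 2, "security_disable": 3, "priv_esc": 2, "compute_create": 1}


def score_event(raw_json):
    """Reproduce the query's flag and score columns for one raw JSON log record."""
    ev = json.loads(raw_json)
    name = ev.get("eventName", "")       # AWS CloudTrail
    op = ev.get("operationName", "")     # Azure Activity
    flags = {"iam_change": int(name in IAM_CHANGE),
             "security_disable": int(name in SECURITY_DISABLE),
             "priv_esc": int(name in PRIV_ESC),
             "compute_create": int(name in COMPUTE_CREATE)}
    for pattern, category in AZURE_OPS.items():
        if pattern in op:                # mirrors `operationName matches /.../`
            flags[category] = 1
    score = sum(WEIGHTS[c] * v for c, v in flags.items())   # additive, like the query
    return {"event": name or op,
            "actor": ev.get("userIdentity", {}).get("arn", ""),
            "source_ip": ev.get("sourceIPAddress", ""), **flags, "suspicion_score": score}


def detect(lines):
    """Keep only non-zero scores, highest first, as the query's where/sort do."""
    rows = [score_event(line) for line in lines if line.strip()]
    return sorted((r for r in rows if r["suspicion_score"] > 0),
                  key=lambda r: r["suspicion_score"], reverse=True)


# Constructed sample records (not real telemetry): three CloudTrail events, one Azure event.
SAMPLE_LOGS = [
    '{"eventName":"StopLogging","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/build-bot"},"sourceIPAddress":"203.0.113.10","awsRegion":"us-east-1"}',
    '{"eventName":"AttachUserPolicy","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/build-bot"},"sourceIPAddress":"203.0.113.10","awsRegion":"us-east-1"}',
    '{"eventName":"ListUsers","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/analyst"},"sourceIPAddress":"198.51.100.7","awsRegion":"us-east-1"}',
    '{"operationName":"Microsoft.Authorization/roleAssignments/write","caller":"user@example.com"}',
]

if __name__ == "__main__":
    for row in detect(SAMPLE_LOGS):
        print(row["suspicion_score"], row["event"], row["actor"], row["source_ip"])
```

The read-only ListUsers record scores 0 and is dropped, while AttachUserPolicy outranks StopLogging because it hits two categories.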

Data Sources

  • AWS CloudTrail
  • Azure Activity Logs

Required Tables

  • _sourceCategory=aws/cloudtrail
  • _sourceCategory=azure/activity
  • _sourceCategory=azure/audit

False Positives & Tuning

  • Automated deployment pipelines using IAM roles will generate AssumeRole and CreateFunction events at expected intervals aligned with release schedules — create a Sumo Logic allowlist lookup table for known pipeline ARNs
  • On-call engineers using aws CLI to investigate live incidents will generate GetSessionToken and AssumeRole events from residential or mobile IP addresses outside corporate egress ranges during after-hours emergencies
  • Multi-account AWS Organizations setups where a central management account routinely creates and attaches policies to delegated accounts via IAM automation will produce high volumes of legitimate AttachUserPolicy and CreateRole events

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Note that all three tests exercise read-only calls (ListUsers, roleAssignments/read, GetTrailStatus) that the query above does not match, so they confirm that CloudTrail and Azure Activity telemetry is arriving in Sumo Logic rather than firing the alert itself. Executable commands and cleanup steps are available with Pro.

  1. Test 1: AWS IAM User Enumeration via CLI

    Expected signal: CloudTrail: ListUsers API call with source IP, user identity ARN, and user agent showing 'aws-cli'. The event will be logged regardless of success or failure.

  2. Test 2: Azure Role Assignment Enumeration

    Expected signal: Azure Activity Log: Microsoft.Authorization/roleAssignments/read operation. Sign-in log showing authentication event for the Azure CLI client.

  3. Test 3: AWS CloudTrail Status Check

    Expected signal: CloudTrail: GetTrailStatus API call. This read-only call is benign but its presence before StopLogging calls is a strong indicator pattern.
