T1069.003

Cloud Groups

Adversaries may attempt to find cloud groups and permission settings to understand role assignments, privilege levels, and group memberships within a cloud environment. Cmdlets and tools such as Get-MsolRole (Office 365), az ad user get-member-groups (Azure CLI), ROADTools, AADInternals, and Pacu are used to enumerate cloud identity groups; in AWS, the ListRolePolicies and ListAttachedRolePolicies API calls enumerate a role's policies. Adversaries use this information to identify privileged accounts, map lateral movement paths, and select targets for privilege escalation.

Microsoft Sentinel / Defender
```kusto
let CloudGroupEnumCmdlets = dynamic([
  "Get-MsolRole", "Get-MsolRoleMember", "Get-AzureADGroup", "Get-AzureADGroupMember",
  "Get-AzureADDirectoryRole", "Get-AzureADDirectoryRoleMember",
  "Get-MgGroup", "Get-MgGroupMember", "Get-MgDirectoryRole", "Get-MgDirectoryRoleMember",
  "az ad group", "az ad user get-member-groups", "az role assignment list",
  "ListRolePolicies", "ListAttachedRolePolicies", "ListGroupPolicies",
  "Get-MsolGroupMember", "Get-AzRoleAssignment", "Get-AzADGroup"
]);
let SuspiciousTools = dynamic([
  "roadtools", "roadrecon", "aadinternals", "invoke-aadintrecon",
  "pacu", "stormspotter", "azurehound", "bloodhound"
]);
// Azure AD Audit Logs for group enumeration
AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName in~ (
    "List group members", "List groups", "Get group", "Get groups",
    "List directory roles", "List directory role members",
    "List role assignments", "Get role assignment"
  )
| where Result =~ "success"
| extend InitiatedByUser = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatedByApp = tostring(InitiatedBy.app.displayName)
| extend TargetResource = tostring(TargetResources[0].displayName)
| extend IPAddress = tostring(InitiatedBy.user.ipAddress)
| project TimeGenerated, OperationName, InitiatedByUser, InitiatedByApp,
          TargetResource, IPAddress, Result, CorrelationId
| union (
    // PowerShell / Azure CLI enumeration seen in endpoint process-creation telemetry,
    // projected onto the same column set so both branches can be unioned
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName in~ ("powershell.exe", "pwsh.exe", "az.cmd", "az")
    | where ProcessCommandLine has_any (CloudGroupEnumCmdlets)
       or ProcessCommandLine has_any (SuspiciousTools)
    | extend InitiatedByUser = AccountName
    | extend InitiatedByApp = FileName
    | extend TargetResource = ProcessCommandLine
    | extend IPAddress = ""
    | extend CorrelationId = tostring(ProcessId)
    | project TimeGenerated = Timestamp, OperationName = ProcessCommandLine,
              InitiatedByUser, InitiatedByApp, TargetResource, IPAddress, Result = "process", CorrelationId
)
| sort by TimeGenerated desc
```

Severity: medium. Confidence: medium.

Data Sources

  • Cloud Service: Cloud Service Enumeration
  • Azure AD: Audit Logs
  • Process: Process Creation
  • Command: Command Execution

Required Tables

  • AuditLogs
  • DeviceProcessEvents

False Positives

  • IT administrators performing routine group membership audits or access reviews using the AzureAD PowerShell module
  • Microsoft Entra ID Governance access reviews that programmatically list group memberships
  • SIEM or CSPM tools (Defender for Cloud, Prisma Cloud) that periodically enumerate groups for compliance checks
  • HR onboarding automation scripts that query group memberships to provision or deprovision user access
  • Azure DevOps pipelines with service principals that enumerate role assignments for deployment validation
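As an added example (not code from the original detection page), the Python below re-implements the two branches of the query above over constructed sample events and applies an allowlist of the kind the false-positive list calls for. The indicator strings and operation names are the page's own; the allowlist identities, sample events and `term_match` approximation of KQL `has_any` are assumptions made here.

```python
import re
# Indicator lists mirror the query's dynamic arrays (subset, same strings).
ENUM_CMDLETS = ["Get-MsolRole", "Get-MsolRoleMember", "Get-MgGroupMember",
                "az ad user get-member-groups", "ListAttachedRolePolicies"]
SUSPICIOUS_TOOLS = ["roadrecon", "aadinternals", "pacu", "azurehound"]
SHELLS = {"powershell.exe", "pwsh.exe", "az.cmd", "az"}
AUDIT_OPS = {"list group members", "list groups", "list directory roles",
             "list directory role members", "list role assignments"}
ALLOWLIST = {"svc-accessreview@example.com", "ado-deploy-sp"}  # constructed: expected automation identities

def term_match(text, needle):
    """Approximates KQL has_any: case-insensitive, needle not glued to other alphanumerics."""
    pat = r"(?<![A-Za-z0-9])" + re.escape(needle) + r"(?![A-Za-z0-9])"
    return re.search(pat, text, re.IGNORECASE) is not None

def eval_process_event(ev):
    """DeviceProcessEvents branch; returns (source, identity, indicator, detail) or None."""
    if ev["FileName"].lower() not in SHELLS or ev["AccountName"] in ALLOWLIST:
        return None
    hits = [n for n in ENUM_CMDLETS + SUSPICIOUS_TOOLS if term_match(ev["ProcessCommandLine"], n)]
    return ("DeviceProcessEvents", ev["AccountName"], hits[0], ev["ProcessCommandLine"]) if hits else None

def eval_audit_event(ev):
    """AuditLogs branch: listed operation, success only, user or app initiator."""
    if ev["OperationName"].lower() not in AUDIT_OPS or ev["Result"].lower() != "success":
        return None
    who = (ev["InitiatedBy"].get("user", {}).get("userPrincipalName")
           or ev["InitiatedBy"].get("app", {}).get("displayName", ""))
    if who in ALLOWLIST:
        return None
    return ("AuditLogs", who, ev["OperationName"], ev["TargetResources"][0]["displayName"])

def triage(process_events, audit_events):
    """Both branches combined like the query's union, minus allowlisted identities."""
    alerts = [eval_process_event(e) for e in process_events] + [eval_audit_event(e) for e in audit_events]
    return [a for a in alerts if a is not None]

SAMPLE_PROCESS_EVENTS = [  # constructed sample telemetry, not real tenant data
    {"FileName": "powershell.exe", "AccountName": "alice",
     "ProcessCommandLine": "powershell.exe -Command Get-MsolRoleMember -RoleObjectId <role-id>"},
    {"FileName": "cmd.exe", "AccountName": "alice",  # not alerted: the FileName filter skips cmd.exe
     "ProcessCommandLine": "cmd.exe /c roadrecon gather"},
]
SAMPLE_AUDIT_EVENTS = [
    {"OperationName": "List directory role members", "Result": "success",
     "InitiatedBy": {"user": {"userPrincipalName": "bob@example.com"}},
     "TargetResources": [{"displayName": "Directory Readers"}]},
    {"OperationName": "List group members", "Result": "success",  # allowlisted service principal
     "InitiatedBy": {"app": {"displayName": "ado-deploy-sp"}},
     "TargetResources": [{"displayName": "prod-deployers"}]},
]
```

The second process event shows a coverage gap worth knowing about: the query's FileName filter only inspects PowerShell and Azure CLI launches, so the same tooling invoked through another parent binary is not matched.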
