T1069.003 Microsoft Sentinel · KQL

Detect Cloud Groups in Microsoft Sentinel

Adversaries may attempt to find cloud groups and permission settings to understand role assignments, privilege levels, and group memberships within a cloud environment. Tools such as Get-MsolRole (Office 365), az ad user get-member-groups (Azure CLI), ROADTools, AADInternals, and Pacu are used to enumerate cloud identity groups. In AWS, ListRolePolicies and ListAttachedRolePolicies enumerate role policies. Adversaries use this information to identify privileged accounts, determine lateral movement paths, and select targets for privilege escalation.

MITRE ATT&CK

Tactic
Discovery
Technique
T1069 Permission Groups Discovery
Sub-technique
T1069.003 Cloud Groups
Canonical reference
https://attack.mitre.org/techniques/T1069/003/

KQL Detection Query

Microsoft Sentinel (KQL)
// Cmdlets and CLI verbs that enumerate cloud groups, directory roles and role assignments
let CloudGroupEnumCmdlets = dynamic([
  "Get-MsolRole", "Get-MsolRoleMember", "Get-AzureADGroup", "Get-AzureADGroupMember",
  "Get-AzureADDirectoryRole", "Get-AzureADDirectoryRoleMember",
  "Get-MgGroup", "Get-MgGroupMember", "Get-MgDirectoryRole", "Get-MgDirectoryRoleMember",
  "az ad group", "az ad user get-member-groups", "az role assignment list",
  "ListRolePolicies", "ListAttachedRolePolicies", "ListGroupPolicies",
  "Get-MsolGroupMember", "Get-AzRoleAssignment", "Get-AzADGroup"
]);
// Known enumeration tooling, matched as terms anywhere in the command line
let SuspiciousTools = dynamic([
  "roadtools", "roadrecon", "aadinternals", "invoke-aadintrecon",
  "pacu", "stormspotter", "azurehound", "bloodhound"
]);
// Branch 1: Azure AD Audit Logs for group/role listing operations.
// Confirm these OperationName values appear in your tenant's AuditLogs before relying on this branch.
AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName in~ (
    "List group members", "List groups", "Get group", "Get groups",
    "List directory roles", "List directory role members",
    "List role assignments", "Get role assignment"
  )
| where Result =~ "success"
// Flatten the dynamic InitiatedBy / TargetResources columns into a common schema
| extend InitiatedByUser = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatedByApp = tostring(InitiatedBy.app.displayName)
| extend TargetResource = tostring(TargetResources[0].displayName)
| extend IPAddress = tostring(InitiatedBy.user.ipAddress)
| project TimeGenerated, OperationName, InitiatedByUser, InitiatedByApp,
          TargetResource, IPAddress, Result, CorrelationId
| union (
    // Branch 2: PowerShell- and CLI-based enumeration seen in endpoint process events
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName in~ ("powershell.exe", "pwsh.exe", "az.cmd", "az")
    | where ProcessCommandLine has_any (CloudGroupEnumCmdlets)
       or ProcessCommandLine has_any (SuspiciousTools)
    // Map endpoint fields onto the same column names so the union lines up
    | extend InitiatedByUser = AccountName
    | extend InitiatedByApp = FileName
    | extend TargetResource = ProcessCommandLine
    | extend IPAddress = ""
    | extend CorrelationId = tostring(ProcessId)
    | project TimeGenerated = Timestamp, OperationName = ProcessCommandLine,
              InitiatedByUser, InitiatedByApp, TargetResource, IPAddress, Result = "process", CorrelationId
)
| sort by TimeGenerated desc
Severity: medium · Confidence: medium

Detects cloud group enumeration activity across Azure AD Audit Logs and endpoint process events. Monitors Azure AD Audit Logs for group/role listing operations (List group members, List directory roles, List role assignments) and DeviceProcessEvents for PowerShell cmdlets and CLI commands used to enumerate cloud groups such as Get-MsolRole, Get-AzureADGroup, az ad group, and known enumeration tools like ROADTools, AADInternals, AzureHound, and Pacu.

Data Sources

  • Cloud Service: Cloud Service Enumeration
  • Azure AD: Audit Logs
  • Process: Process Creation
  • Command: Command Execution

Required Tables

  • AuditLogs
  • DeviceProcessEvents

False Positives & Tuning

  • IT administrators performing routine group membership audits or access reviews using AzureAD PowerShell module
  • Microsoft Entra ID Governance access reviews that programmatically list group memberships
  • SIEM or CSPM tools (Defender for Cloud, Prisma Cloud) that periodically enumerate groups for compliance checks
  • HR onboarding automation scripts that query group memberships to provision or deprovision user access
  • Azure DevOps pipelines with service principals that enumerate role assignments for deployment validation

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Enumerate Azure AD Groups via MSOnline PowerShell Module

    Expected signal: Sysmon Event ID 1: PowerShell process creation with CommandLine containing 'Get-MsolRole' and 'Get-MsolRoleMember'. PowerShell ScriptBlock Log Event ID 4104 with full script content. Azure AD Audit Logs: 'List directory roles' and 'List directory role members' operations attributed to the authenticated user. Sysmon Event ID 3: Outbound network connections to login.microsoftonline.com and graph.windows.net.

  2. Test 2: Enumerate Azure AD Groups via Azure CLI

    Expected signal: Sysmon Event ID 1: az.cmd process creation with CommandLine containing 'ad group list', 'ad user get-member-groups', 'role assignment list'. Sysmon Event ID 3: Network connections to management.azure.com and graph.microsoft.com. Azure AD Audit Logs: 'List groups', 'List role assignments' operations. File creation events (Sysmon ID 11) for output files in TEMP directory.

  3. Test 3: Enumerate AWS IAM Role Policies via AWS CLI

    Expected signal: Sysmon Event ID 1: PowerShell and aws.exe process creation events with CommandLine containing 'list-roles', 'list-role-policies', 'list-attached-role-policies', 'list-groups'. Sysmon Event ID 3: Outbound connections to iam.amazonaws.com (port 443). File creation events for output files. AWS CloudTrail: ListRoles, ListRolePolicies, ListAttachedRolePolicies, ListGroups API calls attributed to the IAM principal.

  4. Test 4: Enumerate Azure AD Groups using Microsoft Graph PowerShell SDK

    Expected signal: Sysmon Event ID 1: PowerShell process with CommandLine containing 'Get-MgGroup', 'Get-MgDirectoryRole', 'Get-MgDirectoryRoleMember'. Sysmon Event ID 3: Outbound connections to graph.microsoft.com (port 443). PowerShell ScriptBlock Log Event ID 4104. Azure AD Audit Logs: 'List groups', 'List directory roles', 'List directory role members' operations. Sysmon Event ID 11: CSV file creation in TEMP directory.
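To check the rule's term lists and union schema before it reaches a Sentinel workspace, the matching logic of the KQL query above can be replayed offline over constructed events shaped like the process-creation and audit-log telemetry the tests above expect. The following Python script is an added example, not part of this page or of Sentinel; it is an approximation (its has_any() mimics KQL's whole-term matching with a regex rather than Kusto's tokenizer), and every sample event, account name, IP address and process id in it is constructed for illustration.

```python
"""Offline replay of the T1069.003 rule logic over constructed sample events.
Assumption: this is an added approximation of the Sentinel rule, not Kusto itself;
has_any() mimics KQL whole-term matching with a regex."""
import re

# Same term lists as the Sentinel rule above.
CLOUD_GROUP_ENUM_CMDLETS = [
    "Get-MsolRole", "Get-MsolRoleMember", "Get-AzureADGroup", "Get-AzureADGroupMember",
    "Get-AzureADDirectoryRole", "Get-AzureADDirectoryRoleMember",
    "Get-MgGroup", "Get-MgGroupMember", "Get-MgDirectoryRole", "Get-MgDirectoryRoleMember",
    "az ad group", "az ad user get-member-groups", "az role assignment list",
    "ListRolePolicies", "ListAttachedRolePolicies", "ListGroupPolicies",
    "Get-MsolGroupMember", "Get-AzRoleAssignment", "Get-AzADGroup",
]
SUSPICIOUS_TOOLS = [
    "roadtools", "roadrecon", "aadinternals", "invoke-aadintrecon",
    "pacu", "stormspotter", "azurehound", "bloodhound",
]
AUDIT_OPERATIONS = {s.lower() for s in [
    "List group members", "List groups", "Get group", "Get groups",
    "List directory roles", "List directory role members",
    "List role assignments", "Get role assignment",
]}
PROCESS_NAMES = {"powershell.exe", "pwsh.exe", "az.cmd", "az"}


def has_any(text, terms):
    """Approximate KQL has_any: case-insensitive match of each term as a whole token
    or phrase, never as a substring of a longer token (so "Get-MsolRole" does not
    match "Get-MsolRoleMember", just as in Kusto)."""
    lowered = text.lower()
    for term in terms:
        pattern = r"(?<![a-z0-9_])" + re.escape(term.lower()) + r"(?![a-z0-9_])"
        if re.search(pattern, lowered):
            return True
    return False


def detect(audit_logs, process_events):
    """Apply both branches of the rule and return rows in its projected schema, newest first."""
    rows = []
    for ev in audit_logs:  # branch 1: AuditLogs listing operations that succeeded
        if ev["OperationName"].lower() in AUDIT_OPERATIONS and ev["Result"].lower() == "success":
            initiated = ev.get("InitiatedBy") or {}
            user, app = initiated.get("user") or {}, initiated.get("app") or {}
            target = (ev.get("TargetResources") or [{}])[0]
            rows.append({
                "TimeGenerated": ev["TimeGenerated"], "OperationName": ev["OperationName"],
                "InitiatedByUser": user.get("userPrincipalName", ""),
                "InitiatedByApp": app.get("displayName", ""),
                "TargetResource": target.get("displayName", ""),
                "IPAddress": user.get("ipAddress", ""), "Result": ev["Result"],
                "CorrelationId": ev.get("CorrelationId", ""),
            })
    for ev in process_events:  # branch 2: DeviceProcessEvents from the watched binaries
        cmd = ev["ProcessCommandLine"]
        if ev["FileName"].lower() in PROCESS_NAMES and (
            has_any(cmd, CLOUD_GROUP_ENUM_CMDLETS) or has_any(cmd, SUSPICIOUS_TOOLS)
        ):
            rows.append({
                "TimeGenerated": ev["Timestamp"], "OperationName": cmd,
                "InitiatedByUser": ev["AccountName"], "InitiatedByApp": ev["FileName"],
                "TargetResource": cmd, "IPAddress": "", "Result": "process",
                "CorrelationId": str(ev["ProcessId"]),
            })
    return sorted(rows, key=lambda r: r["TimeGenerated"], reverse=True)


# Constructed AuditLogs-shaped records (not real tenant data).
SAMPLE_AUDIT_LOGS = [
    {"TimeGenerated": "2024-05-01T10:00:00Z", "OperationName": "List directory role members",
     "Result": "success", "CorrelationId": "c-1",
     "TargetResources": [{"displayName": "Global Administrator"}],
     "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example", "ipAddress": "203.0.113.10"},
                     "app": {"displayName": "Azure Active Directory PowerShell"}}},
    {"TimeGenerated": "2024-05-01T10:01:00Z", "OperationName": "Add member to group",  # write op, not listed
     "Result": "success", "CorrelationId": "c-2", "TargetResources": [{"displayName": "Finance"}],
     "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example", "ipAddress": "203.0.113.10"}}},
    {"TimeGenerated": "2024-05-01T10:02:00Z", "OperationName": "List groups",  # failed, filtered out
     "Result": "failure", "CorrelationId": "c-3", "TargetResources": [],
     "InitiatedBy": {"user": {"userPrincipalName": "jdoe@contoso.example", "ipAddress": "198.51.100.7"}}},
]


def _proc(ts, file_name, cmd, pid):  # constructed DeviceProcessEvents-shaped record
    return {"Timestamp": ts, "FileName": file_name, "ProcessCommandLine": cmd,
            "AccountName": "jdoe", "ProcessId": pid}


SAMPLE_PROCESS_EVENTS = [
    _proc("2024-05-01T10:03:00Z", "powershell.exe",
          'powershell.exe -NoProfile -Command "Get-MsolRole | Get-MsolRoleMember -RoleObjectId <role-object-id>"', 4321),
    _proc("2024-05-01T10:04:00Z", "az.cmd", "az ad user get-member-groups --id jdoe@contoso.example --output table", 4322),
    _proc("2024-05-01T10:05:00Z", "powershell.exe", "powershell.exe -Command Get-Date", 4323),  # benign
    _proc("2024-05-01T10:06:00Z", "explorer.exe", "explorer.exe C:\\Tools\\roadrecon", 4324),  # outside FileName filter
    _proc("2024-05-01T10:07:00Z", "pwsh.exe", "pwsh -Command Invoke-AADIntRecon -Verbose", 4325),
]

if __name__ == "__main__":
    for row in detect(SAMPLE_AUDIT_LOGS, SAMPLE_PROCESS_EVENTS):
        print(row["TimeGenerated"], row["Result"], row["InitiatedByUser"], row["OperationName"])
```

Run as a script it prints four rows: the three endpoint hits (pwsh, az.cmd and powershell.exe, newest first) and the single successful audit-log listing; the failed "List groups" operation, the group write operation and the benign Get-Date command all fall out. The explorer.exe launch of a tool directory is dropped only because of the FileName filter, which is worth remembering when tuning: the process branch of the rule sees enumeration tooling only when it is started through one of the four listed binaries.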
