T1069.003 Splunk · SPL

Detect Cloud Groups in Splunk

Adversaries may attempt to find cloud groups and permission settings to understand role assignments, privilege levels, and group memberships within a cloud environment. Tools such as Get-MsolRole (Office 365), az ad user get-member-groups (Azure CLI), ROADTools, AADInternals, and Pacu are used to enumerate cloud identity groups. In AWS, ListRolePolicies and ListAttachedRolePolicies enumerate role policies. Adversaries use this information to identify privileged accounts, determine lateral movement paths, and select targets for privilege escalation.

MITRE ATT&CK

Tactic
Discovery
Technique
T1069 Permission Groups Discovery
Sub-technique
T1069.003 Cloud Groups
Canonical reference
https://attack.mitre.org/techniques/T1069/003/

SPL Detection Query

Splunk (SPL)
spl 
index=o365 sourcetype="o365:management:activity"
  (Operation="List group members" OR Operation="List groups" OR Operation="Get group"
   OR Operation="List directory roles" OR Operation="List directory role members"
   OR Operation="List role assignments" OR Operation="Get role assignment"
   OR Operation="Member.Read.All" OR Operation="Group.Read.All")
| eval user=coalesce(UserId, Actor{}.ID)
| eval ip=coalesce(ClientIP, "unknown")
| eval app=coalesce(ApplicationId, Workload)
| stats count as TotalOps,
        dc(Operation) as UniqueOps,
        values(Operation) as Operations,
        earliest(_time) as FirstSeen,
        latest(_time) as LastSeen
        by user, ip, app
| eval TimeSpanMinutes=round((LastSeen - FirstSeen) / 60, 2)
| where TotalOps > 10 OR UniqueOps > 3
| eval SuspicionReason=case(
    TotalOps > 50, "High volume group enumeration",
    UniqueOps > 3 AND TimeSpanMinutes < 5, "Rapid multi-operation enumeration",
    TotalOps > 10, "Moderate volume group enumeration",
    true(), "Multiple group read operations"
  )
| table FirstSeen, LastSeen, user, ip, app, TotalOps, UniqueOps, TimeSpanMinutes, Operations, SuspicionReason
| sort - TotalOps
| union [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
      (Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\az.cmd")
      (CommandLine="*Get-MsolRole*" OR CommandLine="*Get-AzureADGroup*" OR CommandLine="*Get-MgGroup*"
       OR CommandLine="*Get-AzureADDirectoryRole*" OR CommandLine="*az ad group*"
       OR CommandLine="*az ad user get-member-groups*" OR CommandLine="*az role assignment list*"
       OR CommandLine="*Get-AzRoleAssignment*" OR CommandLine="*Get-AzADGroup*"
       OR CommandLine="*roadrecon*" OR CommandLine="*aadinternals*" OR CommandLine="*azurehound*"
       OR CommandLine="*ListRolePolicies*" OR CommandLine="*ListAttachedRolePolicies*")
    | eval user=User, ip="endpoint", app=Image
    | eval TotalOps=1, UniqueOps=1, TimeSpanMinutes=0
    | eval SuspicionReason="Cloud group enumeration cmdlet detected on endpoint"
    | eval Operations=CommandLine
    | eval FirstSeen=_time, LastSeen=_time
    | table FirstSeen, LastSeen, user, ip, app, TotalOps, UniqueOps, TimeSpanMinutes, Operations, SuspicionReason
  ]
medium severity medium confidence

Detects cloud group enumeration by monitoring Office 365 Management Activity logs for high-volume or multi-operation group/role listing events, and Sysmon logs for endpoint execution of cloud group enumeration cmdlets and tools. The O365 component calculates enumeration volume per user per session, flagging users who perform more than 10 group operations or more than 3 distinct operation types. The Sysmon component catches specific PowerShell and CLI cmdlets used for Azure AD and AWS group enumeration.

Data Sources

Cloud Service: Cloud Service EnumerationOffice 365 Management ActivityProcess: Process CreationSysmon Event ID 1

Required Sourcetypes

o365:management:activityXmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • IT administrators performing routine group membership audits or access reviews using AzureAD PowerShell module
  • Microsoft Entra ID Governance automated access reviews that enumerate group memberships at scheduled intervals
  • SIEM or CSPM tools integrated with O365 that routinely query group membership for posture assessment
  • HR automation scripts querying group memberships for onboarding or offboarding workflows
  • Security operations tooling performing regular privileged account audits across Azure AD
Download portable Sigma rule (.yml)

Other platforms for T1069.003

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Enumerate Azure AD Groups via MSOnline PowerShell Module

    Expected signal: Sysmon Event ID 1: PowerShell process creation with CommandLine containing 'Get-MsolRole' and 'Get-MsolRoleMember'. PowerShell ScriptBlock Log Event ID 4104 with full script content. Azure AD Audit Logs: 'List directory roles' and 'List directory role members' operations attributed to the authenticated user. Sysmon Event ID 3: Outbound network connections to login.microsoftonline.com and graph.windows.net.

  2. Test 2Enumerate Azure AD Groups via Azure CLI

    Expected signal: Sysmon Event ID 1: az.cmd process creation with CommandLine containing 'ad group list', 'ad user get-member-groups', 'role assignment list'. Sysmon Event ID 3: Network connections to management.azure.com and graph.microsoft.com. Azure AD Audit Logs: 'List groups', 'List role assignments' operations. File creation events (Sysmon ID 11) for output files in TEMP directory.

  3. Test 3Enumerate AWS IAM Role Policies via AWS CLI

    Expected signal: Sysmon Event ID 1: PowerShell and aws.exe process creation events with CommandLine containing 'list-roles', 'list-role-policies', 'list-attached-role-policies', 'list-groups'. Sysmon Event ID 3: Outbound connections to iam.amazonaws.com (port 443). File creation events for output files. AWS CloudTrail: ListRoles, ListRolePolicies, ListAttachedRolePolicies, ListGroups API calls attributed to the IAM principal.

  4. Test 4Enumerate Azure AD Groups using Microsoft Graph PowerShell SDK

    Expected signal: Sysmon Event ID 1: PowerShell process with CommandLine containing 'Get-MgGroup', 'Get-MgDirectoryRole', 'Get-MgDirectoryRoleMember'. Sysmon Event ID 3: Outbound connections to graph.microsoft.com (port 443). PowerShell ScriptBlock Log Event ID 4104. Azure AD Audit Logs: 'List groups', 'List directory roles', 'List directory role members' operations. Sysmon Event ID 11: CSV file creation in TEMP directory.

Last updated: 2026-04-17 Research depth: deep
References (13)

Unlock Pro Content

Get the full detection package for T1069.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1069Permission Groups Discovery

Related Sub-techniques

T1069.001Local GroupsT1069.002Domain Groups

Related Techniques

T1069Permission Groups DiscoveryT1069.001Local GroupsT1069.002Domain GroupsT1087.004Cloud AccountT1526Cloud Service DiscoveryT1078.004Cloud AccountsT1548.005Temporary Elevated Cloud AccessT1136.003Cloud AccountT1098.003Additional Cloud Roles

Same Tactic: Discovery

Popular Detections