T1087.004

Cloud Account

Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. With authenticated access, tools such as Get-MsolRoleMember, az ad user list, aws iam list-users, aws iam list-roles, and gcloud iam service-accounts list can enumerate cloud accounts across Azure AD, AWS IAM, and GCP. Tools like ROADTools, AADInternals, AzureHound, and Pacu have been used by threat actors including APT29 and Storm-0501 to conduct this activity.

Microsoft Sentinel / Defender

kusto

let CloudEnumPatterns = dynamic([
  "Get-MsolRoleMember", "Get-MsolUser", "Get-AzureADUser", "Get-AzADUser",
  "az ad user list", "az ad sp list", "az role assignment list", "az account list",
  "aws iam list-users", "aws iam list-roles", "aws iam list-groups", "aws iam get-account-authorization-details",
  "gcloud iam service-accounts list", "gcloud projects get-iam-policy", "gcloud organizations get-iam-policy",
  "Get-MsolGroupMember", "Get-MsolServicePrincipal",
  "Invoke-AzureHound", "roadrecon", "roadtools",
  "AADInternals", "Get-AADIntUsers", "Get-AADIntTenantDetails",
  "Invoke-Pacu", "pacu"
]);
let SuspiciousChildProcesses = dynamic(["powershell.exe", "pwsh.exe", "cmd.exe", "python.exe", "python3"]);
// Detection 1: Process-based cloud enumeration commands
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (SuspiciousChildProcesses)
| where ProcessCommandLine has_any (CloudEnumPatterns)
| extend CloudPlatform = case(
    ProcessCommandLine has_any ("Get-Msol", "Get-AzureAD", "Get-Az", "az ad", "az account", "AADInternals", "AzureHound", "roadrecon"), "Azure/M365",
    ProcessCommandLine has_any ("aws iam"), "AWS",
    ProcessCommandLine has_any ("gcloud iam", "gcloud projects", "gcloud organizations"), "GCP",
    "Unknown"
  )
| extend ToolCategory = case(
    ProcessCommandLine has_any ("Invoke-AzureHound", "roadrecon", "roadtools", "AADInternals", "Get-AADInt", "Invoke-Pacu", "pacu"), "KnownOffensiveTool",
    ProcessCommandLine has_any ("Get-MsolRoleMember", "Get-MsolUser", "az ad user list", "aws iam list-users", "gcloud iam service-accounts list"), "BuiltInEnumeration",
    "Other"
  )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         CloudPlatform, ToolCategory
| sort by Timestamp desc

medium severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

IT administrators running legitimate user audits or access reviews using AZ CLI, AWS CLI, or PowerShell modules
Security teams running authorized Identity Governance assessments or access certifications
Automated scripts for user provisioning/deprovisioning that enumerate existing accounts before making changes
Cloud cost optimization or compliance tooling that enumerates IAM resources for reporting
DevOps pipeline scripts that validate service account existence before deployment

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
  (Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\cmd.exe" OR Image="*\\python.exe" OR Image="*\\python3.exe")
| eval CommandLine=lower(CommandLine)
| eval AzureEnum=if(match(CommandLine, "(get-msolrolemember|get-msoluser|get-azureaduser|get-azaduser|az\s+ad\s+user\s+list|az\s+ad\s+sp\s+list|az\s+role\s+assignment\s+list|az\s+account\s+list|get-msolserviceprincipal|get-msolgroup)"), 1, 0)
| eval AWSEnum=if(match(CommandLine, "(aws\s+iam\s+list-users|aws\s+iam\s+list-roles|aws\s+iam\s+list-groups|aws\s+iam\s+get-account-authorization-details|aws\s+iam\s+list-attached)"), 1, 0)
| eval GCPEnum=if(match(CommandLine, "(gcloud\s+iam\s+service-accounts\s+list|gcloud\s+projects\s+get-iam-policy|gcloud\s+organizations\s+get-iam-policy)"), 1, 0)
| eval OffensiveTool=if(match(CommandLine, "(invoke-azurehound|azurehound|roadrecon|roadtools|aadinternals|get-aadint|invoke-pacu|pacu)"), 1, 0)
| eval TotalScore=AzureEnum + AWSEnum + GCPEnum + OffensiveTool
| where TotalScore > 0
| eval CloudPlatform=case(
    AzureEnum=1, "Azure/M365",
    AWSEnum=1, "AWS",
    GCPEnum=1, "GCP",
    OffensiveTool=1, "Multi/Unknown",
    1=1, "Unknown"
  )
| eval Severity=if(OffensiveTool=1, "HIGH", "MEDIUM")
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, CloudPlatform, AzureEnum, AWSEnum, GCPEnum, OffensiveTool, Severity
| sort - _time

medium severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT administrators running legitimate user audits or access reviews using AZ CLI, AWS CLI, or PowerShell modules
Security teams running authorized Identity Governance assessments or access certifications
Automated scripts for user provisioning/deprovisioning that enumerate existing accounts before making changes
Cloud cost optimization or compliance tooling that enumerates IAM resources for reporting
DevOps pipeline scripts that validate service account existence before deployment

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(deviceTime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS Username,
  QIDNAME(qid) AS EventName,
  "CommandLine" AS CommandLine,
  "ParentCommandLine" AS ParentCommandLine,
  hostname AS Hostname,
  CASE
    WHEN LOWER("CommandLine") ILIKE '%get-msol%' OR LOWER("CommandLine") ILIKE '%get-azuread%'
         OR LOWER("CommandLine") ILIKE '%az ad %' OR LOWER("CommandLine") ILIKE '%az account %'
         OR LOWER("CommandLine") ILIKE '%aadinternals%' OR LOWER("CommandLine") ILIKE '%azurehound%'
         OR LOWER("CommandLine") ILIKE '%roadrecon%' THEN 'Azure/M365'
    WHEN LOWER("CommandLine") ILIKE '%aws iam%' THEN 'AWS'
    WHEN LOWER("CommandLine") ILIKE '%gcloud iam%' OR LOWER("CommandLine") ILIKE '%gcloud projects get-iam%'
         OR LOWER("CommandLine") ILIKE '%gcloud organizations%' THEN 'GCP'
    ELSE 'Multi/Unknown'
  END AS CloudPlatform,
  CASE
    WHEN LOWER("CommandLine") ILIKE '%invoke-azurehound%' OR LOWER("CommandLine") ILIKE '%roadrecon%'
         OR LOWER("CommandLine") ILIKE '%roadtools%' OR LOWER("CommandLine") ILIKE '%aadinternals%'
         OR LOWER("CommandLine") ILIKE '%get-aadint%' OR LOWER("CommandLine") ILIKE '%invoke-pacu%'
         OR LOWER("CommandLine") ILIKE '%pacu%' THEN 'HIGH'
    ELSE 'MEDIUM'
  END AS Severity
FROM events
WHERE
  (
    LOWER("CommandLine") ILIKE '%get-msolrolemember%' OR
    LOWER("CommandLine") ILIKE '%get-msoluser%' OR
    LOWER("CommandLine") ILIKE '%get-azureaduser%' OR
    LOWER("CommandLine") ILIKE '%get-azaduser%' OR
    LOWER("CommandLine") ILIKE '%az ad user list%' OR
    LOWER("CommandLine") ILIKE '%az ad sp list%' OR
    LOWER("CommandLine") ILIKE '%az role assignment list%' OR
    LOWER("CommandLine") ILIKE '%az account list%' OR
    LOWER("CommandLine") ILIKE '%aws iam list-users%' OR
    LOWER("CommandLine") ILIKE '%aws iam list-roles%' OR
    LOWER("CommandLine") ILIKE '%aws iam list-groups%' OR
    LOWER("CommandLine") ILIKE '%aws iam get-account-authorization-details%' OR
    LOWER("CommandLine") ILIKE '%gcloud iam service-accounts list%' OR
    LOWER("CommandLine") ILIKE '%gcloud projects get-iam-policy%' OR
    LOWER("CommandLine") ILIKE '%gcloud organizations get-iam-policy%' OR
    LOWER("CommandLine") ILIKE '%get-msolgroupmember%' OR
    LOWER("CommandLine") ILIKE '%get-msolserviceprincipal%' OR
    LOWER("CommandLine") ILIKE '%invoke-azurehound%' OR
    LOWER("CommandLine") ILIKE '%roadrecon%' OR
    LOWER("CommandLine") ILIKE '%roadtools%' OR
    LOWER("CommandLine") ILIKE '%aadinternals%' OR
    LOWER("CommandLine") ILIKE '%get-aadint%' OR
    LOWER("CommandLine") ILIKE '%invoke-pacu%'
  )
ORDER BY deviceTime DESC
LAST 24 HOURS

high severity high confidence

Data Sources

IBM QRadar WinCollect agent (Sysmon EventCode 1) Windows Security Event Log via WinCollect (EventCode 4688) QRadar Universal DSM for endpoint process telemetry

Required Tables

events

False Positives

Authorized cloud administrator scripts that periodically enumerate accounts for CMDB synchronization, user provisioning workflows, or license management reporting
Compliance automation tooling generating user access reports for SOC2 Type II, ISO 27001, or internal access certification campaigns
Cloud-native CI/CD pipelines (GitHub Actions, Azure DevOps, Jenkins) executing IAM validation or role verification steps during infrastructure-as-code deployments

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*winlogbeat*)
| where EventCode = 1 OR EventCode = 4688
| where !(isNull(CommandLine))
| where CommandLine matches /(?i).*(Get-MsolRoleMember|Get-MsolUser|Get-AzureADUser|Get-AzADUser|az\s+ad\s+user\s+list|az\s+ad\s+sp\s+list|az\s+role\s+assignment\s+list|az\s+account\s+list|aws\s+iam\s+list-users|aws\s+iam\s+list-roles|aws\s+iam\s+list-groups|aws\s+iam\s+get-account-authorization-details|gcloud\s+iam\s+service-accounts\s+list|gcloud\s+projects\s+get-iam-policy|gcloud\s+organizations\s+get-iam-policy|Get-MsolGroupMember|Get-MsolServicePrincipal|Invoke-AzureHound|roadrecon|roadtools|AADInternals|Get-AADInt|Invoke-Pacu|\bpacu\b).*/
| eval cmd_lower = toLowerCase(CommandLine)
| eval CloudPlatform = if(cmd_lower matches /(?i).*(get-msol|get-azuread|get-az|az\s+ad|az\s+account|aadinternals|azurehound|roadrecon).*/, "Azure/M365", if(cmd_lower matches /(?i).*aws\s+iam.*/, "AWS", if(cmd_lower matches /(?i).*(gcloud\s+iam|gcloud\s+projects|gcloud\s+organizations).*/, "GCP", "Multi/Unknown")))
| eval IsOffensiveTool = if(cmd_lower matches /(?i).*(invoke-azurehound|roadrecon|roadtools|aadinternals|get-aadint|invoke-pacu|\bpacu\b).*/, "true", "false")
| eval Severity = if(IsOffensiveTool = "true", "HIGH", "MEDIUM")
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, CloudPlatform, IsOffensiveTool, Severity
| sort by _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Installed Collector with Windows Event Log source (Security) Sysmon for Windows via Sumo Logic Installed Collector Sumo Logic OpenTelemetry Collector with hostmetrics/windowseventlog receiver

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon* _sourceCategory=*winlogbeat*

False Positives

IT operations teams running scheduled scripts to export cloud user inventories for HR offboarding processes, license reclamation, or stale account cleanup automation
Cloud FinOps or cost management platforms (Apptio, CloudHealth) that enumerate IAM roles and service accounts to correlate resource ownership with billing data
Penetration testers or red team operators with authorized engagement scope running from monitored endpoints — validate against approved change tickets and test IP allowlists before escalating

Google Chronicle / SecOps

yaral

rule t1087_004_cloud_account_enumeration {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects cloud account enumeration via scripting interpreters targeting Azure AD, AWS IAM, GCP IAM, and offensive frameworks (AzureHound, ROADtools, Pacu, AADInternals)"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1087.004"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.file.full_path = /powershell\.exe$|pwsh\.exe$|cmd\.exe$|python3?\.exe$/ nocase
    $e.target.process.command_line = /Get-MsolRoleMember|Get-MsolUser|Get-AzureADUser|Get-AzADUser|Get-MsolGroupMember|Get-MsolServicePrincipal|az\s+ad\s+user\s+list|az\s+ad\s+sp\s+list|az\s+role\s+assignment\s+list|az\s+account\s+list|aws\s+iam\s+list-users|aws\s+iam\s+list-roles|aws\s+iam\s+list-groups|aws\s+iam\s+get-account-authorization-details|gcloud\s+iam\s+service-accounts\s+list|gcloud\s+projects\s+get-iam-policy|gcloud\s+organizations\s+get-iam-policy|Invoke-AzureHound|roadrecon|roadtools|AADInternals|Get-AADInt|Invoke-Pacu/ nocase

  condition:
    $e
}

high severity high confidence

Data Sources

Chronicle Forwarder (Windows Event Logs via Sysmon/Security) Google Workspace Chronicle integration CrowdStrike Falcon telemetry via Chronicle UDM ingestion Carbon Black EDR via Chronicle UDM

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives

Cloud infrastructure automation tools such as Terraform, Pulumi, or Ansible executing IAM enumeration during state reconciliation, drift detection, or infrastructure provisioning on monitored hosts
Security operations center analysts running cloud account audits with administrative PowerShell on dedicated privileged access workstations (PAWs) during quarterly access review cycles
Automated employee onboarding or offboarding workflows in HR platforms (ServiceNow, Workday integrations) invoking az/aws/gcloud CLIs to manage user lifecycle events from orchestration servers

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| FileName = /^(powershell|pwsh|cmd|python3?)\.exe$/i
| CommandLine = /Get-MsolRoleMember|Get-MsolUser|Get-AzureADUser|Get-AzADUser|Get-MsolGroupMember|Get-MsolServicePrincipal|az\s+ad\s+user\s+list|az\s+ad\s+sp\s+list|az\s+role\s+assignment\s+list|az\s+account\s+list|aws\s+iam\s+list-users|aws\s+iam\s+list-roles|aws\s+iam\s+list-groups|aws\s+iam\s+get-account-authorization-details|gcloud\s+iam\s+service-accounts\s+list|gcloud\s+projects\s+get-iam-policy|gcloud\s+organizations\s+get-iam-policy|Invoke-AzureHound|roadrecon|roadtools|AADInternals|Get-AADInt|Invoke-Pacu|\bpacu\b/i
| CloudPlatform := if(CommandLine = /(?i)(Get-Msol|Get-AzureAD|Get-AzAD|az\s+ad|az\s+account|AADInternals|AzureHound|roadrecon)/, "Azure/M365", if(CommandLine = /(?i)aws\s+iam/, "AWS", if(CommandLine = /(?i)(gcloud\s+iam|gcloud\s+projects|gcloud\s+organizations)/, "GCP", "Multi/Unknown")))
| IsOffensiveTool := if(CommandLine = /(?i)(Invoke-AzureHound|roadrecon|roadtools|AADInternals|Get-AADInt|Invoke-Pacu|\bpacu\b)/, "true", "false")
| Severity := if(IsOffensiveTool = "true", "HIGH", "MEDIUM")
| table([_time, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, CloudPlatform, IsOffensiveTool, Severity])
| sort(field=_time, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Insight EDR sensor (ProcessRollup2 event stream) CrowdStrike Falcon agent on Windows endpoints with full process telemetry enabled

Required Tables

ProcessRollup2 (#event_simpleName)

False Positives

System administrators using Falcon-monitored endpoints to run az, aws, or gcloud CLI commands for routine IAM management, access reviews, or cloud infrastructure maintenance tasks
Cloud engineers executing interactive PowerShell sessions with Az/AzureAD modules from developer workstations that are protected by the Falcon sensor
Authorized red team or internal penetration test activity on Falcon-monitored systems — verify against pre-authorized testing windows and scope documents before escalating to IR

Last updated: 2026-04-13 Research depth: deep

References (14)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1087.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Cloud Account

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Discovery

Popular Detections