Detect Cloud Account in IBM QRadar
Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. With authenticated access, commands such as Get-MsolRoleMember, az ad user list, aws iam list-users, aws iam list-roles, and gcloud iam service-accounts list can enumerate cloud accounts across Azure AD, AWS IAM, and GCP. Tools like ROADTools, AADInternals, AzureHound, and Pacu have been used by threat actors including APT29 and Storm-0501 to conduct this activity.
MITRE ATT&CK
- Tactic: Discovery
- Technique: T1087 Account Discovery
- Sub-technique: T1087.004 Cloud Account
- Canonical reference: https://attack.mitre.org/techniques/T1087/004/
QRadar Detection Query
```sql
SELECT
DATEFORMAT(deviceTime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
sourceip AS SourceIP,
username AS Username,
QIDNAME(qid) AS EventName,
"CommandLine" AS CommandLine,
"ParentCommandLine" AS ParentCommandLine,
hostname AS Hostname,
CASE
WHEN LOWER("CommandLine") ILIKE '%get-msol%' OR LOWER("CommandLine") ILIKE '%get-azuread%'
OR LOWER("CommandLine") ILIKE '%az ad %' OR LOWER("CommandLine") ILIKE '%az account %'
OR LOWER("CommandLine") ILIKE '%aadinternals%' OR LOWER("CommandLine") ILIKE '%azurehound%'
OR LOWER("CommandLine") ILIKE '%roadrecon%' THEN 'Azure/M365'
WHEN LOWER("CommandLine") ILIKE '%aws iam%' THEN 'AWS'
WHEN LOWER("CommandLine") ILIKE '%gcloud iam%' OR LOWER("CommandLine") ILIKE '%gcloud projects get-iam%'
OR LOWER("CommandLine") ILIKE '%gcloud organizations%' THEN 'GCP'
ELSE 'Multi/Unknown'
END AS CloudPlatform,
CASE
WHEN LOWER("CommandLine") ILIKE '%invoke-azurehound%' OR LOWER("CommandLine") ILIKE '%roadrecon%'
OR LOWER("CommandLine") ILIKE '%roadtools%' OR LOWER("CommandLine") ILIKE '%aadinternals%'
OR LOWER("CommandLine") ILIKE '%get-aadint%' OR LOWER("CommandLine") ILIKE '%invoke-pacu%'
OR LOWER("CommandLine") ILIKE '%pacu%' THEN 'HIGH'
ELSE 'MEDIUM'
END AS Severity
FROM events
WHERE
(
LOWER("CommandLine") ILIKE '%get-msolrolemember%' OR
LOWER("CommandLine") ILIKE '%get-msoluser%' OR
LOWER("CommandLine") ILIKE '%get-azureaduser%' OR
LOWER("CommandLine") ILIKE '%get-azaduser%' OR
LOWER("CommandLine") ILIKE '%az ad user list%' OR
LOWER("CommandLine") ILIKE '%az ad sp list%' OR
LOWER("CommandLine") ILIKE '%az role assignment list%' OR
LOWER("CommandLine") ILIKE '%az account list%' OR
LOWER("CommandLine") ILIKE '%aws iam list-users%' OR
LOWER("CommandLine") ILIKE '%aws iam list-roles%' OR
LOWER("CommandLine") ILIKE '%aws iam list-groups%' OR
LOWER("CommandLine") ILIKE '%aws iam get-account-authorization-details%' OR
LOWER("CommandLine") ILIKE '%gcloud iam service-accounts list%' OR
LOWER("CommandLine") ILIKE '%gcloud projects get-iam-policy%' OR
LOWER("CommandLine") ILIKE '%gcloud organizations get-iam-policy%' OR
LOWER("CommandLine") ILIKE '%get-msolgroupmember%' OR
LOWER("CommandLine") ILIKE '%get-msolserviceprincipal%' OR
LOWER("CommandLine") ILIKE '%invoke-azurehound%' OR
LOWER("CommandLine") ILIKE '%roadrecon%' OR
LOWER("CommandLine") ILIKE '%roadtools%' OR
LOWER("CommandLine") ILIKE '%aadinternals%' OR
LOWER("CommandLine") ILIKE '%get-aadint%' OR
LOWER("CommandLine") ILIKE '%invoke-pacu%'
)
ORDER BY deviceTime DESC
LAST 24 HOURS
```

This IBM QRadar AQL query detects cloud account enumeration using ILIKE pattern matching on the CommandLine field of Windows process event logs (Sysmon EventCode 1 or Windows Security EventCode 4688). It enriches each result with CloudPlatform and Severity classifications via CASE expressions. It requires the CommandLine and ParentCommandLine custom event properties to be mapped in QRadar; events without a parsed CommandLine property never match the WHERE clause.
False Positives & Tuning
- Authorized cloud administrator scripts that periodically enumerate accounts for CMDB synchronization, user provisioning workflows, or license management reporting
- Compliance automation tooling generating user access reports for SOC2 Type II, ISO 27001, or internal access certification campaigns
- Cloud-native CI/CD pipelines (GitHub Actions, Azure DevOps, Jenkins) executing IAM validation or role verification steps during infrastructure-as-code deployments
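To exercise the rule logic above and the tuning cases just listed without a QRadar instance, the following Python replica (an added example, not code from the original page or from IBM) reproduces the WHERE patterns and both CASE expressions over constructed Sysmon-style process records, and adds a hypothetical (hostname, username) allowlist for sanctioned automation that the original AQL does not have:

```python
# Substring patterns from the rule's WHERE clause; ILIKE is case-insensitive,
# so a lower-cased substring test reproduces it.
TRIGGER_PATTERNS = (
    "get-msolrolemember", "get-msoluser", "get-azureaduser", "get-azaduser",
    "az ad user list", "az ad sp list", "az role assignment list", "az account list",
    "aws iam list-users", "aws iam list-roles", "aws iam list-groups",
    "aws iam get-account-authorization-details", "gcloud iam service-accounts list",
    "gcloud projects get-iam-policy", "gcloud organizations get-iam-policy",
    "get-msolgroupmember", "get-msolserviceprincipal", "invoke-azurehound",
    "roadrecon", "roadtools", "aadinternals", "get-aadint", "invoke-pacu",
)
# CloudPlatform CASE expression; evaluated in order, first match wins.
PLATFORM_RULES = (
    ("Azure/M365", ("get-msol", "get-azuread", "az ad ", "az account ",
                    "aadinternals", "azurehound", "roadrecon")),
    ("AWS", ("aws iam",)),
    ("GCP", ("gcloud iam", "gcloud projects get-iam", "gcloud organizations")),
)
# Severity CASE expression: known offensive tooling is HIGH, native CLIs MEDIUM.
HIGH_PATTERNS = ("invoke-azurehound", "roadrecon", "roadtools", "aadinternals",
                 "get-aadint", "invoke-pacu", "pacu")

def evaluate(event, allowlist=frozenset()):
    """Apply the rule to one process-creation record and return the enriched
    alert as a dict, or None. `allowlist` holds (hostname, username) pairs for
    sanctioned automation: an added tuning knob, not part of the original AQL."""
    cmd = event.get("CommandLine", "").lower()
    if not any(p in cmd for p in TRIGGER_PATTERNS):
        return None
    if (event["hostname"], event["username"]) in allowlist:
        return None
    platform = next((name for name, pats in PLATFORM_RULES
                     if any(p in cmd for p in pats)), "Multi/Unknown")
    severity = "HIGH" if any(p in cmd for p in HIGH_PATTERNS) else "MEDIUM"
    return {"hostname": event["hostname"], "username": event["username"],
            "CloudPlatform": platform, "Severity": severity}

# Constructed sample events (Sysmon EventCode 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {"hostname": "WS01", "username": "jdoe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-MsolRoleMember"},
    {"hostname": "BUILD01", "username": "svc-iac", "CommandLine": "aws iam list-roles"},
    {"hostname": "WS02", "username": "jdoe", "CommandLine": "roadrecon.exe gather"},
    {"hostname": "WS03", "username": "bob", "CommandLine": "az login"},
]
ALLOWLIST = frozenset({("BUILD01", "svc-iac")})  # constructed: sanctioned IaC host

def run(events=SAMPLE_EVENTS, allowlist=ALLOWLIST):
    """Alerts the rule would raise for `events` after allowlist tuning."""
    return [a for a in (evaluate(e, allowlist) for e in events) if a is not None]
```

Running it shows the pipeline host's aws iam list-roles suppressed by the allowlist while the interactive Get-MsolRoleMember and roadrecon executions still alert at MEDIUM and HIGH respectively.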
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Azure AD User Enumeration via AZ CLI
Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe or powershell.exe, CommandLine containing 'az ad user list'. The Azure AD Audit Log will record 'List users' operations attributed to the authenticated service principal or user.
- Test 2: AWS IAM User and Role Enumeration
Expected signal: Sysmon Event ID 1: Process Create for each aws CLI invocation with CommandLine containing 'aws iam list-users', 'aws iam list-roles', and 'aws iam get-account-authorization-details'. Sysmon Event ID 11: File Create for iam_dump.json in TEMP directory. AWS CloudTrail will record ListUsers, ListRoles, GetAccountAuthorizationDetails API calls.
- Test 3: Azure AD Enumeration via PowerShell MSOnline Module
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-MsolUser', 'Get-MsolRoleMember'. PowerShell ScriptBlock Log Event ID 4104 with full module import and cmdlet invocation. Sysmon Event ID 11: File Create for msol_users.csv. Azure AD Audit Logs will record 'List users' and 'Get member' operations.
- Test 4: GCP IAM Service Account Enumeration
Expected signal: Linux auditd or syslog: process execution of gcloud with arguments 'iam service-accounts list' and 'projects get-iam-policy'. GCP Cloud Audit Logs will record iam.serviceAccounts.list and cloudresourcemanager.projects.getIamPolicy Admin Activity operations attributed to the authenticated user or service account.
- Test 5: Azure AD Enumeration via ROADTools (roadrecon)
Expected signal: Sysmon Event ID 1: Process Create for pip install (python.exe) and roadrecon.exe invocations with 'auth' and 'gather' subcommands. Sysmon Event ID 11: File Create for roadrecon_output.db in TEMP directory. Network connections from python.exe to login.microsoftonline.com and graph.microsoft.com. Azure AD Audit Logs will show bulk 'List users', 'List groups', 'List applications' operations.
References (14)
- https://attack.mitre.org/techniques/T1087/004/
- https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrolemember?view=azureadps-1.0
- https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
- https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html
- https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html
- https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list
- https://github.com/True-Demon/raindance
- https://dirkjanm.io/introducing-roadtools-framework/
- https://o365blog.com/aadinternals/
- https://github.com/BloodHoundAD/AzureHound
- https://github.com/RhinoSecurityLabs/pacu
- https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/
- https://www.microsoft.com/en-us/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.004/T1087.004.md