Detect Cloud Account in Sumo Logic CSE
Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. With authenticated access, tools such as Get-MsolRoleMember, az ad user list, aws iam list-users, aws iam list-roles, and gcloud iam service-accounts list can enumerate cloud accounts across Azure AD, AWS IAM, and GCP. Tools like ROADTools, AADInternals, AzureHound, and Pacu have been used by threat actors including APT29 and Storm-0501 to conduct this activity.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1087 Account Discovery
- Sub-technique
- T1087.004 Cloud Account
- Canonical reference
- https://attack.mitre.org/techniques/T1087/004/
Sumo Detection Query
(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*winlogbeat*)
| where EventCode = 1 OR EventCode = 4688
| where !(isNull(CommandLine))
| where CommandLine matches /(?i).*(Get-MsolRoleMember|Get-MsolUser|Get-AzureADUser|Get-AzADUser|az\s+ad\s+user\s+list|az\s+ad\s+sp\s+list|az\s+role\s+assignment\s+list|az\s+account\s+list|aws\s+iam\s+list-users|aws\s+iam\s+list-roles|aws\s+iam\s+list-groups|aws\s+iam\s+get-account-authorization-details|gcloud\s+iam\s+service-accounts\s+list|gcloud\s+projects\s+get-iam-policy|gcloud\s+organizations\s+get-iam-policy|Get-MsolGroupMember|Get-MsolServicePrincipal|Invoke-AzureHound|roadrecon|roadtools|AADInternals|Get-AADInt|Invoke-Pacu|\bpacu\b).*/
| eval cmd_lower = toLowerCase(CommandLine)
| eval CloudPlatform = if(cmd_lower matches /(?i).*(get-msol|get-azuread|get-az|az\s+ad|az\s+account|aadinternals|azurehound|roadrecon).*/, "Azure/M365", if(cmd_lower matches /(?i).*aws\s+iam.*/, "AWS", if(cmd_lower matches /(?i).*(gcloud\s+iam|gcloud\s+projects|gcloud\s+organizations).*/, "GCP", "Multi/Unknown")))
| eval IsOffensiveTool = if(cmd_lower matches /(?i).*(invoke-azurehound|roadrecon|roadtools|aadinternals|get-aadint|invoke-pacu|\bpacu\b).*/, "true", "false")
| eval Severity = if(IsOffensiveTool = "true", "HIGH", "MEDIUM")
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, CloudPlatform, IsOffensiveTool, Severity
| sort by _messageTime descSumo Logic search query detecting cloud account enumeration by matching process command lines in Windows Sysmon (EventCode 1) and Security (EventCode 4688) logs. Uses regex matching to identify Azure AD, AWS IAM, and GCP enumeration patterns with eval-based enrichment for cloud platform classification and offensive tool flagging.
Data Sources
Required Tables
False Positives & Tuning
- IT operations teams running scheduled scripts to export cloud user inventories for HR offboarding processes, license reclamation, or stale account cleanup automation
- Cloud FinOps or cost management platforms (Apptio, CloudHealth) that enumerate IAM roles and service accounts to correlate resource ownership with billing data
- Penetration testers or red team operators with authorized engagement scope running from monitored endpoints — validate against approved change tickets and test IP allowlists before escalating
Other platforms for T1087.004
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Azure AD User Enumeration via AZ CLI
Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe or powershell.exe, CommandLine containing 'az ad user list'. The Azure AD Audit Log will record 'List users' operations attributed to the authenticated service principal or user.
- Test 2AWS IAM User and Role Enumeration
Expected signal: Sysmon Event ID 1: Process Create for each aws CLI invocation with CommandLine containing 'aws iam list-users', 'aws iam list-roles', and 'aws iam get-account-authorization-details'. Sysmon Event ID 11: File Create for iam_dump.json in TEMP directory. AWS CloudTrail will record ListUsers, ListRoles, GetAccountAuthorizationDetails API calls.
- Test 3Azure AD Enumeration via PowerShell MSOnline Module
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-MsolUser', 'Get-MsolRoleMember'. PowerShell ScriptBlock Log Event ID 4104 with full module import and cmdlet invocation. Sysmon Event ID 11: File Create for msol_users.csv. Azure AD Audit Logs will record 'List users' and 'Get member' operations.
- Test 4GCP IAM Service Account Enumeration
Expected signal: Linux auditd or syslog: process execution of gcloud with arguments 'iam service-accounts list' and 'projects get-iam-policy'. GCP Cloud Audit Logs will record iam.serviceAccounts.list and cloudresourcemanager.projects.getIamPolicy Admin Activity operations attributed to the authenticated user or service account.
- Test 5Azure AD Enumeration via ROADTools (roadrecon)
Expected signal: Sysmon Event ID 1: Process Create for pip install (python.exe) and roadrecon.exe invocations with 'auth' and 'gather' subcommands. Sysmon Event ID 11: File Create for roadrecon_output.db in TEMP directory. Network connections from python.exe to login.microsoftonline.com and graph.microsoft.com. Azure AD Audit Logs will show bulk 'List users', 'List groups', 'List applications' operations.
References (14)
- https://attack.mitre.org/techniques/T1087/004/
- https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrolemember?view=azureadps-1.0
- https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
- https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html
- https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html
- https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list
- https://github.com/True-Demon/raindance
- https://dirkjanm.io/introducing-roadtools-framework/
- https://o365blog.com/aadinternals/
- https://github.com/BloodHoundAD/AzureHound
- https://github.com/RhinoSecurityLabs/pacu
- https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/
- https://www.microsoft.com/en-us/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.004/T1087.004.md
Unlock Pro Content
Get the full detection package for T1087.004 including response playbook, investigation guide, and atomic red team tests.