T1538 Google Chronicle · YARA-L

Detect Cloud Service Dashboard in Google Chronicle

An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. Cloud service dashboards (AWS Management Console, Azure Portal, GCP Cloud Console) provide rich graphical interfaces that may expose more configuration details than programmatic API calls, allowing adversaries to enumerate running instances, storage buckets, IAM roles, network configurations, and security findings. Because dashboard access uses standard web browser sessions, it may blend into legitimate user activity and bypass controls focused on API-level telemetry. Scattered Spider, for example, abused AWS Systems Manager Inventory after gaining console access to identify lateral movement targets.

MITRE ATT&CK

Tactic
Discovery
Technique
T1538 Cloud Service Dashboard
Canonical reference
https://attack.mitre.org/techniques/T1538/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule t1538_cloud_service_dashboard_suspicious_access {
  meta:
    author = "df00tech"
    description = "Detects suspicious cloud service dashboard access (T1538) via anomalous sign-ins to Azure Portal, AWS Management Console, or GCP Cloud Console with compound risk indicators"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1538"
    severity = "MEDIUM"
    priority = "MEDIUM"
    created = "2026-04-20"
    reference = "https://attack.mitre.org/techniques/T1538/"

  events:
    $login.metadata.event_type = "USER_LOGIN"
    (
      $login.target.application in nocase (
        "Azure Portal",
        "Microsoft Azure Portal",
        "AWS Management Console",
        "Google Cloud Console",
        "Azure Active Directory Portal",
        "Microsoft 365 admin center"
      )
      or $login.metadata.product_name in nocase (
        "Azure Active Directory",
        "Amazon CloudTrail",
        "Google Cloud Identity"
      )
    )
    (
      $login.principal.location.country_or_region in (
        "China", "Russia", "North Korea", "Iran", "Belarus", "Cuba", "Syria"
      )
      or $login.security_result.severity in ("HIGH", "CRITICAL")
      or $login.extensions.auth.auth_details = "SINGLE_FACTOR"
      or $login.security_result.action = "BLOCK"
      or $login.target.user.attribute.roles.name = "Root"
    )
    $user = $login.principal.user.userid

  condition:
    $login
}
medium severity medium confidence

Chronicle YARA-L 2.0 rule detecting T1538 Cloud Service Dashboard access by matching USER_LOGIN UDM events to cloud console application names and filtering on compound risk signals: high-risk country origin, single-factor authentication, elevated security result severity, blocked access attempts, or root account usage. Requires cloud identity log ingestion via Chronicle forwarders.

Data Sources

Google Chronicle UDM (Azure AD via Chronicle forwarder or Bindplane)Google Chronicle UDM (AWS CloudTrail via Chronicle S3 ingestion)Google Chronicle UDM (GCP Cloud Identity and Access Management)

Required Tables

UDM USER_LOGIN event stream

False Positives & Tuning

  • Global enterprise users authenticating to cloud dashboards from high-risk geolocation codes due to regional business offices or partner network egress points in flagged countries
  • Security teams conducting tabletop exercises or red team operations that generate blocked or single-factor cloud console login events during authorized testing windows
  • Federated identity providers routing authentication through regions that appear as high-risk countries in geolocation databases due to IP space allocation mismatches
Download portable Sigma rule (.yml)

Other platforms for T1538

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1AWS Console Sign-In URL Generation via STS (Federated Access Simulation)

    Expected signal: AWS CloudTrail: GetFederationToken event from userIdentity of the caller IAM user, with requestParameters showing the policy document. The ConsoleLogin event in CloudTrail (eventSource: signin.amazonaws.com) fires when the generated URL is clicked in a browser, with additionalEventData.MFAUsed=No and userIdentity.type=FederatedUser.

  2. Test 2AWS Systems Manager Inventory Enumeration Post-Console-Access (Scattered Spider TTP)

    Expected signal: AWS CloudTrail: DescribeInstanceInformation (eventName), ListInventoryEntries, and ListDocuments events under eventSource=ssm.amazonaws.com. All events carry the caller's IAM identity, source IP, userAgent (aws-cli or browser), and requestParameters. If called from a browser console session, the userIdentity.sessionContext will reference the console session.

  3. Test 3Azure Portal Resource Enumeration via Azure CLI (Stolen Token Simulation)

    Expected signal: AzureActivity table in Sentinel: Microsoft.Resources/subscriptions/read, Microsoft.Resources/resourceGroups/read, Microsoft.Compute/virtualMachines/read, Microsoft.Storage/storageAccounts/read events with Caller matching the authenticated user principal. AADSignInLogs: service principal or user sign-in event for Azure CLI app (appId: 04b07795-8ddb-461a-bbee-02f9e1bf7b46). All events carry the source IP of the machine running the CLI.

  4. Test 4GCP Cloud Console Asset Enumeration via gcloud CLI

    Expected signal: GCP Cloud Audit Logs: cloudresourcemanager.googleapis.com/projects.list, compute.instances.list, storage.buckets.list, iam.projects.getIamPolicy, and securitycenter.findings.list data access events. All entries include principalEmail (the caller), callerIp, userAgent (cloud-sdk/gcloud), and methodName. These logs appear in Cloud Audit Logs — Data Access log type and can be exported to Splunk via Pub/Sub or to Sentinel via the GCP connector.

Last updated: 2026-04-20 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1538 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1078.004Cloud AccountsT1087.004Cloud AccountT1530Data from Cloud StorageT1537Transfer Data to Cloud AccountT1526Cloud Service DiscoveryT1613Container and Resource DiscoveryT1069.003Cloud GroupsT1580Cloud Infrastructure DiscoveryT1110.003Password SprayingT1621Multi-Factor Authentication Request Generation

Same Tactic: Discovery

Popular Detections