Detect Cloud Service Dashboard in CrowdStrike LogScale
An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. Cloud service dashboards (AWS Management Console, Azure Portal, GCP Cloud Console) provide rich graphical interfaces that may expose more configuration details than programmatic API calls, allowing adversaries to enumerate running instances, storage buckets, IAM roles, network configurations, and security findings. Because dashboard access uses standard web browser sessions, it may blend into legitimate user activity and bypass controls focused on API-level telemetry. Scattered Spider, for example, abused AWS Systems Manager Inventory after gaining console access to identify lateral movement targets.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1538 Cloud Service Dashboard
- Canonical reference
- https://attack.mitre.org/techniques/T1538/
LogScale Detection Query
// Detect cloud service dashboard access via Falcon endpoint DNS telemetry
// Identifies hosts making repeated DNS lookups to major cloud provider console hostnames
#event_simpleName = "DnsRequest"
| filter(DomainName = /(?i)(console\.aws\.amazon\.com|signin\.aws\.amazon\.com|portal\.azure\.com|aad\.portal\.azure\.com|console\.cloud\.google\.com|admin\.microsoft\.com|devops\.azure\.com)/)
| groupBy([aid, UserName, ComputerName], function=[
count(as=DnsRequestCount),
collect(DomainName, as=CloudDomainsAccessed),
min(@timestamp, as=FirstAccessMs),
max(@timestamp, as=LastAccessMs)
])
| eval SessionDurationMinutes = (LastAccessMs - FirstAccessMs) / 60000
| where DnsRequestCount > 5
| sort(DnsRequestCount, order=desc)
| select([ComputerName, UserName, CloudDomainsAccessed, DnsRequestCount, SessionDurationMinutes, FirstAccessMs, LastAccessMs])CrowdStrike LogScale query detecting T1538 Cloud Service Dashboard access by aggregating Falcon endpoint DnsRequest events for major cloud provider console hostnames (AWS, Azure, GCP). Flags hosts with repeated DNS lookups to cloud dashboards, grouping by user and endpoint to surface sustained browsing sessions. Best combined with Falcon Identity Protection alerts for authentication context.
Data Sources
Required Tables
False Positives & Tuning
- DevOps engineers and cloud architects making frequent DNS lookups to cloud provider consoles during routine infrastructure management, deployments, and monitoring activities
- Automated scripts, Terraform runs, or infrastructure-as-code pipelines generating sustained DNS resolution bursts to cloud console domains as part of legitimate provisioning workflows
- Security monitoring tools or SIEM health-check agents polling cloud provider console URLs for availability checks, generating high-volume DNS request patterns that exceed thresholds
Other platforms for T1538
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AWS Console Sign-In URL Generation via STS (Federated Access Simulation)
Expected signal: AWS CloudTrail: GetFederationToken event from userIdentity of the caller IAM user, with requestParameters showing the policy document. The ConsoleLogin event in CloudTrail (eventSource: signin.amazonaws.com) fires when the generated URL is clicked in a browser, with additionalEventData.MFAUsed=No and userIdentity.type=FederatedUser.
- Test 2AWS Systems Manager Inventory Enumeration Post-Console-Access (Scattered Spider TTP)
Expected signal: AWS CloudTrail: DescribeInstanceInformation (eventName), ListInventoryEntries, and ListDocuments events under eventSource=ssm.amazonaws.com. All events carry the caller's IAM identity, source IP, userAgent (aws-cli or browser), and requestParameters. If called from a browser console session, the userIdentity.sessionContext will reference the console session.
- Test 3Azure Portal Resource Enumeration via Azure CLI (Stolen Token Simulation)
Expected signal: AzureActivity table in Sentinel: Microsoft.Resources/subscriptions/read, Microsoft.Resources/resourceGroups/read, Microsoft.Compute/virtualMachines/read, Microsoft.Storage/storageAccounts/read events with Caller matching the authenticated user principal. AADSignInLogs: service principal or user sign-in event for Azure CLI app (appId: 04b07795-8ddb-461a-bbee-02f9e1bf7b46). All events carry the source IP of the machine running the CLI.
- Test 4GCP Cloud Console Asset Enumeration via gcloud CLI
Expected signal: GCP Cloud Audit Logs: cloudresourcemanager.googleapis.com/projects.list, compute.instances.list, storage.buckets.list, iam.projects.getIamPolicy, and securitycenter.findings.list data access events. All entries include principalEmail (the caller), callerIp, userAgent (cloud-sdk/gcloud), and methodName. These logs appear in Cloud Audit Logs — Data Access log type and can be exported to Splunk via Pub/Sub or to Sentinel via the GCP connector.
References (8)
- https://attack.mitre.org/techniques/T1538/
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html
- https://cloud.google.com/security-command-center/docs/quickstart-scc-dashboard
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
- https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema
- https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity
- https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-inventory-about.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1538/T1538.md
Unlock Pro Content
Get the full detection package for T1538 including response playbook, investigation guide, and atomic red team tests.