title: Cloud API (T1059.009)
id: df00tech-t1059-009
status: experimental
description: "Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through CLIs (aws, az, gcloud), in-browser Cloud Shells, PowerShell modules, or SDKs. With proper permissions, adversaries may abuse cloud APIs to invoke functions across compute, storage, IAM, networking, and security services. APT29 has leveraged the Microsoft Graph API, TeamTNT has used AWS CLI with compromised credentials, and Storm-0501 has used cloud CLI for data exfiltration."
references:
  - https://attack.mitre.org/techniques/T1059/009/
  - https://df00tech.com/detections/T1059.009
author: df00tech
date: 2026/04/17
tags:
  - attack.t1059.009
# NOTE: logsource is auto-derived and may need adjustment for your environment.
# The technique spans AWS, Azure and GCP APIs, and the falsepositives below reference AWS
# services (IAM, Lambda, CloudFormation), so set product/service to match the cloud audit
# log you actually ingest (e.g. CloudTrail, Azure Activity/Entra audit, GCP audit logs).
logsource:
  product: azure
detection:
  # PLACEHOLDER: this selection matches every event (EventID: '*') and will fire on all activity.
  # The detection logic could not be auto-translated; do not deploy this rule as-is.
  # See the KQL/SPL query on df00tech and replace the selection with the real conditions.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Cloud administrators creating IAM users and roles during onboarding or infrastructure provisioning
  - "Infrastructure-as-Code tools (Terraform, CloudFormation, Pulumi) creating cloud resources programmatically"
  - CI/CD pipelines deploying Lambda functions or updating compute resources
level: high
