title: Cloud Groups (T1069.003)
id: df00tech-t1069-003
status: experimental
description: "Adversaries may attempt to find cloud groups and permission settings to understand role assignments, privilege levels, and group memberships within a cloud environment. Tools such as Get-MsolRole (Office 365), az ad user get-member-groups (Azure CLI), ROADTools, AADInternals, and Pacu are used to enumerate cloud identity groups. In AWS, ListRolePolicies and ListAttachedRolePolicies enumerate role policies. Adversaries use this information to identify privileged accounts, determine lateral movement paths, and select targets for privilege escalation."
references:
  - https://attack.mitre.org/techniques/T1069/003/
  - https://df00tech.com/detections/T1069.003
author: df00tech
date: 2026/04/17
tags:
  - attack.t1069.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
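  # The original detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # Interim selection (an assumption, not the df00tech query): match the command-line
  # tools named in the description. The previous placeholder, EventID: '*', matched
  # every process creation event.
  selection:
    CommandLine|contains:
      - 'Get-MsolRole'
      - 'ad user get-member-groups'
      - 'AADInternals'
  condition: selection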
falsepositives:
  - IT administrators performing routine group membership audits or access reviews using the AzureAD PowerShell module
  - Microsoft Entra ID Governance access reviews that programmatically list group memberships
  - "SIEM or CSPM tools (Defender for Cloud, Prisma Cloud) that periodically enumerate groups for compliance checks"
  - HR onboarding automation scripts that query group memberships to provision or deprovision user access
  - Azure DevOps pipelines with service principals that enumerate role assignments for deployment validation
level: medium
