title: Cloud Account (T1087.004)
id: df00tech-t1087-004
status: experimental
description: "Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. With authenticated access, tools such as Get-MsolRoleMember, az ad user list, aws iam list-users, aws iam list-roles, and gcloud iam service-accounts list can enumerate cloud accounts across Azure AD, AWS IAM, and GCP. Tools like ROADTools, AADInternals, AzureHound, and Pacu have been used by threat actors including APT29 and Storm-0501 to conduct this activity."
references:
  - https://attack.mitre.org/techniques/T1087/004/
  - https://df00tech.com/detections/T1087.004
author: df00tech
date: 2026/04/13
tags:
  - attack.t1087.004
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
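  # Auto-translation failed (see the KQL/SPL query on df00tech); as a stand-in, match the CLI commands named in the description.
  selection:
    CommandLine|contains:
      - 'Get-MsolRoleMember'
      - 'az ad user list'
      - 'aws iam list-users'
      - 'aws iam list-roles'
      - 'gcloud iam service-accounts list'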
  condition: selection
falsepositives:
  - "IT administrators running legitimate user audits or access reviews using AZ CLI, AWS CLI, or PowerShell modules"
  - Security teams running authorized Identity Governance assessments or access certifications
  - Automated scripts for user provisioning/deprovisioning that enumerate existing accounts before making changes
  - Cloud cost optimization or compliance tooling that enumerates IAM resources for reporting
  - DevOps pipeline scripts that validate service account existence before deployment
level: medium
