title: Cloud Service Dashboard (T1538)
id: df00tech-t1538
status: experimental
description: "An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. Cloud service dashboards (AWS Management Console, Azure Portal, GCP Cloud Console) provide rich graphical interfaces that may expose more configuration details than programmatic API calls, allowing adversaries to enumerate running instances, storage buckets, IAM roles, network configurations, and security findings. Because dashboard access uses standard web browser sessions, it may blend into legitimate user activity and bypass controls focused on API-level telemetry. Scattered Spider, for example, abused AWS Systems Manager Inventory after gaining console access to identify lateral movement targets."
references:
  - https://attack.mitre.org/techniques/T1538/
  - https://df00tech.com/detections/T1538
author: df00tech
date: 2026/04/20
tags:
  - attack.t1538
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
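  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder: the '*' wildcard matches any EventID value,
  # so it encodes none of the dashboard sign-in logic and must be replaced before deployment.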
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate system administrators accessing cloud dashboards from travel locations or home offices with VPN egress IPs in unexpected geographic regions
  - Security operations teams conducting cloud configuration audits or compliance reviews using personal accounts that trigger risk signals
  - "Automated monitoring tools that use service accounts to access Azure Portal for health-check dashboards, generating sign-in log entries"
  - "Cloud contractors or third-party vendors accessing client environments from their own corporate IP ranges, which may appear anomalous to the tenant"
  - Azure AD Identity Protection false positives on risk scoring for users with atypical but legitimate travel or remote work patterns
level: medium
