
DET0251 Behavioral Detection of Cloud Group Enumeration via API and CLI Access

Item          | Value
ID            | DET0251
Version       | 1.0
Created       | 21 October 2025
Last Modified | 21 October 2025

Technique Detected: T1069.003 (Cloud Groups)

Analytics

IaaS

AN0695

Detects adversarial use of cloud-native identity APIs (e.g., AWS IAM, Azure RBAC, Google Cloud IAM) to enumerate cloud group memberships or group-to-policy mappings from unauthorized sessions or scripts.

Log Sources
Data Component             | Name           | Channel
Group Enumeration (DC0099) | AWS:CloudTrail | ListGroups, ListAttachedRolePolicies
Mutable Elements
Field       | Description
UserContext | Scope to anomalous IAM principals or assume-role usage.
TimeWindow  | Correlate enumeration activity within lateral movement prep windows.
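The following is an added example of the AN0695 logic run over constructed CloudTrail records; it is not code from the ATT&CK page or from MITRE. It scopes to principals outside a hypothetical baseline (UserContext), counts IAM group-enumeration calls in a sliding window, and, when the caller is an assumed-role session, correlates back to the sts:AssumeRole event that created it (TimeWindow). Beyond the two event names the page lists, it also accepts the IAM group-side calls GetGroup, ListGroupsForUser and ListAttachedGroupPolicies, an extension chosen here. The baseline ARN, the account number and every record are made up for the example.

```python
"""Added example (not from the ATT&CK page): AN0695-style detection over AWS
CloudTrail records.  All records, ARNs and the baseline below are constructed."""
from datetime import datetime, timedelta, timezone

# Calls named in AN0695, plus IAM's group-side calls (an extension added here).
ENUM_EVENTS = {"ListGroups", "ListAttachedRolePolicies",
               "GetGroup", "ListGroupsForUser", "ListAttachedGroupPolicies"}

# UserContext: hypothetical baseline of principals expected to enumerate groups.
BASELINE_PRINCIPALS = {"arn:aws:iam::123456789012:user/iam-auditor"}


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_group_enumeration(records, baseline=BASELINE_PRINCIPALS,
                             window=timedelta(minutes=15), min_calls=2):
    """One alert per non-baseline principal making >= min_calls IAM group-enumeration
    calls inside `window`.  For an assumed-role session the alert names the identity
    that called sts:AssumeRole within the same window (TimeWindow correlation)."""
    records = sorted(records, key=lambda r: parse_time(r["eventTime"]))

    # Session ARN -> (time of AssumeRole, ARN of the identity that assumed the role).
    sessions = {}
    for r in records:
        if r.get("eventSource") == "sts.amazonaws.com" and r.get("eventName") == "AssumeRole":
            session_arn = (r.get("responseElements") or {}).get("assumedRoleUser", {}).get("arn")
            if session_arn:
                sessions[session_arn] = (parse_time(r["eventTime"]),
                                         r.get("userIdentity", {}).get("arn", ""))

    # Filter on eventSource: Cognito, QuickSight and Resource Groups also emit an
    # event named ListGroups, which would otherwise pollute the count.
    per_principal = {}
    for r in records:
        if r.get("eventSource") != "iam.amazonaws.com" or r.get("eventName") not in ENUM_EVENTS:
            continue
        arn = r.get("userIdentity", {}).get("arn", "")
        if arn in baseline:
            continue
        per_principal.setdefault(arn, []).append(r)

    alerts = []
    for arn, evs in per_principal.items():
        for i in range(len(evs) - min_calls + 1):
            first = parse_time(evs[i]["eventTime"])
            if parse_time(evs[i + min_calls - 1]["eventTime"]) - first > window:
                continue
            in_window = [e for e in evs[i:] if parse_time(e["eventTime"]) - first <= window]
            assumed_from = None
            if evs[i]["userIdentity"].get("type") == "AssumedRole" and arn in sessions:
                t_assume, origin = sessions[arn]
                if timedelta(0) <= first - t_assume <= window:
                    assumed_from = origin
            alerts.append({
                "principal": arn,
                "assumed_from": assumed_from,
                "events": [e["eventName"] for e in in_window],
                "source_ips": sorted({e.get("sourceIPAddress", "") for e in in_window}),
                "first_seen": evs[i]["eventTime"],
                "last_seen": in_window[-1]["eventTime"],
            })
            break  # one alert per principal
    return alerts


# Constructed CloudTrail records (trimmed to the fields the detection reads).
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2025-10-21T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dev-ci"},
     "responseElements": {"assumedRoleUser": {
         "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnlyAudit/s1"}}},
    {"eventTime": "2025-10-21T10:00:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListGroups", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnlyAudit/s1"}},
    {"eventTime": "2025-10-21T10:00:45Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListAttachedRolePolicies", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnlyAudit/s1"}},
    # Baseline auditor: expected behaviour, never alerted.
    {"eventTime": "2025-10-21T10:01:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListGroups", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/iam-auditor"}},
    # A single call from a non-baseline user: below min_calls.
    {"eventTime": "2025-10-21T11:30:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListGroups", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dev-ci"}},
]

if __name__ == "__main__":
    for alert in detect_group_enumeration(SAMPLE_CLOUDTRAIL):
        print(alert)
```

On the sample, only the ReadOnlyAudit/s1 session alerts, and the alert carries the dev-ci user that assumed the role 30 seconds earlier, which is the pivot a responder needs. Lowering min_calls to 1 also surfaces the lone 11:30 call by dev-ci; tune it against how much read-only tooling in the account legitimately walks IAM groups.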

Office Suite

AN0696

Identifies unauthorized access to, or enumeration of, administrative roles, security groups, or distribution groups via Exchange, SharePoint, or Teams APIs, or via role discovery scripts.

Log Sources
Data Component            | Name            | Channel
Command Execution (DC0064) | m365:exchange   | Get-RoleGroup, Get-DistributionGroup
Group Metadata (DC0105)    | m365:sharepoint | Enumerate ACLs/role bindings
Mutable Elements
Field                  | Description
AccessScope            | Adjust based on tenant-level vs. site-level group visibility.
ScriptExecutionContext | Detect script-based role listing (e.g., Graph API call chains).

SaaS

AN0697

Monitors API calls and service-specific logs for enumeration of organizational roles, permissions, and group structure, particularly outside of normal admin behavior baselines.

Log Sources
Data Component             | Name            | Channel
Group Enumeration (DC0099) | saas:salesforce | GET /services/data/vXX.X/groups
Mutable Elements
Field       | Description
OrgScope    | Scope to cross-team access or unfamiliar org enumeration.
RequestRate | Tuning for excessive group-list API calls.
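As an added example covering both AN0696 and AN0697 (not code from the ATT&CK page), the block below normalizes two log shapes into one event stream and applies a per-channel RequestRate limit with a sliding window: Exchange cmdlet records matched on Get-RoleGroup / Get-DistributionGroup, and Salesforce REST requests matched on the groups path with the API version left as a pattern, since the page writes it as vXX.X. The record field names (Operation, UserId, CreationTime, METHOD, URI, USER_ID, TIMESTAMP), the rate limits and all records are assumptions made for the example, not vendor schemas.

```python
"""Added example (not from the ATT&CK page): RequestRate-style detection of
group listing in Exchange audit records (AN0696) and Salesforce REST API logs
(AN0697).  Field names, limits and records are constructed for this example."""
import re
from collections import deque
from datetime import datetime, timedelta, timezone

# Cmdlets from AN0696; Salesforce path from AN0697 with the version as a pattern.
EXCHANGE_CMDLETS = {"Get-RoleGroup", "Get-DistributionGroup"}
SF_GROUPS_PATH = re.compile(r"^/services/data/v\d+\.\d+/groups(?:/|\?|$)")

# Hypothetical RequestRate tuning per channel: (calls allowed, sliding window).
RATE_LIMITS = {
    "m365:exchange": (5, timedelta(minutes=10)),
    "saas:salesforce": (20, timedelta(minutes=5)),
}


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(record):
    """Reduce a raw record to (channel, actor, time, action), or None when it is
    not a group listing.  Field names are assumed, not taken from vendor schemas."""
    channel = record.get("source")
    if channel == "m365:exchange" and record.get("Operation") in EXCHANGE_CMDLETS:
        return (channel, record["UserId"], parse_time(record["CreationTime"]),
                record["Operation"])
    if (channel == "saas:salesforce" and record.get("METHOD") == "GET"
            and SF_GROUPS_PATH.match(record.get("URI", ""))):
        return (channel, record["USER_ID"], parse_time(record["TIMESTAMP"]),
                "GET " + record["URI"])
    return None


def detect_excessive_group_listing(records, limits=RATE_LIMITS):
    """Sliding-window count per (channel, actor); one alert the first time the
    count exceeds that channel's RequestRate limit."""
    events = sorted(filter(None, map(normalize, records)), key=lambda e: e[2])
    windows, fired, alerts = {}, set(), []
    for channel, actor, t, action in events:
        if channel not in limits:
            continue
        max_calls, window = limits[channel]
        dq = windows.setdefault((channel, actor), deque())
        dq.append(t)
        while dq[0] < t - window:          # drop calls that aged out of the window
            dq.popleft()
        if len(dq) > max_calls and (channel, actor) not in fired:
            fired.add((channel, actor))
            alerts.append({"source": channel, "actor": actor, "calls": len(dq),
                           "window_seconds": int(window.total_seconds()),
                           "last_action": action, "at": t.isoformat()})
    return alerts


def _sf_get(sec, uri="/services/data/v60.0/groups", user="005xx000001SvA"):
    """Constructed Salesforce API log line."""
    return {"source": "saas:salesforce", "USER_ID": user, "METHOD": "GET",
            "URI": uri, "TIMESTAMP": f"2025-10-21T09:00:{sec:02d}Z"}


# Constructed event stream.
SAMPLE_EVENTS = (
    [_sf_get(i) for i in range(25)]                                   # 25 listings in 25 s
    + [_sf_get(30, uri="/services/data/v60.0/sobjects/Account")]      # not a group listing
    + [{"source": "m365:exchange", "UserId": "svc-sync@example.com",
        "Operation": "Get-DistributionGroup", "CreationTime": f"2025-10-21T09:0{i}:00Z"}
       for i in range(6)]                                             # 6 calls in 5 min
    + [{"source": "m365:exchange", "UserId": "admin@example.com",
        "Operation": "Get-RoleGroup", "CreationTime": f"2025-10-21T09:1{i}:00Z"}
       for i in range(3)]                                             # 3 calls, under limit
)

if __name__ == "__main__":
    for alert in detect_excessive_group_listing(SAMPLE_EVENTS):
        print(alert)
```

Two alerts fire on the sample: the Salesforce user on its 21st call and the svc-sync account on its sixth Get-DistributionGroup, while the admin's three Get-RoleGroup calls stay under the limit. The limits are the knob the page calls RequestRate; set them from a baseline of each channel's own admin tooling, since directory-sync and provisioning jobs legitimately list groups in bursts.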