Skip to content

DET0386 Cloud Account Enumeration via API, CLI, and Scripting Interfaces

Item Value
ID DET0386
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1087.004 (Cloud Account)

Analytics

Identity Provider

AN1087

Enumeration of identity roles and users via API calls such as Get-MsolRoleMember, az ad user list, or Graph API tokens from unauthorized users or automation accounts.

Log Sources
Data Component Name Channel
User Account Metadata (DC0013) Microsoft Entra ID Audit Logs RoleManagement.Read.Directory or Directory.Read.All
User Account Authentication (DC0002) azure:signinlogs Interactive/Non-Interactive Sign-In
Command Execution (DC0064) m365:defender Activity Log: Command Invocation
Mutable Elements
Field Description
TokenScope Flags excessive or abnormal use of directory read scopes by unexpected principals.
AppContext Differentiate authorized automation from rogue access tokens or external tools.
TimeWindow Trigger correlation across short bursts of high-volume enumeration.

IaaS

AN1088

Use of AWS CLI (aws iam list-users, list-roles), Azure CLI (az ad user list), or GCP CLI (gcloud iam service-accounts list) from endpoints or cloud shells where such activity is unexpected.

Log Sources
Data Component Name Channel
User Account Authentication (DC0002) AWS:CloudTrail AWS IAM: ListUsers, ListRoles
User Account Metadata (DC0013) azure:activity Azure CLI Operation: Microsoft.Graph/users/read
Mutable Elements
Field Description
CallerType Suppress known admin accounts and alert on developer/test/service identities.
CLIUserAgent Correlate unexpected CLI user-agents and geolocation anomalies.
CloudRegion Suppress noise from known IP ranges or whitelisted accounts per region.

Office Suite

AN1089

Bulk enumeration of cloud user email identities through Get-Recipient, Get-Mailbox, Get-User, or Graph API directory listings by abnormal accounts or suspicious sessions.

Log Sources
Data Component Name Channel
Command Execution (DC0064) WinEventLog:PowerShell CmdletName: Get-Recipient, Get-User
User Account Metadata (DC0013) Microsoft Graph API Logs users.list, directoryObjects.getByIds
Mutable Elements
Field Description
CmdletVolume Tune threshold for recipient/mailbox queries by volume per hour.
UserAgent Match known admin consoles and exclude sanctioned tools like MSOL PowerShell.
SessionContext Elevate sessions from unmanaged or external endpoints.

SaaS

AN1090

Access to organizational directories via Google Workspace Directory API, Slack SCIM, or Okta SCIM by apps or identities outside normal roles.

Log Sources
Data Component Name Channel
User Account Metadata (DC0013) Google Admin Audit users.list, groups.list
Application Log Content (DC0038) saas:okta System API Call: user.read, group.read
Mutable Elements
Field Description
APIRequestRate Detect rapid enumeration attempts or recursive group expansion.
AppIntegrationID Tag expected SCIM clients and suppress false positives from enterprise sync tools.
GeoContext Trigger alerts if enumeration occurs from anomalous IPs or regions.