Command and Scripting Interpreter: Cloud API

Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through various methods such as command line interpreters (CLIs), in-browser Cloud Shells, PowerShell modules like Azure for PowerShell[1], or software development kits (SDKs) available for languages such as Python.

Cloud API functionality may allow for administrative access across all major services in a tenant such as compute, storage, identity and access management (IAM), networking, and security policies.

With proper permissions (often via use of credentials such as Application Access Token and Web Session Cookie), adversaries may abuse cloud APIs to invoke various functions that execute malicious actions. For example, CLI and PowerShell functionality may be accessed through binaries installed on cloud-hosted or on-premises hosts or accessed through a browser-based cloud shell offered by many cloud platforms (such as AWS, Azure, and GCP). These cloud shells are often a packaged unified environment to use CLI and/or scripting modules hosted as a container in the cloud environment.

ID: T1059.009
Sub-technique of: T1059
Tactic: Execution
Platforms: IaaS, Identity Provider, Office Suite, SaaS
Contributors: Caio Silva; Jason Sevilla; Marcus Weeks; Nichols Jasper; Ozan Olali
Version: 1.2
Created: 17 March 2022
Last Modified: 15 April 2025

Procedure Examples

ID | Name | Description
G0016 | APT29 | APT29 has leveraged the Microsoft Graph API to perform various actions across Azure and M365 environments. They have also utilized AADInternals PowerShell modules to access the API.[2]
S1091 | Pacu | Pacu leverages the AWS CLI for its operations.[3]
G1053 | Storm-0501 | Storm-0501 has leveraged Cloud CLI to execute commands and exfiltrate data from compromised environments.[4]
G0139 | TeamTNT | TeamTNT has leveraged AWS CLI to enumerate cloud environments with compromised credentials.[5]

Mitigations

ID | Mitigation | Description
M1038 | Execution Prevention | Use application control where appropriate to block the use of PowerShell cmdlets or other host-based resources to access cloud API resources.
M1026 | Privileged Account Management | Use proper Identity and Access Management (IAM) with Role-Based Access Control (RBAC) policies to limit the actions administrators can perform, and retain a history of administrative actions so that unauthorized use and abuse can be detected.

Detection Strategy

ID | Name | Analytic ID | Analytic Description
DET0078 | Behavioral Detection of Malicious Cloud API Scripting | AN0215 | Detects adversarial use of cloud APIs for command execution, resource control, or reconnaissance. Focuses on CLI/SDK/scripting language abuse via stolen credentials or in-browser Cloud Shells. Monitors for anomalous API calls chained with authentication context shifts (e.g., stolen token -> privileged action) and cross-service impacts.
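
As an added illustration of the AN0215 analytic described above (example code, not MITRE's or any vendor's), the following Python flags a privileged cloud API call that follows shortly after a credential is first used from a source IP and user agent never seen for it before, i.e. the "context shift -> privileged action" chain. Field names mimic AWS CloudTrail; the sample events, the privileged-call watch list and the 30-minute window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed watch list of high-impact API names (not from the page).
PRIVILEGED = {"AttachUserPolicy", "CreateAccessKey", "PutBucketPolicy", "CreateUser"}
# Assumed correlation window between the context shift and the privileged call.
WINDOW = timedelta(minutes=30)

# Constructed, simplified CloudTrail-style records (not real telemetry).
EVENTS = [
    {"eventTime": "2025-04-15T09:00:00Z", "accessKeyId": "AKIAEXAMPLE1",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0", "eventName": "ListBuckets"},
    {"eventTime": "2025-04-15T09:05:00Z", "accessKeyId": "AKIAEXAMPLE1",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0", "eventName": "DescribeInstances"},
    # Same key reappears hours later from a new IP and a different SDK user agent ...
    {"eventTime": "2025-04-15T13:40:00Z", "accessKeyId": "AKIAEXAMPLE1",
     "sourceIPAddress": "198.51.100.77", "userAgent": "Boto3/1.34.0 Python/3.11", "eventName": "GetCallerIdentity"},
    # ... and a privileged IAM change follows two minutes later.
    {"eventTime": "2025-04-15T13:42:00Z", "accessKeyId": "AKIAEXAMPLE1",
     "sourceIPAddress": "198.51.100.77", "userAgent": "Boto3/1.34.0 Python/3.11", "eventName": "AttachUserPolicy"},
    # A different key with no prior baseline: privileged but no shift to chain with.
    {"eventTime": "2025-04-15T14:00:00Z", "accessKeyId": "AKIAEXAMPLE2",
     "sourceIPAddress": "203.0.113.20", "userAgent": "aws-cli/2.15.0", "eventName": "CreateAccessKey"},
]

def detect_context_shift_chains(events, window=WINDOW):
    """Return (accessKeyId, eventName, (ip, userAgent)) for each privileged call made
    within `window` of a credential's first use from a previously unseen IP/user agent."""
    baseline = defaultdict(set)   # accessKeyId -> set of (ip, userAgent) seen so far
    shift_started = {}            # accessKeyId -> time the newest context shift began
    alerts = []
    for e in sorted(events, key=lambda x: x["eventTime"]):
        t = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        key, ctx = e["accessKeyId"], (e["sourceIPAddress"], e["userAgent"])
        # A shift only counts once the credential has a baseline to deviate from.
        if baseline[key] and ctx not in baseline[key]:
            shift_started[key] = t
        baseline[key].add(ctx)
        recently_shifted = key in shift_started and t - shift_started[key] <= window
        if e["eventName"] in PRIVILEGED and recently_shifted:
            alerts.append((key, e["eventName"], ctx))
    return alerts

if __name__ == "__main__":
    for alert in detect_context_shift_chains(EVENTS):
        print("ALERT: privileged call after context shift:", alert)
```

Keys with no baseline (AKIAEXAMPLE2 above) produce no alert here; in practice a first-seen credential performing a privileged action deserves its own, separate rule.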

References