1. Home
  2. Techniques
  3. Enterprise
  4. Permission Groups Discovery
  5. Cloud Groups

Permission Groups Discovery: Cloud Groups

ID Name
T1069.001 Local Groups
T1069.002 Domain Groups
T1069.003 Cloud Groups

Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.

With authenticated access there are several tools that can be used to find permissions groups. The Get-MsolRole PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts [1][2].

Azure CLI (AZ CLI) and the Google Cloud Identity Provider API also provide interfaces to obtain permissions groups. The command az ad user get-member-groups will list groups associated to a user account for Azure while the API endpoint GET https://cloudidentity.googleapis.com/v1/groups lists group resources available to a user for Google.[3][4][5] In AWS, the commands ListRolePolicies and ListAttachedRolePolicies allow users to enumerate the policies attached to a role.[6]

Adversaries may attempt to list ACLs for objects to determine the owner and other accounts with access to the object, for example, via the AWS GetBucketAcl API [7]. Using this information an adversary can target accounts with permissions to a given object or leverage accounts they have already compromised to access the object.

ID: T1069.003
Sub-technique of:  T1069
Tactic: Discovery
Platforms: IaaS, Identity Provider, Office Suite, SaaS
Contributors: Isif Ibrahima, Mandiant; Regina Elwell
Version: 1.5
Created: 21 February 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S0677 AADInternals

AADInternals can enumerate Azure AD groups.[8]
C0027 C0027

During C0027, Scattered Spider accessed Azure AD to download bulk lists of group members and their Active Directory attributes.[9]
S1091 Pacu

Pacu can enumerate IAM permissions.[10]
S0684 ROADTools

ROADTools can enumerate Azure AD groups.[11]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0251 Behavioral Detection of Cloud Group Enumeration via API and CLI Access AN0695

Detects adversarial use of cloud-native APIs (e.g., AWS IAM, Azure RBAC, GCP Identity) to enumerate cloud group memberships or policy mappings via unauthorized sessions or scripts.
AN0696

Identifies unauthorized access or enumeration of administrative roles, security groups, or distribution groups via Exchange/SharePoint/Teams APIs or role discovery scripts.
AN0697

Monitors API calls and service-specific logs for enumeration of organizational roles, permissions, and group structure, particularly outside of normal admin behavior baselines.

References

  1. Microsoft. (n.d.). Get-MsolRole. Retrieved October 6, 2019.
  2. Stringer, M.. (2018, November 21). RainDance. Retrieved October 6, 2019.
  3. Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
  4. Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active Directory Leaks via Azure. Retrieved October 6, 2019.
  5. Google. (n.d.). Retrieved March 16, 2021.
  6. Dror Alon. (2022, December 8). Compromised Cloud Compute Credentials: Case Studies From the Wild. Retrieved March 9, 2023.
  1. Amazon Web Services. (n.d.). Retrieved May 28, 2021.
  2. Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 18, 2022.
  3. Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.
  4. Rhino Security Labs. (2019, August 22). Pacu. Retrieved October 17, 2019.
  5. Dirk-jan Mollema. (2020, April 16). Introducing ROADtools - The Azure AD exploration framework. Retrieved January 31, 2022.