Permission Groups Discovery: Cloud Groups

Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.

With authenticated access there are several tools that can be used to find permissions groups. The Get-MsolRole PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts.[1][2]

Azure CLI (AZ CLI) also provides an interface to obtain permissions groups with authenticated access to a domain. The command az ad user get-member-groups will list groups associated to a user account.[3][4]

ID: T1069.003
Sub-technique of:  T1069
Tactic: Discovery
Platforms: AWS, Azure, Azure AD, GCP, Office 365, SaaS
Permissions Required: User
Data Sources: API monitoring, AWS CloudTrail logs, Azure activity logs, GCP audit logs, Office 365 account logs, Process command-line parameters, Process monitoring, Stackdriver logs
Version: 1.1
Created: 21 February 2020
Last Modified: 08 October 2020


This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.


System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Activity and account logs for the cloud services can also be monitored for suspicious commands that are anomalous compared to a baseline of normal activity.