1. Home
  2. Techniques
  3. Enterprise
  4. Account Discovery
  5. Cloud Account

Account Discovery: Cloud Account

ID Name
T1087.001 Local Account
T1087.002 Domain Account
T1087.003 Email Account
T1087.004 Cloud Account

Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application.

With authenticated access there are several tools that can be used to find accounts. The Get-MsolRoleMember PowerShell cmdlet can be used to obtain account names given a role or permissions group in Office 365.[1][2] The Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command az ad user list will list all users within a domain.[3][4]

The AWS command aws iam list-users may be used to obtain a list of users in the current account while aws iam list-roles can obtain IAM roles that have a specified path prefix.[5][6] In GCP, gcloud iam service-accounts list and gcloud projects get-iam-policy may be used to obtain a listing of service accounts and users in a project.[7]

ID: T1087.004
Sub-technique of:  T1087
Tactic: Discovery
Platforms: IaaS, Identity Provider, Office Suite, SaaS
Contributors: Praetorian
Version: 1.3
Created: 21 February 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S0677 AADInternals

AADInternals can enumerate Azure AD users.[8]
G0016 APT29

APT29 has conducted enumeration of Azure AD accounts.[9]
C0027 C0027

During C0027, Scattered Spider accessed Azure AD to download bulk lists of group members and to identify privileged users, along with the email addresses and AD attributes.[10]
S1091 Pacu

Pacu can enumerate IAM users, roles, and groups. [11]
S0684 ROADTools

ROADTools can enumerate Azure AD users.[12]
G1053 Storm-0501

Storm-0501 has conducted enumeration of users, roles, and resources within victim Azure tenants using the tool Azurehound.[13]

Mitigations

ID Mitigation Description
M1047 Audit

Routinely check user permissions to ensure only the expected users have the ability to list IAM identities or otherwise discover cloud accounts.
M1018 User Account Management

Limit permissions to discover cloud accounts in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0386 Cloud Account Enumeration via API, CLI, and Scripting Interfaces AN1087

Enumeration of identity roles and users via API calls such as Get-MsolRoleMember, az ad user list, or Graph API tokens from unauthorized users or automation accounts.
AN1088

Use of AWS CLI (aws iam list-users, list-roles), Azure CLI (az ad user list), or GCP CLI (gcloud iam service-accounts list) from endpoints or cloud shells where such activity is unexpected.
AN1089

Bulk enumeration of cloud user email identities through Get-Recipient, Get-Mailbox, Get-User, or Graph API directory listings by abnormal accounts or suspicious sessions.
AN1090

Access to organizational directories via Google Workspace Directory API, Slack SCIM, or Okta SCIM by apps or identities outside normal roles.

References

  1. Microsoft. (n.d.). Get-MsolRoleMember. Retrieved October 6, 2019.
  2. Stringer, M.. (2018, November 21). RainDance. Retrieved October 6, 2019.
  3. Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
  4. Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active Directory Leaks via Azure. Retrieved October 6, 2019.
  5. Amazon. (n.d.). List Roles. Retrieved August 11, 2020.
  6. Amazon. (n.d.). List Users. Retrieved August 11, 2020.
  7. Google. (2020, June 23). gcloud iam service-accounts list. Retrieved August 4, 2020.
  1. Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 18, 2022.
  2. Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022.
  3. Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.
  4. Rhino Security Labs. (2019, August 22). Pacu. Retrieved October 17, 2019.
  5. Dirk-jan Mollema. (2020, April 16). Introducing ROADtools - The Azure AD exploration framework. Retrieved January 31, 2022.
  6. Microsoft Threat Intelligence. (2025, August 27). Storm-0501’s evolving techniques lead to cloud-based ransomware. Retrieved October 19, 2025.