Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0215: Analytic 0215

Detects adversarial use of cloud APIs for command execution, resource control, or reconnaissance. Focuses on CLI/SDK/scripting language abuse via stolen credentials or in-browser Cloud Shells. Monitors for anomalous API calls chained with authentication context shifts (e.g., stolen token -> privileged action) and cross-service impacts.

EnterpriseAN0215AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about spotting suspicious use of cloud provider APIs in IaaS environments, especially when credentials, CLI/SDK tools, scripts, or browser-based Cloud Shell sessions are used to execute commands, control resources, or perform reconnaissance. For leaders, the practical issue is that cloud control-plane activity can change business-critical infrastructure quickly, sometimes without touching traditional endpoint controls.

Executive priority

Prioritize this as a cloud security and incident response readiness question: can the organization reconstruct who authenticated, from where, using what interface, and what privileged cloud API actions followed? The business value is in reducing uncertainty during cloud incidents, validating identity and access controls, and producing audit-ready evidence for privileged activity and resource changes in IaaS environments.

Technical view

SOC and detection engineering teams should validate visibility across cloud API audit logs, authentication context, CLI/SDK/scripted access indicators, Cloud Shell usage where available, and cross-service resource actions. Because ATT&CK provides no formal detection logic for this analytic, local implementation should focus on sequences such as authentication context shifts followed by privileged actions, unusual API call chains, anomalous service-to-service impact, or reconnaissance-like enumeration followed by control-plane changes.

Likely telemetry

  • Cloud control-plane/API audit logs for IaaS services
  • Authentication and session context, including token use and identity changes
  • Privileged action records for resource creation, modification, deletion, or command execution
  • CLI, SDK, scripting, and Cloud Shell usage indicators where logged
  • Source IP, user agent, geolocation, device, and session metadata associated with API calls

Detection direction

  • Validate that cloud API logging is enabled broadly enough to capture both reconnaissance and resource-control actions, not only high-severity administrative events.
  • Correlate authentication context shifts with subsequent privileged API calls, especially where a token or session begins performing actions outside its normal pattern.
  • Tune baselines by identity, role, service, source network, interface type, and expected automation behavior to reduce false positives from legitimate DevOps and infrastructure-as-code workflows.
  • Review blind spots around browser-based Cloud Shell activity, SDK-based automation, short-lived credentials, and cross-service action chains that may not appear suspicious when viewed one event at a time.
  • Because no ATT&CK relationships or tactics are supplied, avoid overfitting this analytic to a single technique; use it as a cloud control-plane behavior analytic.

Mitigation priorities

  • Ensure IaaS audit logging and retention are sufficient for investigation and compliance evidence.
  • Strengthen identity controls for cloud API access, including least privilege, privileged role review, and monitoring of session and token behavior.
  • Separate and document expected automation accounts, CI/CD roles, and administrative workflows so detections can distinguish normal scripted activity from anomalous API use.
  • Prepare incident response procedures for rapid review of cloud API actions, credential/session containment, and resource-change rollback decisions.
  • Regularly test whether SOC teams can trace Cloud Shell, CLI, SDK, and scripted activity back to accountable identities and business-approved use cases.
Analyst notes and limits

This is a detection analytic object, not a technique object. The supplied ATT&CK description supports a focus on IaaS cloud APIs, CLI/SDK/scripting abuse, stolen credentials or in-browser Cloud Shells, authentication-context shifts, privileged actions, reconnaissance, command execution, resource control, and cross-service impacts. No relationship context is supplied, so the take avoids mapping this analytic to specific ATT&CK techniques, groups, campaigns, or tactics.

Official detection logic is not provided, tactics are not specified, and no related objects were supplied. Any production detection must be validated against the organization’s specific cloud provider logging, identity model, automation patterns, and incident response requirements.

Official MITRE ATT&CK definition

Analytic 0215

Detects adversarial use of cloud APIs for command execution, resource control, or reconnaissance. Focuses on CLI/SDK/scripting language abuse via stolen credentials or in-browser Cloud Shells. Monitors for anomalous API calls chained with authentication context shifts (e.g., stolen token -> privileged action) and cross-service impacts.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
0664fc895d6b5545...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 0664fc895d6b…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0215
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use