MITRE ATT&CK® Analytic

AN1088: Analytic 1088

Use of AWS CLI (`aws iam list-users`, `list-roles`), Azure CLI (`az ad user list`), or GCP CLI (`gcloud iam service-accounts list`) from endpoints or cloud shells where such activity is unexpected.

Enterprise | AN1088 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic matters because cloud identity enumeration can be an early sign that someone is mapping users, roles, or service accounts before taking further action. For executives and security leaders, the decision point is whether the organization can distinguish normal cloud administration from unexpected IAM discovery across AWS, Azure, and GCP environments, including activity from endpoints and cloud shells.

Executive priority

Prioritize this as a cloud identity and SOC readiness validation item. The business risk is not the listing command by itself, but the possibility that unexpected IAM inventory activity reveals weak monitoring around cloud identities, privileged roles, and service accounts. Leaders should ask whether cloud administration activity is logged, centrally monitored, baselined, and reviewable as evidence for incident response and compliance readiness.

Technical view

AN1088 focuses on unexpected use of cloud provider CLIs to list IAM-related objects: AWS CLI commands such as listing IAM users or roles, Azure CLI user listing, and GCP CLI service-account listing. SOC and detection teams should validate visibility for CLI-driven IAM enumeration from both managed endpoints and cloud shell environments. Because ATT&CK provides no official detection logic and no relationship context here, teams should treat this as a detection-engineering prompt: define what is expected for administrators, automation, break-glass workflows, and CI/CD activity, then alert or hunt on activity outside those patterns.

Likely telemetry

  • Cloud audit logs for IAM and directory enumeration events in AWS, Azure, and GCP
  • Endpoint process execution telemetry showing cloud CLI use
  • Cloud shell activity logs where available
  • User, role, and service account identity context
  • Source host, source IP, session, and authentication context

Detection direction

  • Baseline normal IAM listing activity by administrator, automation account, endpoint, cloud shell, time, and source network.
  • Tune detections for unexpected CLI-based enumeration rather than treating all list operations as malicious.
  • Correlate cloud audit events with endpoint process execution when commands originate from workstations or servers.
  • Review service accounts and automation identities carefully to avoid false positives from legitimate inventory, governance, or compliance jobs.
  • Identify blind spots where cloud shell logging, endpoint command-line visibility, or cloud audit retention is incomplete.
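As an added example (not part of the MITRE analytic or of Glexia's page), the baselining and tuning steps above applied to AWS CloudTrail events: CLI-driven `ListUsers` / `ListRoles` calls (the API names behind `aws iam list-users` and `list-roles`) are compared against an allowlist of approved principals and the networks they are expected to operate from, so only enumeration outside that baseline is raised rather than every list call. The CloudTrail field names used (`eventSource`, `eventName`, `userIdentity`, `sessionContext.sessionIssuer`, `sourceIPAddress`, `userAgent`) are real; the account id, ARNs, networks, baseline and sample events are constructed. Azure and GCP audit records would need the same shape with their own field names.

```python
"""Baseline-aware detection of unexpected CLI IAM enumeration in AWS CloudTrail.

Added example, not part of the MITRE analytic or the Glexia page. CloudTrail
field names are real; account id, ARNs, IP ranges, baseline and events are
constructed sample data.
"""
import ipaddress

# `aws iam list-users` and `aws iam list-roles` appear in CloudTrail as these eventName values.
IAM_ENUMERATION_EVENTS = {"ListUsers", "ListRoles"}

# Constructed baseline: principals approved for IAM inventory and the
# source networks they are expected to come from (placeholder values).
BASELINE = {
    "arn:aws:iam::111122223333:user/iam-inventory-bot": ["10.20.0.0/16"],
    "arn:aws:iam::111122223333:role/CloudAdminRole": ["203.0.113.0/24"],
}


def principal_arn(event):
    """Return the stable identity behind an event.

    For AssumedRole sessions CloudTrail puts a per-session STS ARN in
    userIdentity.arn; the issuing role ARN in sessionContext.sessionIssuer
    is the value a baseline should key on.
    """
    ident = event.get("userIdentity", {})
    if ident.get("type") == "AssumedRole":
        return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
    return ident.get("arn")


def is_cli(user_agent):
    """The analytic is scoped to CLI use; the AWS CLI identifies itself by this prefix."""
    return (user_agent or "").startswith("aws-cli/")


def in_baseline_network(ip, cidrs):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # e.g. "AWS Internal" for service-initiated calls
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def classify(event, baseline=BASELINE):
    """Return None if out of scope, otherwise 'expected' or an 'unexpected-*' reason."""
    if event.get("eventSource") != "iam.amazonaws.com":
        return None
    if event.get("eventName") not in IAM_ENUMERATION_EVENTS:
        return None
    if not is_cli(event.get("userAgent")):
        return None  # console/SDK enumeration would need its own baseline
    arn = principal_arn(event)
    if arn not in baseline:
        return "unexpected-principal"
    if not in_baseline_network(event.get("sourceIPAddress"), baseline[arn]):
        return "unexpected-source-network"
    return "expected"


def find_unexpected(events, baseline=BASELINE):
    """Return alert records for CLI IAM enumeration that falls outside the baseline."""
    alerts = []
    for ev in events:
        verdict = classify(ev, baseline)
        if verdict and verdict != "expected":
            alerts.append({
                "time": ev.get("eventTime"),
                "principal": principal_arn(ev),
                "api": ev["eventName"],
                "source_ip": ev.get("sourceIPAddress"),
                "reason": verdict,
            })
    return alerts


# Constructed CloudTrail-shaped sample events (not real telemetry).
CLI_UA = "aws-cli/2.15.0 Python/3.11.6 Linux/6.1"
ADMIN_SESSION = {
    "type": "AssumedRole",
    "arn": "arn:aws:sts::111122223333:assumed-role/CloudAdminRole/alice",
    "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/CloudAdminRole"}},
}
SAMPLE_EVENTS = [
    # Approved inventory job from its usual network: expected.
    {"eventTime": "2024-05-01T09:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "sourceIPAddress": "10.20.5.7", "userAgent": CLI_UA,
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/iam-inventory-bot"}},
    # Admin role from the admin network: expected.
    {"eventTime": "2024-05-01T09:05:00Z", "eventSource": "iam.amazonaws.com", "eventName": "ListRoles",
     "sourceIPAddress": "203.0.113.9", "userAgent": CLI_UA, "userIdentity": ADMIN_SESSION},
    # Same admin role, but from a network it never uses: unexpected source.
    {"eventTime": "2024-05-01T23:41:00Z", "eventSource": "iam.amazonaws.com", "eventName": "ListRoles",
     "sourceIPAddress": "198.51.100.20", "userAgent": CLI_UA, "userIdentity": ADMIN_SESSION},
    # Developer identity with no inventory role, even from an internal address: unexpected principal.
    {"eventTime": "2024-05-01T23:42:00Z", "eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "sourceIPAddress": "10.20.5.7", "userAgent": CLI_UA,
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev-alice"}},
    # Not an IAM enumeration call: out of scope.
    {"eventTime": "2024-05-01T23:43:00Z", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "198.51.100.20", "userAgent": CLI_UA,
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev-alice"}},
]

if __name__ == "__main__":
    for alert in find_unexpected(SAMPLE_EVENTS):
        print(alert)
```

The baseline is deliberately keyed on the issuing role rather than the per-session STS ARN, and it records a reason with each alert so triage can separate "known admin from an unusual network" from "identity that should never be enumerating IAM"; the first often resolves to a travelling administrator, the second rarely does.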

Mitigation priorities

  • Ensure cloud audit logging is enabled and retained for IAM and directory enumeration activity across supported IaaS environments.
  • Centralize cloud and endpoint telemetry so SOC teams can correlate CLI execution with cloud-side events.
  • Define authorized sources and identities for IAM inventory activity, including administrators, automation, and cloud shell use.
  • Apply least-privilege review to identities that can enumerate sensitive IAM objects, while recognizing some read permissions may be operationally necessary.
  • Document expected administrative workflows so incident responders can quickly separate approved discovery from suspicious activity.

Analyst notes and limits

The supplied object is a detection analytic, not a full ATT&CK technique. It has IaaS platform scope, no specified tactic, no official detection text, and no relationship context. The strongest use is as a validation checklist for cloud identity monitoring and detection coverage around unexpected IAM listing via common cloud CLIs.

Assessment depends on local baselines, logging configuration, endpoint visibility, and cloud shell audit availability. The source does not support claims about active exploitation, attribution, impact, prevalence, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Analytic 1088

Use of AWS CLI (`aws iam list-users`, `list-roles`), Azure CLI (`az ad user list`), or GCP CLI (`gcloud iam service-accounts list`) from endpoints or cloud shells where such activity is unexpected.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: e9832ca62afa5530...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.0                         Current bundle   e9832ca62afa…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN1088 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.