MITRE ATT&CK® Detection Strategy

DET0386: Cloud Account Enumeration via API, CLI, and Scripting Interfaces


Enterprise | DET0386 | Detection Strategy | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0386 is a detection strategy for finding cloud account enumeration performed through APIs, command-line tools, or scripts. Its business value is early visibility into identity discovery: an authenticated actor who can list cloud users, roles, or service accounts may be preparing privilege escalation, lateral movement, or targeted abuse of high-value accounts. For leaders, this is less about a single alert and more about whether the organization can prove it monitors identity discovery activity across IaaS, identity providers, Office suites, and SaaS environments.

Executive priority

Prioritize this where cloud identity is business-critical, privileged accounts administer production services, or compliance requires evidence of identity activity monitoring. Executives should ask whether cloud audit logs are retained, normalized, and reviewed for account and role enumeration; whether SOC playbooks distinguish legitimate administration from suspicious discovery; and whether incident responders can quickly identify who enumerated accounts, from where, and under what permissions.

Technical view

The supplied ATT&CK relationship says this detection strategy detects T1087.004 Cloud Account, a Discovery technique affecting IaaS, Identity Provider, Office Suite, and SaaS platforms. SOC and detection teams should validate monitoring for authenticated requests that list users, groups, roles, role members, service accounts, or similar account objects through cloud APIs, administrative CLIs, PowerShell modules, or scripted interfaces. Because MITRE provides no official detection text for this object, local implementation should be driven by each provider’s audit event names, normal administrative baselines, and correlation with identity context such as actor, role, source location, session type, and volume/frequency of enumeration.

Likely telemetry

  • Cloud control-plane audit logs for account, user, group, role, and role-membership listing activity
  • Identity provider audit logs showing directory or role enumeration
  • SaaS and Office suite administrative audit logs
  • API, CLI, PowerShell, and scripted access indicators where available in audit records
  • Authentication and session context including user, service principal, source IP, device, geolocation, and MFA/session attributes

Detection direction

  • Map provider-specific audit events that represent listing or reading cloud accounts, users, groups, roles, and memberships, then confirm they are ingested into the SIEM or detection platform.
  • Baseline expected enumeration by administrators, automation, identity governance tools, and support workflows to reduce false positives.
  • Look for unusual breadth, frequency, timing, source location, or tool/interface use by an authenticated principal, especially when inconsistent with that principal’s normal role.
  • Correlate enumeration with surrounding authentication events, privilege changes, failed access attempts, or access to sensitive cloud resources.
  • Validate coverage across the related ATT&CK platforms: IaaS, Identity Provider, Office Suite, and SaaS. Do not assume one cloud log source covers all identity surfaces.
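The breadth, frequency and baseline checks listed above can be turned into a small scoring routine. The following is an added illustration written for this page, not code from MITRE or Glexia. It is provider-neutral: the event names in ENUMERATION_EVENTS, the administrative baseline, and the sample audit records are all constructed placeholders that a detection engineer would replace with the real audit event names and approved source networks of their IaaS, IdP, Office suite or SaaS tenant.

```python
"""Score cloud identity enumeration events by breadth, frequency and baseline.

Added illustration for this page, not MITRE or Glexia code. All event names,
principals, networks and timestamps below are constructed placeholders.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-ins for "list/read identity objects" audit events.
# Map these to your provider's real event names (e.g. the IAM, directory or
# role-assignment read operations in its audit log).
ENUMERATION_EVENTS = {
    "ListUsers", "ListRoles", "ListGroups", "GetGroupMembers",
    "ListServiceAccounts", "ListRoleAssignments",
}

# Constructed administrative baseline: principals expected to enumerate
# identities, and the source networks they are expected to come from.
BASELINE = {
    "iam-governance-scanner": ["10.0.0.0/8"],
    "alice-admin": ["10.0.0.0/8"],
}

# Constructed sample audit records in a provider-neutral shape.
SAMPLE_EVENTS = [
    # Routine console administration: narrow and slow.
    {"ts": "2024-05-01T09:00:00", "principal": "alice-admin", "event": "ListUsers", "source_ip": "10.1.2.3", "interface": "console"},
    {"ts": "2024-05-01T09:04:00", "principal": "alice-admin", "event": "ListGroups", "source_ip": "10.1.2.3", "interface": "console"},
    # Identity governance tool: broad and fast, but expected and from the right network.
    {"ts": "2024-05-01T02:00:00", "principal": "iam-governance-scanner", "event": "ListUsers", "source_ip": "10.5.5.5", "interface": "sdk"},
    {"ts": "2024-05-01T02:00:10", "principal": "iam-governance-scanner", "event": "ListGroups", "source_ip": "10.5.5.5", "interface": "sdk"},
    {"ts": "2024-05-01T02:00:20", "principal": "iam-governance-scanner", "event": "GetGroupMembers", "source_ip": "10.5.5.5", "interface": "sdk"},
    {"ts": "2024-05-01T02:00:30", "principal": "iam-governance-scanner", "event": "GetGroupMembers", "source_ip": "10.5.5.5", "interface": "sdk"},
    {"ts": "2024-05-01T02:00:40", "principal": "iam-governance-scanner", "event": "ListRoles", "source_ip": "10.5.5.5", "interface": "sdk"},
    {"ts": "2024-05-01T02:00:50", "principal": "iam-governance-scanner", "event": "ListRoleAssignments", "source_ip": "10.5.5.5", "interface": "sdk"},
    # Build service account with no business need to read identities: broad, fast, CLI, unknown source.
    {"ts": "2024-05-01T13:10:05", "principal": "svc-build-deploy", "event": "ListUsers", "source_ip": "203.0.113.7", "interface": "cli"},
    {"ts": "2024-05-01T13:10:07", "principal": "svc-build-deploy", "event": "ListRoles", "source_ip": "203.0.113.7", "interface": "cli"},
    {"ts": "2024-05-01T13:10:09", "principal": "svc-build-deploy", "event": "ListGroups", "source_ip": "203.0.113.7", "interface": "cli"},
    {"ts": "2024-05-01T13:10:11", "principal": "svc-build-deploy", "event": "GetGroupMembers", "source_ip": "203.0.113.7", "interface": "cli"},
    {"ts": "2024-05-01T13:10:14", "principal": "svc-build-deploy", "event": "ListServiceAccounts", "source_ip": "203.0.113.7", "interface": "cli"},
    {"ts": "2024-05-01T13:10:20", "principal": "svc-build-deploy", "event": "ListRoleAssignments", "source_ip": "203.0.113.7", "interface": "cli"},
    # Non-identity call from the same principal; must not count toward enumeration.
    {"ts": "2024-05-01T13:10:25", "principal": "svc-build-deploy", "event": "PutObject", "source_ip": "203.0.113.7", "interface": "cli"},
]


def in_baseline(principal, source_ip):
    """True if the principal is an expected enumerator coming from an expected network."""
    nets = BASELINE.get(principal, [])
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def worst_window(items, window):
    """Slide a time window over sorted (timestamp, event_name) pairs.

    Returns (calls, distinct) for the window with the greatest breadth,
    breaking ties on call count.
    """
    best = (0, 0)  # (distinct event names, total calls)
    start = 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        span = items[start:end + 1]
        candidate = (len({name for _, name in span}), len(span))
        best = max(best, candidate)
    return best[1], best[0]


def analyse(events, window=timedelta(minutes=10), min_calls=5, min_distinct=3):
    """Return, per principal, the worst enumeration window and a flag decision."""
    by_principal = defaultdict(list)
    for ev in events:
        if ev["event"] not in ENUMERATION_EVENTS:
            continue  # only identity list/read operations count
        by_principal[ev["principal"]].append((datetime.fromisoformat(ev["ts"]), ev))

    results = {}
    for principal, tagged in by_principal.items():
        tagged.sort(key=lambda pair: pair[0])
        calls, distinct = worst_window([(ts, ev["event"]) for ts, ev in tagged], window)
        sources = sorted({ev["source_ip"] for _, ev in tagged})
        interfaces = sorted({ev["interface"] for _, ev in tagged})
        exceeds = calls >= min_calls and distinct >= min_distinct
        baselined = all(in_baseline(principal, ip) for ip in sources)
        if not exceeds:
            reason = "below thresholds"
        elif baselined:
            reason = "baselined"
        else:
            reason = "breadth/frequency outside baseline"
        results[principal] = {
            "flagged": exceeds and not baselined, "reason": reason,
            "calls": calls, "distinct": distinct,
            "sources": sources, "interfaces": interfaces,
        }
    return results


if __name__ == "__main__":
    for principal, summary in analyse(SAMPLE_EVENTS).items():
        print(principal, summary)
```

The sliding window keeps the rule cheap enough to run over a day of control-plane logs, and the per-principal summary carries the actor, source and interface fields a responder needs when triaging. Two design points matter in practice: the baseline is keyed on principal and source network together, so a baselined account used from an unexpected location is still scored, and the thresholds are arguments rather than constants so they can be tuned per tenant against the observed administrative and automation activity.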

Mitigation priorities

  • Ensure cloud and identity audit logging is enabled and retained for account, group, role, and membership read/list operations.
  • Apply least privilege so routine users and service principals cannot enumerate sensitive identity or role information beyond business need.
  • Review administrative and automation accounts for excessive directory-read or role-management permissions.
  • Require strong authentication and conditional access controls for administrative interfaces where applicable.
  • Maintain documented administrative baselines and change records so SOC teams can distinguish expected enumeration from suspicious discovery.

Analyst notes and limits

This object is a MITRE ATT&CK detection strategy, not a technique. The most useful context comes from its relationship to T1087.004 Cloud Account, which is a Discovery behavior involving cloud accounts across IaaS, identity provider, Office suite, and SaaS environments. The object name specifically references API, CLI, and scripting interfaces, so detection engineering should focus on authenticated cloud and identity audit evidence rather than network-only visibility.

The supplied STIX fields include no official description, no official detection text, no tactics, and no platforms directly on DET0386. Platform and tactic context is inferred only from the stated relationship to T1087.004. Provider-specific event names, thresholds, and control requirements must be validated against the local cloud, identity, SaaS, and logging environment.

Official MITRE ATT&CK definition

Cloud Account Enumeration via API, CLI, and Scripting Interfaces

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain      ID         Name           Relationship / procedure
Enterprise  T1087.004  Cloud Account  Sub-technique. This object detects Cloud Account.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 98c6bfd381873faa...

Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 98c6bfd38187…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0386

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.