T1059.009: Cloud API
Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through various methods such as command line interpreters (CLIs), in-browser Cloud Shells, PowerShell modules like Azure for PowerShell[1], or software developer kits (SDKs) available for languages such as Python.
Cloud API functionality may allow for administrative access across all major services in a tenant such as compute, storage, identity and access management (IAM), networking, and security policies.
With proper permissions (often via use of credentials such as Application Access Token and Web Session Cookie), adversaries may abuse cloud APIs to invoke various functions that execute malicious actions. For example, CLI and PowerShell functionality may be accessed through binaries installed on cloud-hosted or on-premises hosts or accessed through a browser-based cloud shell offered by many cloud platforms (such as AWS, Azure, and GCP). These cloud shells are often a packaged unified environment to use CLI and/or scripting modules hosted as a container in the cloud environment.
Analyst context for executives and security teams
Cloud API abuse matters because cloud control planes can execute changes across compute, storage, identity, networking, SaaS, office suites, and security policy. If an adversary obtains sufficient permissions through credentials, application access tokens, or web session cookies, normal administrative APIs, CLIs, PowerShell modules, SDKs, or browser cloud shells can become the execution path. For leaders, this shifts the question from “do we monitor servers?” to “can we prove who used cloud authority, from where, to do what, and whether that action was expected?”
Executive priority
Prioritize this as an identity and cloud control-plane risk. The business exposure is not limited to a single endpoint: privileged API use can affect tenant-wide services when permissions allow it. Executives should ask whether privileged account management, least privilege, logging, and incident response playbooks cover cloud APIs, cloud shells, automation identities, and SaaS/office-suite administrative actions. This technique is also useful for audit and compliance readiness because evidence of accountability depends on reliable API activity logging and privileged access governance.
Technical view
T1059.009 is an execution sub-technique of Command and Scripting Interpreter focused on cloud APIs across IaaS, Identity Provider, Office Suite, and SaaS platforms. SOC and IR teams should validate visibility into API-driven administrative actions performed through CLIs, PowerShell modules such as Azure PowerShell, SDKs, and browser-based cloud shells. Because MITRE does not provide official detection text for this object, detection engineering should use the related DET0078 strategy, Behavioral Detection of Malicious Cloud API Scripting, as a starting point and tune against local administrative baselines. Relationship context also shows use by APT29, TeamTNT, Storm-0501, Pacu, and TruffleHog, so defenders should consider both human and tool-driven cloud API activity without assuming any specific actor is present.
Likely telemetry
- Cloud control-plane audit logs for API calls and administrative actions
- Identity provider sign-in, token, session, and privileged role activity logs
- Cloud Shell usage records where available
- CLI, PowerShell, and SDK execution evidence from managed endpoints or cloud-hosted systems
- IAM permission changes, role assignments, service principal or application access activity
Detection direction
- Baseline normal cloud API usage by administrators, automation accounts, service principals, and cloud shell users before alerting on deviations.
- Correlate API actions with identity context, privilege level, source location, device posture, user agent, and recent authentication/session events.
- Watch for high-risk administrative API activity affecting IAM, compute, storage, networking, and security policy, especially when performed by newly privileged or unusual identities.
- Validate visibility for browser-based cloud shells as well as locally installed CLIs, PowerShell modules, and SDK-based access; these may appear different in logs but can drive similar cloud actions.
- Tune false positives around approved automation, CI/CD workflows, and scheduled administrative jobs so detections focus on unexpected scope, timing, source, or sequence of actions.
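As an added illustration of the baseline-then-deviate approach listed above (example code, not part of the ATT&CK object or of the Glexia analysis), the script below learns per-identity actions, source addresses and user agents from a quiet period of constructed control-plane audit events and then labels new events; the flattened field names, identities, IP addresses and user-agent strings are assumptions, not any provider's schema.

```python
from collections import defaultdict

# Constructed sample audit events (not real logs), flattened to the fields the
# detection needs; the field names are assumptions, not a provider's log schema.
BASELINE_EVENTS = [
    {"identity": "admin-alice", "action": "DescribeInstances", "source_ip": "203.0.113.10", "user_agent": "aws-cli/2.15"},
    {"identity": "admin-alice", "action": "ListBuckets", "source_ip": "203.0.113.10", "user_agent": "aws-cli/2.15"},
    {"identity": "ci-deploy", "action": "UpdateFunctionCode", "source_ip": "198.51.100.5", "user_agent": "python-sdk/1.34"},
]
NEW_EVENTS = [
    {"identity": "admin-alice", "action": "DescribeInstances", "source_ip": "203.0.113.10", "user_agent": "aws-cli/2.15"},
    {"identity": "admin-alice", "action": "ListBuckets", "source_ip": "192.0.2.44", "user_agent": "cloud-shell/1.0"},
    {"identity": "ci-deploy", "action": "AttachUserPolicy", "source_ip": "192.0.2.77", "user_agent": "python-sdk/1.34"},
]

# Administrative API actions affecting IAM, storage policy and networking; an assumed set.
HIGH_RISK_ACTIONS = {"AttachUserPolicy", "CreateAccessKey", "CreateLoginProfile",
                     "UpdateAssumeRolePolicy", "PutBucketPolicy", "AuthorizeSecurityGroupIngress"}
FIELDS = ("action", "source_ip", "user_agent")

def build_baseline(events):
    """Learn, per identity, the actions, source IPs and user agents seen in the quiet period."""
    base = defaultdict(lambda: {f: set() for f in FIELDS})
    for e in events:
        for f in FIELDS:
            base[e["identity"]][f].add(e[f])
    return base

def deviations(event, baseline):
    """Return the identity-context fields whose value was never seen for this identity."""
    known = baseline.get(event["identity"], {f: set() for f in FIELDS})
    return [f for f in FIELDS if event[f] not in known[f]]

def classify(event, baseline):
    """'alert' = high-risk action plus a deviation; 'review' = deviation only; 'ok' = within baseline."""
    devs = deviations(event, baseline)
    if event["action"] in HIGH_RISK_ACTIONS and devs:
        return "alert", devs
    return ("review" if devs else "ok"), devs

def run(baseline_events, new_events):
    """Label every new event against the learned baseline."""
    baseline = build_baseline(baseline_events)
    return [(e["identity"], e["action"], *classify(e, baseline)) for e in new_events]

if __name__ == "__main__":
    for identity, action, label, devs in run(BASELINE_EVENTS, NEW_EVENTS):
        print(f"{label:6} {identity:12} {action:20} deviations={devs}")
```

The automation identity's high-risk IAM call from a new address is the only event that alerts; the administrator's read-only call from a cloud shell is surfaced for review rather than alerted, which is the tuning trade-off the last bullet describes.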
Mitigation priorities
- Start with privileged account management: enforce least privilege, role-based access control, scoped permissions, monitoring, logging, and accountability for privileged cloud and SaaS accounts.
- Review and constrain application access tokens, web session cookie exposure, service principals, and automation identities that can call cloud APIs with administrative authority.
- Limit or govern access to cloud shells, CLIs, PowerShell modules, and SDKs where business need does not justify broad use.
- Apply execution prevention on managed systems where appropriate to restrict unauthorized scripts, tools, or binaries used to invoke cloud APIs.
- Ensure incident response procedures include rapid review and containment of cloud API sessions, tokens, privileged roles, and recent tenant configuration changes.
Analyst notes and limits
This object is especially important for organizations where cloud administration, SaaS management, and identity operations are heavily automated. The main defensive decision is whether the organization can distinguish expected administrative automation from suspicious API-driven execution. The supplied ATT&CK relationships support focusing on privileged account management and execution prevention, and show relevant group/software context, but they do not prove activity in any specific environment.
MITRE provides no official detection text for this technique in the supplied fields. Specific provider log names, event IDs, and implementation steps are not included in the source object and should be derived from the organization’s actual IaaS, identity provider, office suite, and SaaS platforms. Coverage cannot be assumed without validating log collection, retention, identity correlation, and cloud shell/API visibility.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059 | Command and Scripting Interpreter | This object is a sub-technique of Command and Scripting Interpreter. |
Groups, software, and campaigns
G1053: Storm-0501
Storm-0501 is a financially motivated cyber criminal group that uses commodity and open-source tools to conduct ransomware operations. Storm-0501 has been active since 2021 and has previously been affiliated with Sabbath Ransomware and other Ransomware-as-a-Service (RaaS) variants such as Hive, BlackCat, Hunters International, LockBit 3.0, and Embargo ransomware.[1][2][3][4]
G0139: TeamTNT
TeamTNT is a threat group that has primarily targeted cloud and containerized environments. The group has been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments.[1][2][3][4][5][6][7][8][9]
G0016: APT29
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]
S9009: TruffleHog
TruffleHog is an open-source secrets-discovery tool that is used to search for credentials, API keys, and encryption keys across a variety of data sources and environments.[1][2] TruffleHog has the ability to discover credentials and secrets stored in code repositories, git history, CI/CD pipelines, among other common storage locations to include filesystems and cloud storage buckets.[1][3][2] TruffleHog was first released by its author in 2016.[2]
S1091: Pacu
Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.[1]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | af21737e0e45… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Microsoft - Azure PowerShell. Microsoft. (2014, December 12). Azure/azure-powershell. Retrieved March 24, 2023.
[2] mitre-attack T1059.009.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.