T1069.003: Cloud Groups
Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.
With authenticated access there are several tools that can be used to find permissions groups. The Get-MsolRole PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts [1][2].
Azure CLI (AZ CLI) and the Google Cloud Identity Provider API also provide interfaces to obtain permissions groups. The command az ad user get-member-groups will list groups associated to a user account for Azure while the API endpoint GET https://cloudidentity.googleapis.com/v1/groups lists group resources available to a user for Google.[3][4][5] In AWS, the commands `ListRolePolicies` and `ListAttachedRolePolicies` allow users to enumerate the policies attached to a role.[6]
Adversaries may attempt to list ACLs for objects to determine the owner and other accounts with access to the object, for example, via the AWS GetBucketAcl API [7]. Using this information an adversary can target accounts with permissions to a given object or leverage accounts they have already compromised to access the object.
Analyst context for executives and security teams
Cloud Groups is a discovery behavior where an authenticated user or workload queries cloud, identity, SaaS, or office-suite group memberships, roles, policies, or object ACLs. For leaders, the issue is not the query alone; it is that group and permission visibility can help an intruder identify privileged users, sensitive resources, and viable paths for follow-on access.
Executive priority
Prioritize this as an identity and cloud readiness question: can the organization tell the difference between normal administration and suspicious enumeration of roles, groups, policies, and object access? This matters for incident scoping, least-privilege validation, audit evidence, and cloud resilience because discovery of permission structure often precedes more targeted activity. ATT&CK provides no official detection text for this technique, so leadership should ask whether cloud control-plane, identity-provider, and SaaS audit logs are actually retained and reviewed for this behavior.
Technical view
Validate monitoring across the supported platforms: SaaS, IaaS, Office Suite, and Identity Provider. The supplied ATT&CK description references enumeration through Microsoft cloud PowerShell/CLI interfaces, Azure AD group membership queries, Google Cloud Identity group listing, AWS role policy listing, and S3 bucket ACL reads. Detection engineering should focus on authenticated API and CLI access patterns that enumerate group membership, roles, attached policies, and object ACLs, especially when performed by unusual users, workloads, locations, sessions, or at unusual volume. Relationship context notes DET0251, Behavioral Detection of Cloud Group Enumeration via API and CLI Access, and public tools such as AADInternals, ROADTools, and Pacu that can be relevant to testing or investigation.
Likely telemetry
- Identity provider audit logs for group, role, and membership read operations
- Cloud control-plane API logs for role policy, attached policy, group, and ACL read requests
- SaaS and office-suite administrative audit logs
- CLI and PowerShell execution telemetry where available
- Authentication context such as user, service principal, workload identity, source IP, device, session, and geolocation
Detection direction
- Build or validate analytics for bursts or broad sweeps of group, role, policy, membership, or ACL read operations by authenticated principals.
- Tune detections against known administrative workflows, inventory jobs, compliance scans, and automation to reduce false positives without suppressing rare or high-risk enumeration.
- Correlate discovery events with recent authentication anomalies, new sessions, unusual source locations, newly used tools, or access by accounts that do not normally perform IAM or cloud administration.
- Use the DET0251 relationship as a direction to evaluate behavioral detection of cloud group enumeration via API and CLI access, while recognizing that the ATT&CK technique itself does not include official detection guidance.
- Include relationship-driven test cases for Azure/identity enumeration tools and AWS exploitation frameworks where those tools are authorized for defensive validation.
Mitigation priorities
- Ensure cloud, SaaS, and identity audit logging is enabled and retained long enough to support incident response and compliance evidence.
- Apply least privilege so ordinary users, service principals, and workloads cannot enumerate more group, role, policy, or ACL information than required.
- Review permissions around role policy reads, group membership visibility, and object ACL visibility in each cloud or identity environment.
- Separate and monitor administrative accounts and automation identities that legitimately perform group or policy inventory.
- Document expected administrative enumeration patterns so SOC and IR teams can distinguish routine governance from suspicious discovery during investigations.
Analyst notes and limits
This object is a Discovery sub-technique of Permission Groups Discovery and is scoped to cloud and identity-oriented platforms. The official description supplies examples across Microsoft cloud services, Azure, Google Cloud Identity, AWS IAM, and AWS S3 ACLs. Related ATT&CK context includes a detection strategy, one campaign relationship, and software relationships to AADInternals, ROADTools, and Pacu; these relationships support defensive validation but do not by themselves prove activity in any specific environment.
MITRE provides no official detection text or mitigations in the supplied fields. Local log availability, API audit configuration, identity architecture, and normal administrator behavior will determine whether this behavior is observable and actionable. The supplied relationship to a campaign should not be interpreted as current activity or attribution without separate evidence.
Cloud Groups
Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.
With authenticated access there are several tools that can be used to find permissions groups. The Get-MsolRole PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts [1][2].
Azure CLI (AZ CLI) and the Google Cloud Identity Provider API also provide interfaces to obtain permissions groups. The command az ad user get-member-groups will list groups associated to a user account for Azure while the API endpoint GET https://cloudidentity.googleapis.com/v1/groups lists group resources available to a user for Google.[3][4][5] In AWS, the commands `ListRolePolicies` and `ListAttachedRolePolicies` allow users to enumerate the policies attached to a role.[6]
Adversaries may attempt to list ACLs for objects to determine the owner and other accounts with access to the object, for example, via the AWS GetBucketAcl API [7]. Using this information an adversary can target accounts with permissions to a given object or leverage accounts they have already compromised to access the object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1069 | Permission Groups Discovery | This object subtechnique of Permission Groups Discovery. |
Groups, software, and campaigns
S0684: ROADTools
S0677: AADInternals
AADInternals is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.[1][2]
S1091: Pacu
Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.[1]
C0027: C0027
C0027 was a financially-motivated campaign linked to Scattered Spider that targeted telecommunications and business process outsourcing (BPO) companies from at least June through December of 2022. During C0027 Scattered Spider used various forms of social engineering, performed SIM swapping, and attempted to leverage access from victim environments to mobile carrier networks.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.5 | Current bundle | 2fe1f85d48f1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
Microsoft Msolrole
Microsoft. (n.d.). Get-MsolRole. Retrieved October 6, 2019.
Open source URL -
[2]
GitHub Raindance
Stringer, M.. (2018, November 21). RainDance. Retrieved October 6, 2019.
Open source URL -
[3]
Microsoft AZ CLI
Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
Open source URL -
[4]
Black Hills Red Teaming MS AD Azure, 2018
Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active Directory Leaks via Azure. Retrieved October 6, 2019.
Open source URL -
[5]
Google Cloud Identity API Documentation
Google. (n.d.). Retrieved March 16, 2021.
Open source URL -
[6]
Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022
Dror Alon. (2022, December 8). Compromised Cloud Compute Credentials: Case Studies From the Wild. Retrieved March 9, 2023.
Open source URL -
[7]
AWS Get Bucket ACL
Amazon Web Services. (n.d.). Retrieved May 28, 2021.
Open source URL -
[8]
mitre-attack T1069.003Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.