MITRE ATT&CK® Technique

T1087.004: Cloud Account

Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application.

With authenticated access there are several tools that can be used to find accounts. The Get-MsolRoleMember PowerShell cmdlet can be used to obtain account names given a role or permissions group in Office 365.[1][2] The Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command az ad user list will list all users within a domain.[3][4]

The AWS command aws iam list-users may be used to obtain a list of users in the current account while aws iam list-roles can obtain IAM roles that have a specified path prefix.[5][6] In GCP, gcloud iam service-accounts list and gcloud projects get-iam-policy may be used to obtain a listing of service accounts and users in a project.[7]

Enterprise | T1087.004 | Sub-technique | Object v1.3
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Cloud Account is cloud and SaaS account discovery: an authenticated actor lists users, roles, service accounts, or permission groups in environments such as IaaS, identity providers, Office suites, and SaaS. The business issue is not the listing command itself; it is that account maps help an intruder choose higher-value identities for follow-on compromise, privilege abuse, or social engineering.

Executive priority

Treat this as an identity and cloud control-plane readiness question. Leaders should ask whether the organization can prove who enumerated accounts, from where, using which interface, and whether that behavior was expected administration. This supports incident triage, least-privilege investment, audit evidence, and prioritization of cloud logging across AWS, Azure/Office 365, GCP, identity provider, and SaaS environments.

Technical view

This is a discovery sub-technique under Account Discovery for IaaS, Identity Provider, Office Suite, and SaaS platforms. ATT&CK does not provide official detection text, but the relationship to DET0386 points defenders toward detecting account enumeration through API, CLI, and scripting interfaces. SOC teams should validate visibility for cloud IAM and directory listing activity, including Azure/Office 365 PowerShell or CLI activity, AWS IAM user/role listing, and GCP IAM service-account or policy listing. Detection should distinguish normal administrative inventory from unusual enumeration by rare principals, new sessions, unexpected source locations, or tooling associated in ATT&CK relationships such as AADInternals, ROADTools, and Pacu.

Likely telemetry

  • Cloud control-plane audit logs for IAM, user, role, service-account, and policy listing activity
  • Identity provider directory audit logs and sign-in/session context
  • Office Suite and Azure/Entra administrative PowerShell or CLI activity logs
  • AWS IAM API activity logs
  • GCP IAM and project audit logs

Detection direction

  • Use DET0386 as the ATT&CK-aligned detection strategy reference, while recognizing that the technique itself has no official detection text supplied.
  • Baseline expected account and role enumeration by administrators, inventory jobs, compliance tooling, and support workflows to reduce false positives.
  • Alert or hunt for enumeration by newly observed principals, non-admin users, unusual source locations, atypical user agents, uncommon CLI/API clients, or bursts of directory/IAM read activity.
  • Correlate enumeration with recent authentication events, privilege changes, new tokens/sessions, or access from cloud/SaaS environments where the account does not normally operate.
  • Check blind spots: disabled or non-centralized cloud audit logs, missing SaaS audit exports, insufficient retention, and lack of service-account visibility.
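To make the baseline-and-burst logic in the bullets above concrete, here is an added Python example (not code from the ATT&CK object or from Glexia) that runs over a constructed list of SIEM-normalized control-plane audit events; the API names, event fields and the admin baseline are assumptions for illustration.

```python
"""Flag cloud account-enumeration calls that fall outside an administrative baseline.
Added example, not part of the ATT&CK object or any Glexia tooling. Input is a
constructed list of SIEM-normalized audit events; the field names are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Read-only control-plane calls behind the commands the technique text names.
ENUM_APIS = {
    "iam:ListUsers", "iam:ListRoles",                   # aws iam list-users / list-roles
    "aad:ListUsers", "msol:GetRoleMember",              # az ad user list / Get-MsolRoleMember
    "gcp:iam.serviceAccounts.list",                     # gcloud iam service-accounts list
    "gcp:resourcemanager.projects.getIamPolicy",        # gcloud projects get-iam-policy
}

def detect_enumeration(events, baseline, burst_n=3, window=timedelta(minutes=5)):
    """Return an alert dict (the event plus reasons) for each suspicious enumeration call.
    events   : dicts with keys time (ISO 8601), principal, api, source_ip
    baseline : principal -> set of source IPs seen doing routine inventory
    burst_n  : enumeration calls by one principal inside `window` that count as a burst
    """
    alerts, recent = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["api"] not in ENUM_APIS:
            continue
        t, reasons = datetime.fromisoformat(ev["time"]), []
        expected = baseline.get(ev["principal"])
        if expected is None:
            reasons.append("principal not in enumeration baseline")
        elif ev["source_ip"] not in expected:
            reasons.append("baselined principal from unexpected source")
        # Sliding window of this principal's recent enumeration calls, newest last.
        hist = [x for x in recent[ev["principal"]] if t - x <= window] + [t]
        recent[ev["principal"]] = hist
        if len(hist) >= burst_n:
            reasons.append(f"{len(hist)} enumeration calls within {window}")
        if reasons:
            alerts.append({**ev, "reasons": reasons})
    return alerts

# Constructed sample: a routine inventory job, then a new principal walking IAM and GCP.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T02:00:00", "principal": "inventory-bot", "api": "iam:ListUsers", "source_ip": "10.0.0.5"},
    {"time": "2024-05-01T09:10:00", "principal": "contractor-42", "api": "iam:ListUsers", "source_ip": "203.0.113.9"},
    {"time": "2024-05-01T09:10:30", "principal": "contractor-42", "api": "iam:ListRoles", "source_ip": "203.0.113.9"},
    {"time": "2024-05-01T09:11:00", "principal": "contractor-42", "api": "gcp:iam.serviceAccounts.list", "source_ip": "203.0.113.9"},
    {"time": "2024-05-01T09:12:00", "principal": "contractor-42", "api": "s3:GetObject", "source_ip": "203.0.113.9"},
]
BASELINE = {"inventory-bot": {"10.0.0.5"}}  # constructed: the only expected enumerator
```

On the sample, the inventory job produces no alert, the three enumeration calls by contractor-42 each fire for being outside the baseline, and the third additionally fires as a burst; the non-enumeration S3 call is ignored.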

Mitigation priorities

  • Prioritize M1018 User Account Management: enforce account lifecycle controls, remove stale users and service accounts, and limit privileges so enumeration exposes less useful access structure.
  • Apply least privilege to directory and IAM read permissions, especially for roles that can list users, roles, groups, policies, or service accounts across broad scopes.
  • Prioritize M1047 Audit: ensure cloud, identity provider, Office Suite, and SaaS administrative activity is logged, retained, and reviewable for investigations and compliance evidence.
  • Regularly review who can perform broad account discovery and whether that access is still required for business operations.
  • Include cloud account enumeration scenarios in SOC validation and incident response playbooks.

Analyst notes and limits

ATT&CK relationships show this behavior is used by multiple groups, a campaign, and publicly available tools, but that should be used as context for defensive validation rather than as evidence of current activity in any specific environment. The most useful local question is whether authenticated discovery can be reliably separated from normal administration.

The supplied ATT&CK object does not include official detection guidance. This take is limited to the provided description, platforms, references, and relationships; actual coverage depends on each organization’s cloud services, SaaS audit capabilities, identity architecture, logging configuration, and retention.

Official MITRE ATT&CK definition


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID      Name               Relationship / procedure
Enterprise  T1087   Account Discovery  This object is a sub-technique of Account Discovery.
Associated objects

Groups, software, and campaigns

Group (Enterprise)

G1053: Storm-0501

Storm-0501 is a financially motivated cyber criminal group that uses commodity and open-source tools to conduct ransomware operations. Storm-0501 has been active since 2021 and has previously been affiliated with Sabbath Ransomware and other Ransomware-as-a-Service (RaaS) variants such as Hive, BlackCat, Hunters International, LockBit 3.0, and Embargo ransomware.[1][2][3][4]

Group (Enterprise)

G0016: APT29

APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]

In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]

Tool (Enterprise)

S0684: ROADTools

ROADTools is a framework for enumerating Azure Active Directory environments. The tool is written in Python and publicly available on GitHub.[1]

Platforms: Identity Provider

Tool (Enterprise)

S0677: AADInternals

AADInternals is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.[1][2]

Platforms: Windows, Office Suite, Identity Provider

Tool (Enterprise)

S1091: Pacu

Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.[1]

Platforms: IaaS

Campaign (Enterprise)

C0027: C0027

C0027 was a financially-motivated campaign linked to Scattered Spider that targeted telecommunications and business process outsourcing (BPO) companies from at least June through December of 2022. During C0027 Scattered Spider used various forms of social engineering, performed SIM swapping, and attempted to leverage access from victim environments to mobile carrier networks.[1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.3
Created:
Modified:
Raw hash: d61405318c5ca267...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.3                       Current bundle  d61405318c5c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [Microsoft msolrolemember] Microsoft. (n.d.). Get-MsolRoleMember. Retrieved October 6, 2019.
  2. [GitHub Raindance] Stringer, M. (2018, November 21). RainDance. Retrieved October 6, 2019.
  3. [Microsoft AZ CLI] Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
  4. [Black Hills Red Teaming MS AD Azure, 2018] Felch, M. (2018, August 31). Red Teaming Microsoft Part 1 Active Directory Leaks via Azure. Retrieved October 6, 2019.
  5. [AWS List Roles] Amazon. (n.d.). List Roles. Retrieved August 11, 2020.
  6. [AWS List Users] Amazon. (n.d.). List Users. Retrieved August 11, 2020.
  7. [Google Cloud - IAM Service Accounts List API] Google. (2020, June 23). gcloud iam service-accounts list. Retrieved August 4, 2020.
  8. [mitre-attack T1087.004] MITRE ATT&CK source object for T1087.004.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.