MITRE ATT&CK Technique
Description
Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. With authenticated access there are several tools that can be used to find accounts. The <code>Get-MsolRoleMember</code> PowerShell cmdlet can be used to obtain account names given a role or permissions group in Office 365.(Citation: Microsoft msolrolemember)(Citation: GitHub Raindance) The Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command <code>az ad user list</code> will list all users within a domain.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018) The AWS command <code>aws iam list-users</code> may be used to obtain a list of users in the current account while <code>aws iam list-roles</code> can obtain IAM roles that have a specified path prefix.(Citation: AWS List Roles)(Citation: AWS List Users) In GCP, <code>gcloud iam service-accounts list</code> and <code>gcloud projects get-iam-policy</code> may be used to obtain a listing of service accounts and users in a project.(Citation: Google Cloud - IAM Servie Accounts List API)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-02-21T21:08:36.570Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may attempt to get a listing of cloud accounts. '
'Cloud accounts are those created and configured by an '
'organization for use by users, remote support, services, or '
'for administration of resources within a cloud service '
'provider or SaaS application.\n'
'\n'
'With authenticated access there are several tools that can be '
'used to find accounts. The <code>Get-MsolRoleMember</code> '
'PowerShell cmdlet can be used to obtain account names given a '
'role or permissions group in Office 365.(Citation: Microsoft '
'msolrolemember)(Citation: GitHub Raindance) The Azure CLI (AZ '
'CLI) also provides an interface to obtain user accounts with '
'authenticated access to a domain. The command <code>az ad '
'user list</code> will list all users within a '
'domain.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red '
'Teaming MS AD Azure, 2018) \n'
'\n'
'The AWS command <code>aws iam list-users</code> may be used '
'to obtain a list of users in the current account while '
'<code>aws iam list-roles</code> can obtain IAM roles that '
'have a specified path prefix.(Citation: AWS List '
'Roles)(Citation: AWS List Users) In GCP, <code>gcloud iam '
'service-accounts list</code> and <code>gcloud projects '
'get-iam-policy</code> may be used to obtain a listing of '
'service accounts and users in a project.(Citation: Google '
'Cloud - IAM Servie Accounts List API)',
'external_references': [{'external_id': 'T1087.004',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1087/004'},
{'description': 'Amazon. (n.d.). List Roles. '
'Retrieved August 11, 2020.',
'source_name': 'AWS List Roles',
'url': 'https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html'},
{'description': 'Amazon. (n.d.). List Users. '
'Retrieved August 11, 2020.',
'source_name': 'AWS List Users',
'url': 'https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html'},
{'description': 'Felch, M.. (2018, August 31). Red '
'Teaming Microsoft Part 1 Active '
'Directory Leaks via Azure. Retrieved '
'October 6, 2019.',
'source_name': 'Black Hills Red Teaming MS AD Azure, '
'2018',
'url': 'https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/'},
{'description': 'Google. (2020, June 23). gcloud iam '
'service-accounts list. Retrieved '
'August 4, 2020.',
'source_name': 'Google Cloud - IAM Servie Accounts '
'List API',
'url': 'https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list'},
{'description': 'Microsoft. (n.d.). az ad user. '
'Retrieved October 6, 2019.',
'source_name': 'Microsoft AZ CLI',
'url': 'https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest'},
{'description': 'Microsoft. (n.d.). '
'Get-MsolRoleMember. Retrieved '
'October 6, 2019.',
'source_name': 'Microsoft msolrolemember',
'url': 'https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrolemember?view=azureadps-1.0'},
{'description': 'Stringer, M.. (2018, November 21). '
'RainDance. Retrieved October 6, '
'2019.',
'source_name': 'GitHub Raindance',
'url': 'https://github.com/True-Demon/raindance'}],
'id': 'attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'discovery'}],
'modified': '2025-10-24T17:49:05.745Z',
'name': 'Cloud Account',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Praetorian'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['IaaS', 'Identity Provider', 'Office Suite', 'SaaS'],
'x_mitre_version': '1.3'}