MITRE ATT&CK Technique
Description
Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group. With authenticated access there are several tools that can be used to find permissions groups. The <code>Get-MsolRole</code> PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts (Citation: Microsoft Msolrole)(Citation: GitHub Raindance). Azure CLI (AZ CLI) and the Google Cloud Identity Provider API also provide interfaces to obtain permissions groups. The command <code>az ad user get-member-groups</code> will list groups associated to a user account for Azure while the API endpoint <code>GET https://cloudidentity.googleapis.com/v1/groups</code> lists group resources available to a user for Google.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)(Citation: Google Cloud Identity API Documentation) In AWS, the commands `ListRolePolicies` and `ListAttachedRolePolicies` allow users to enumerate the policies attached to a role.(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022) Adversaries may attempt to list ACLs for objects to determine the owner and other accounts with access to the object, for example, via the AWS <code>GetBucketAcl</code> API (Citation: AWS Get Bucket ACL). Using this information an adversary can target accounts with permissions to a given object or leverage accounts they have already compromised to access the object.
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-02-21T21:15:33.222Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may attempt to find cloud groups and permission '
'settings. The knowledge of cloud permission groups can help '
'adversaries determine the particular roles of users and '
'groups within an environment, as well as which users are '
'associated with a particular group.\n'
'\n'
'With authenticated access there are several tools that can be '
'used to find permissions groups. The '
'<code>Get-MsolRole</code> PowerShell cmdlet can be used to '
'obtain roles and permissions groups for Exchange and Office '
'365 accounts (Citation: Microsoft Msolrole)(Citation: GitHub '
'Raindance).\n'
'\n'
'Azure CLI (AZ CLI) and the Google Cloud Identity Provider API '
'also provide interfaces to obtain permissions groups. The '
'command <code>az ad user get-member-groups</code> will list '
'groups associated to a user account for Azure while the API '
'endpoint <code>GET '
'https://cloudidentity.googleapis.com/v1/groups</code> lists '
'group resources available to a user for Google.(Citation: '
'Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD '
'Azure, 2018)(Citation: Google Cloud Identity API '
'Documentation) In AWS, the commands `ListRolePolicies` and '
'`ListAttachedRolePolicies` allow users to enumerate the '
'policies attached to a role.(Citation: Palo Alto Unit 42 '
'Compromised Cloud Compute Credentials 2022)\n'
'\n'
'Adversaries may attempt to list ACLs for objects to determine '
'the owner and other accounts with access to the object, for '
'example, via the AWS <code>GetBucketAcl</code> API (Citation: '
'AWS Get Bucket ACL). Using this information an adversary can '
'target accounts with permissions to a given object or '
'leverage accounts they have already compromised to access the '
'object.',
'external_references': [{'external_id': 'T1069.003',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1069/003'},
{'description': 'Amazon Web Services. (n.d.). '
'Retrieved May 28, 2021.',
'source_name': 'AWS Get Bucket ACL',
'url': 'https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketAcl.html'},
{'description': 'Dror Alon. (2022, December 8). '
'Compromised Cloud Compute '
'Credentials: Case Studies From the '
'Wild. Retrieved March 9, 2023.',
'source_name': 'Palo Alto Unit 42 Compromised Cloud '
'Compute Credentials 2022',
'url': 'https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/'},
{'description': 'Felch, M.. (2018, August 31). Red '
'Teaming Microsoft Part 1 Active '
'Directory Leaks via Azure. Retrieved '
'October 6, 2019.',
'source_name': 'Black Hills Red Teaming MS AD Azure, '
'2018',
'url': 'https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/'},
{'description': 'Google. (n.d.). Retrieved March 16, '
'2021.',
'source_name': 'Google Cloud Identity API '
'Documentation',
'url': 'https://cloud.google.com/identity/docs/reference/rest'},
{'description': 'Microsoft. (n.d.). az ad user. '
'Retrieved October 6, 2019.',
'source_name': 'Microsoft AZ CLI',
'url': 'https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest'},
{'description': 'Microsoft. (n.d.). Get-MsolRole. '
'Retrieved October 6, 2019.',
'source_name': 'Microsoft Msolrole',
'url': 'https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrole?view=azureadps-1.0'},
{'description': 'Stringer, M.. (2018, November 21). '
'RainDance. Retrieved October 6, '
'2019.',
'source_name': 'GitHub Raindance',
'url': 'https://github.com/True-Demon/raindance'}],
'id': 'attack-pattern--16e94db9-b5b1-4cd0-b851-f38fbd0a70f2',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'discovery'}],
'modified': '2025-10-24T17:48:26.982Z',
'name': 'Cloud Groups',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Regina Elwell', 'Isif Ibrahima, Mandiant'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['SaaS', 'IaaS', 'Office Suite', 'Identity Provider'],
'x_mitre_version': '1.5'}