Detection coverage in DCV across AWS, Azure and GCP for Account Discovery: Cloud Account, plus the corresponding Sigma rules in the CloudSigma library. Source data refreshed 2026-06-05.
Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application.
With authenticated access there are several tools that can be used to find accounts. The `Get-MsolRoleMember` PowerShell cmdlet can be used to obtain account names given a role or permissions group in Office 365. The Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command `az ad user list` will list all users within a domain.
The AWS command `aws iam list-users` may be used to obtain a list of users in the current account while `aws iam list-roles` can obtain IAM roles that have a specified path prefix. In GCP, `gcloud iam service-accounts list` and `gcloud projects get-iam-policy` may be used to obtain a listing of service accounts and users in a project.
Platforms: IaaS, Identity Provider, Office Suite, SaaS.
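An added example, not a DCV or CloudSigma rule and not part of the original page: a Python detector that groups the AWS and GCP listing calls named above by principal and flags any principal that makes two or more different calls within ten minutes. The GCP `methodName` endings, the threshold, the window and every sample record are assumptions constructed for illustration; the Azure and Office 365 commands are not covered.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Read-only listing calls behind the AWS and GCP commands named above.
AWS_CALLS = {"ListUsers", "ListRoles"}
GCP_SUFFIXES = ("ListServiceAccounts", "GetIamPolicy")  # assumed methodName endings

def normalize(rec):
    """Map a CloudTrail or GCP audit record to (principal, call, time), else None."""
    if rec.get("eventSource") == "iam.amazonaws.com" and rec.get("eventName") in AWS_CALLS:
        return rec["userIdentity"]["arn"], "aws:" + rec["eventName"], rec["eventTime"]
    payload = rec.get("protoPayload", {})
    method = payload.get("methodName", "")
    if method.endswith(GCP_SUFFIXES):
        who = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
        return who, "gcp:" + method.rsplit(".", 1)[-1], rec["timestamp"]
    return None

def find_account_enumeration(records, min_distinct=2, window=timedelta(minutes=10)):
    """Flag principals making >= min_distinct different listing calls within one window."""
    by_principal = defaultdict(list)
    for who, call, ts in filter(None, map(normalize, records)):
        by_principal[who].append((datetime.fromisoformat(ts.replace("Z", "+00:00")), call))
    flagged = {}
    for who, hits in by_principal.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            calls = {c for t, c in hits[i:] if t - start <= window}
            if len(calls) >= min_distinct:
                flagged[who] = sorted(calls)
                break
    return flagged

# Constructed sample records (not real telemetry); timestamps at second precision.
def _aws(user, name, ts, source="iam.amazonaws.com"):
    arn = "arn:aws:iam::111122223333:user/" + user
    return {"eventSource": source, "eventName": name, "eventTime": ts, "userIdentity": {"arn": arn}}
def _gcp(method, ts, email="svc@example-project.iam.gserviceaccount.com"):
    return {"timestamp": ts, "protoPayload": {"methodName": method,
            "authenticationInfo": {"principalEmail": email}}}
SAMPLE = [
    _aws("ci-deploy", "ListUsers", "2026-01-10T10:00:05Z"),
    _aws("ci-deploy", "ListRoles", "2026-01-10T10:01:10Z"),
    _aws("alice", "ListUsers", "2026-01-10T09:00:00Z"),
    _aws("alice", "ListRoles", "2026-01-10T11:30:00Z"),  # outside the window
    _aws("alice", "ListBuckets", "2026-01-10T09:01:00Z", "s3.amazonaws.com"),
    _gcp("google.iam.admin.v1.ListServiceAccounts", "2026-01-10T12:00:00Z"),
    _gcp("GetIamPolicy", "2026-01-10T12:03:00Z"),
]
```

In GCP these read calls are recorded only when Data Access audit logs (ADMIN_READ) are enabled for the service, so an empty result there can mean missing telemetry rather than no activity.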
DCV maps 1 detection across 1 cloud provider to T1087.004. Coverage by source:
| Source | Cloud | Findings mapped | Avg confidence |
|---|---|---|---|
| GCP Chronicle | GCP | 1 | 0.85 |
CloudSigma has coverage metadata for 1 T1087.004 rule across 3 platforms. The linked platform page remains the canonical rule surface; this page will embed an example after a rule clears the public embed bar.
CloudSigma has coverage metadata for T1087.004, but no public example rule clears the embed bar for this page yet. Generate a fresh starting-point rule in CloudSigma from the relevant advisory or threat-research input, then validate it against your local telemetry before enabling it in production.
DCV maps 1 cloud-native detection to T1087.004 across 1 cloud provider, drawn from GCP Chronicle.
T1087.004 is part of MITRE ATT&CK TA0007 Discovery: How adversaries learn what they have access to.
CloudSigma ships 3 validated Sigma rules for T1087.004 across AWS CloudTrail, Azure Activity and GCP Audit Logs. Each rule is validated against its source SIEM dialect before publication.