Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to File and Directory Discovery on a local host, after identifying available storage services (i.e. Cloud Infrastructure Discovery) adversaries may access the contents/objects stored in cloud infrastructure.
Cloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS (Citation: ListObjectsV2) and List Blobs in Azure (Citation: List Blobs).
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
AC-17 | Remote Access | Protects | T1619 | Cloud Storage Object Discovery |
AC-2 | Account Management | Protects | T1619 | Cloud Storage Object Discovery |
AC-3 | Access Enforcement | Protects | T1619 | Cloud Storage Object Discovery |
AC-5 | Separation of Duties | Protects | T1619 | Cloud Storage Object Discovery |
AC-6 | Least Privilege | Protects | T1619 | Cloud Storage Object Discovery |
CM-5 | Access Restrictions for Change | Protects | T1619 | Cloud Storage Object Discovery |
IA-2 | Identification and Authentication (Organizational Users) | Protects | T1619 | Cloud Storage Object Discovery |
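
The following is an added detection example, not part of the ATT&CK entry or the mapping data: it flags principals that call an object-listing API against several distinct buckets within a short window. The records are constructed and shaped like CloudTrail S3 data events; the event names in `LIST_EVENTS`, the thresholds and the helper names are assumptions to adjust for your own audit log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: object-listing calls are logged under one of these event names.
LIST_EVENTS = {"ListObjects", "ListObjectsV2"}

def _ev(time, who, bucket, name="ListObjects"):
    # Hypothetical helper that builds one constructed, CloudTrail-shaped record.
    return {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": "arn:aws:iam::111122223333:" + who},
            "requestParameters": {"bucketName": bucket}}

# Constructed sample data (not real logs).
SAMPLE_EVENTS = [
    _ev("2024-01-01T10:00:00Z", "user/app", "app-data"),
    _ev("2024-01-01T10:01:00Z", "user/app", "app-data"),
    _ev("2024-01-01T10:02:00Z", "role/ci", "builds"),
    _ev("2024-01-01T10:02:30Z", "role/ci", "backups"),
    _ev("2024-01-01T10:03:00Z", "role/ci", "hr-exports"),
    _ev("2024-01-01T10:03:10Z", "role/ci", "builds", name="GetObject"),
    _ev("2024-01-01T08:00:00Z", "user/ops", "logs-a"),
    _ev("2024-01-01T09:00:00Z", "user/ops", "logs-b"),
    _ev("2024-01-01T10:00:00Z", "user/ops", "logs-c"),
]

def find_bucket_sweeps(events, min_buckets=3, window=timedelta(minutes=10)):
    """Return {principal ARN: sorted buckets} for principals that listed at
    least min_buckets distinct buckets inside one sliding time window."""
    calls = defaultdict(list)
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") not in LIST_EVENTS:
            continue
        bucket = (ev.get("requestParameters") or {}).get("bucketName")
        arn = (ev.get("userIdentity") or {}).get("arn")
        if not bucket or not arn:
            continue  # skip records missing the fields needed for attribution
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        calls[arn].append((ts, bucket))
    flagged = {}
    for arn, seen in calls.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > window:
                start += 1  # slide the window's left edge forward
            buckets = {b for _, b in seen[start:end + 1]}
            if len(buckets) >= min_buckets:
                flagged[arn] = sorted(buckets)
                break
    return flagged
```

With the default ten-minute window only the `role/ci` principal is reported; the `user/ops` listings are spread over two hours and the `user/app` calls touch a single bucket.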