An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a <code>DescribeInstances</code> API within the Amazon EC2 API that can return information about one or more instances within an account, the <code>ListBuckets</code> API that returns a list of all buckets owned by the authenticated sender of the request, the <code>HeadBucket</code> API to determine a bucket’s existence along with access permissions of the request sender, or the <code>GetPublicAccessBlock</code> API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the <code>gcloud compute instances list</code> command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command <code>az vm list</code> lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through Wordlist Scanning.(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)
An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as <code>DescribeDBInstances</code> to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in Cloud Service Discovery, this technique focuses on the discovery of components of the provided services rather than the services themselves.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1580 | Cloud Infrastructure Discovery |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques.
References
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1580 | Cloud Infrastructure Discovery |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
References
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1580 | Cloud Infrastructure Discovery |
Comments
This diagnostic statement protects against Cloud Infrastructure Discovery through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1580 | Cloud Infrastructure Discovery | |
| AC-02 | Account Management | mitigates | T1580 | Cloud Infrastructure Discovery | |
| AC-03 | Access Enforcement | mitigates | T1580 | Cloud Infrastructure Discovery | |
| AC-05 | Separation of Duties | mitigates | T1580 | Cloud Infrastructure Discovery | |
| AC-06 | Least Privilege | mitigates | T1580 | Cloud Infrastructure Discovery |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Scan network | Enumerating the state of the network | related-to | T1580 | Cloud Infrastructure Discovery |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| azure_policy | Azure Policy | technique_scores | T1580 | Cloud Infrastructure Discovery |
Comments
This control may provide recommendations to enable Azure services that limit access to cloud infrastructure. Several Azure services and controls provide mitigations against cloud infrastructure discovery.
References
|
| azure_role_based_access_control | Azure Role-Based Access Control | technique_scores | T1580 | Cloud Infrastructure Discovery |
Comments
This control can be used to limit the number of users that have privileges to discover cloud infrastructure thereby reducing an organization's cloud infrastructure attack surface.
References
|
| defender_for_key_vault | Microsoft Defender for Key Vault | technique_scores | T1580 | Cloud Infrastructure Discovery |
Comments
This control may alert on suspicious access of key vaults, including suspicious listing of key vault contents. This control does not alert on discovery of other cloud services, such as VMs, snapshots, cloud storage and therefore has minimal coverage. Suspicious activity based on patterns of access from certain users and applications allows for managing false positive rates.
References
|
| defender_for_open_source_databases | Microsoft Defender for Open-Source Relational Databases | technique_scores | T1580 | Cloud Infrastructure Discovery |
Comments
This control can detect unusual activity related to cloud data object storage enumeration.
References
|
| defender_for_resource_manager | Microsoft Defender for Resource Manager | technique_scores | T1580 | Cloud Infrastructure Discovery |
Comments
This control may alert on Cloud Infrastructure Discovery activity generated by specific toolkits, such as MicroBurst, PowerZure, etc. It may not generate alerts on undocumented discovery techniques or exploitation toolkits. The following alerts may be generated: "PowerZure exploitation toolkit used to enumerate storage containers, shares, and tables", "PowerZure exploitation toolkit used to enumerate resources", "MicroBurst exploitation toolkit used to enumerate resources in your subscriptions", "Azurite toolkit run detected".
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| mandiant_asm | Mandiant Attack Surface Management (ASM) | technique_scores | T1580 | Cloud Infrastructure Discovery |
Comments
Mandiant Attack Surface Management continuously discovers and assesses an organization's assets for vulnerabilities, misconfigurations, and exposures. This control can discover vulnerable Remote Services offered on the cloud or on hosted servers. Since this monitoring is continual and is derived from Mandiant cyber threat intelligence, this control is scored as significant.
References
|
| identity_platform | Identity Platform | technique_scores | T1580 | Cloud Infrastructure Discovery |
Comments
Identity Platform is a customer identity and access management (CIAM) platform that helps organizations add identity and access management functionality to their applications, protect user accounts, and scale with confidence on Google Cloud. With this, permissions are limited to discover cloud accounts in accordance with least privilege.
References
|
| policy_intelligence | Policy Intelligence | technique_scores | T1580 | Cloud Infrastructure Discovery |
Comments
Policy Intelligence role recommendations generated by IAM Recommender help admins remove unwanted access to GCP resources by using machine learning to make smart access control recommendations. With Recommender, security teams can automatically detect overly permissive access and rightsize them based on similar users in the organization and their access patterns. This control may mitigate adversaries that try to enumerate users access keys through VM or snapshots.
References
|
| resource_manager | Resource Manager | technique_scores | T1580 | Cloud Infrastructure Discovery |
Comments
Resource Manager can easily modify your Cloud Identity and Access Management policies for your organization and folders, and the changes will apply across all the projects and resources. Create and manage IAM access control policies for your organization and projects. This control may prevent adversaries that try to discover resources by placing a limit on discovery of these resources with least privilege.
References
|
| resource_manager | Resource Manager | technique_scores | T1580 | Cloud Infrastructure Discovery |
Comments
GCP allows configuration of account policies to enable logging and IAM permissions and roles that may detect compromised user attempts to discover infrastructure and resources.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| amazon_guardduty | Amazon GuardDuty | technique_scores | T1580 | Cloud Infrastructure Discovery |
Comments
The following GuardDuty finding types flag events that are linked to Discovery techniques and can be used to capture events where a malicious user may be searching through the account looking for available resources. The finding types are also used to flag certain signatures of running services to detect malicious user activities from commonly used pentest operating systems.
Discovery:IAMUser/AnomalousBehavior Discovery:S3/MaliciousIPCaller Discovery:S3/MaliciousIPCaller.Custom Discovery:S3/TorIPCaller PenTest:IAMUser/KaliLinux PenTest:IAMUser/ParrotLinux PenTest:IAMUser/PentooLinux PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux
References
|
| aws_organizations | AWS Organizations | technique_scores | T1580 | Cloud Infrastructure Discovery |
Comments
This control may protect against cloud infrastructure discovery by segmenting accounts into separate organizational units and restricting infrastructure access by least privilege.
References
|
| aws_security_hub | AWS Security Hub | technique_scores | T1580 | Cloud Infrastructure Discovery |
Comments
AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access as well as accessible EC2 instances that may result in an adversary learning about cloud infrastructure used by the organization. AWS Security Hub provides these detections with the following managed insights.
S3 buckets with public write or read permissions EC2 instances that have ports accessible from the Internet EC2 instances that are open to the Internet
AWS Security Hub also performs checks from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting improperly secured S3 buckets which could result in them being discovered. AWS Security Hub provides this detection with the following check.
3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes
This is scored as Partial because S3 and EC2 only represent a subset of available cloud infrastructure components.
References
|