Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to File and Directory Discovery on a local host, after identifying available storage services (i.e. Cloud Infrastructure Discovery) adversaries may access the contents/objects stored in cloud infrastructure.
Cloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS (Citation: ListObjectsV2) and List Blobs in Azure(Citation: List Blobs) .
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1619 | Cloud Storage Object Discovery |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
References
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1619 | Cloud Storage Object Discovery |
Comments
This diagnostic statement protects against Cloud Storage Object Discovery through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-02 | Account Management | mitigates | T1619 | Cloud Storage Object Discovery | |
| CM-05 | Access Restrictions for Change | mitigates | T1619 | Cloud Storage Object Discovery | |
| AC-17 | Remote Access | mitigates | T1619 | Cloud Storage Object Discovery | |
| IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1619 | Cloud Storage Object Discovery | |
| AC-03 | Access Enforcement | mitigates | T1619 | Cloud Storage Object Discovery | |
| AC-05 | Separation of Duties | mitigates | T1619 | Cloud Storage Object Discovery | |
| AC-06 | Least Privilege | mitigates | T1619 | Cloud Storage Object Discovery |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| defender_for_containers | Microsoft Defender for Containers | technique_scores | T1619 | Cloud Storage Object Discovery |
Comments
This capability can detect cloud storage object (blob) discovery.
References
|
| defender_for_containers | Microsoft Defender for Containers | technique_scores | T1619 | Cloud Storage Object Discovery |
Comments
This capability can protect against cloud object storage (blob) discovery.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| vpc_service_controls | VPC Service Controls | technique_scores | T1619 | Cloud Storage Object Discovery |
Comments
This control may mitigate against discovery of cloud storage objects. This control is not able to protect metadata, such as cloud storage bucket names but can protect against discovery of the contents of a storage bucket.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| amazon_guardduty | Amazon GuardDuty | technique_scores | T1619 | Cloud Storage Object Discovery |
Comments
The GuardDuty finding Discovery:IAMUser/AnomalousBehavior can be used to detect this technique.
References
|