An adversary may attempt to discover resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a <code>DescribeInstances</code> API within the Amazon EC2 API that can return information about one or more instances within an account, as well as the <code>ListBuckets</code> API that returns a list of all buckets owned by the authenticated sender of the request.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API) Similarly, GCP's Cloud SDK CLI provides the <code>gcloud compute instances list</code> command to list all Google Compute Engine instances in a project(Citation: Google Compute Instances), and Azure's CLI command <code>az vm list</code> lists details of virtual machines.(Citation: Microsoft AZ CLI)
An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020) Unlike in Cloud Service Discovery, this technique focuses on the discovery of components of the provided services rather than the services themselves.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1580 | Cloud Infrastructure Discovery | |
| AC-3 | Access Enforcement | Protects | T1580 | Cloud Infrastructure Discovery | |
| AC-5 | Separation of Duties | Protects | T1580 | Cloud Infrastructure Discovery | |
| AC-6 | Least Privilege | Protects | T1580 | Cloud Infrastructure Discovery | |
| IA-2 | Identification and Authentication (organizational Users) | Protects | T1580 | Cloud Infrastructure Discovery | |
| azure_defender_for_resource_manager | Azure Defender for Resource Manager | technique_scores | T1580 | Cloud Infrastructure Discovery |
Comments
This control may alert on Cloud Infrastructure Discovery activity generated by specific toolkits, such as MicroBurst, PowerZure, etc. It may not generate alerts on undocumented discovery techniques or exploitation toolkits. The following alerts may be generated: "PowerZure exploitation toolkit used to enumerate storage containers, shares, and tables", "PowerZure exploitation toolkit used to enumerate resources", "MicroBurst exploitation toolkit used to enumerate resources in your subscriptions", "Azurite toolkit run detected".
References
|
| azure_sentinel | Azure Sentinel | technique_scores | T1580 | Cloud Infrastructure Discovery |
Comments
The Azure Sentinel Hunting "Azure storage key enumeration" query can identify potential attempts by an attacker to discover cloud infrastructure resources.
References
|
| azure_defender_for_key_vault | Azure Defender for Key Vault | technique_scores | T1580 | Cloud Infrastructure Discovery |
Comments
This control may alert on suspicious access of key vaults, including suspicious listing of key vault contents. This control does not alert on discovery of other cloud services, such as VMs, snapshots, cloud storage and therefore has minimal coverage. Suspicious activity based on patterns of access from certain users and applications allows for managing false positive rates.
References
|
| role_based_access_control | Role Based Access Control | technique_scores | T1580 | Cloud Infrastructure Discovery |
Comments
This control can be used to limit the number of users that have privileges to discover cloud infrastructure thereby reducing an organization's cloud infrastructure attack surface.
References
|
| azure_policy | Azure Policy | technique_scores | T1580 | Cloud Infrastructure Discovery |
Comments
This control may provide recommendations to enable Azure services that limit access to cloud infrastructure. Several Azure services and controls provide mitigations against cloud infrastructure discovery.
References
|