T1580 Cloud Infrastructure Discovery Mappings

An adversary may attempt to discover resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.

Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a <code>DescribeInstances</code> API within the Amazon EC2 API that can return information about one or more instances within an account, as well as the <code>ListBuckets</code> API that returns a list of all buckets owned by the authenticated sender of the request.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API) Similarly, GCP's Cloud SDK CLI provides the <code>gcloud compute instances list</code> command to list all Google Compute Engine instances in a project(Citation: Google Compute Instances), and Azure's CLI command <code>az vm list</code> lists details of virtual machines.(Citation: Microsoft AZ CLI)

An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020) Unlike in Cloud Service Discovery, this technique focuses on the discovery of components of the provided services rather than the services themselves.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-2 Account Management Protects T1580 Cloud Infrastructure Discovery
AC-3 Access Enforcement Protects T1580 Cloud Infrastructure Discovery
AC-5 Separation of Duties Protects T1580 Cloud Infrastructure Discovery
AC-6 Least Privilege Protects T1580 Cloud Infrastructure Discovery
IA-2 Identification and Authentication (organizational Users) Protects T1580 Cloud Infrastructure Discovery
azure_defender_for_resource_manager Azure Defender for Resource Manager technique_scores T1580 Cloud Infrastructure Discovery
Comments
This control may alert on Cloud Infrastructure Discovery activity generated by specific toolkits, such as MicroBurst, PowerZure, etc. It may not generate alerts on undocumented discovery techniques or exploitation toolkits. The following alerts may be generated: "PowerZure exploitation toolkit used to enumerate storage containers, shares, and tables", "PowerZure exploitation toolkit used to enumerate resources", "MicroBurst exploitation toolkit used to enumerate resources in your subscriptions", "Azurite toolkit run detected".
References
azure_sentinel Azure Sentinel technique_scores T1580 Cloud Infrastructure Discovery
Comments
The Azure Sentinel Hunting "Azure storage key enumeration" query can identify potential attempts by an attacker to discover cloud infrastructure resources.
References
azure_defender_for_key_vault Azure Defender for Key Vault technique_scores T1580 Cloud Infrastructure Discovery
Comments
This control may alert on suspicious access of key vaults, including suspicious listing of key vault contents. This control does not alert on discovery of other cloud services, such as VMs, snapshots, cloud storage and therefore has minimal coverage. Suspicious activity based on patterns of access from certain users and applications allows for managing false positive rates.
References
role_based_access_control Role Based Access Control technique_scores T1580 Cloud Infrastructure Discovery
Comments
This control can be used to limit the number of users that have privileges to discover cloud infrastructure thereby reducing an organization's cloud infrastructure attack surface.
References
azure_policy Azure Policy technique_scores T1580 Cloud Infrastructure Discovery
Comments
This control may provide recommendations to enable Azure services that limit access to cloud infrastructure. Several Azure services and controls provide mitigations against cloud infrastructure discovery.
References