An adversary may attempt to discover resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a <code>DescribeInstances</code> API within the Amazon EC2 API that can return information about one or more instances within an account, as well as the <code>ListBuckets</code> API that returns a list of all buckets owned by the authenticated sender of the request.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API) Similarly, GCP's Cloud SDK CLI provides the <code>gcloud compute instances list</code> command to list all Google Compute Engine instances in a project(Citation: Google Compute Instances), and Azure's CLI command <code>az vm list</code> lists details of virtual machines.(Citation: Microsoft AZ CLI)
An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020) Unlike in Cloud Service Discovery, this technique focuses on the discovery of components of the provided services rather than the services themselves.
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
AC-2 | Account Management | Protects | T1580 | Cloud Infrastructure Discovery |
AC-3 | Access Enforcement | Protects | T1580 | Cloud Infrastructure Discovery |
AC-5 | Separation of Duties | Protects | T1580 | Cloud Infrastructure Discovery |
AC-6 | Least Privilege | Protects | T1580 | Cloud Infrastructure Discovery |
IA-2 | Identification and Authentication (organizational Users) | Protects | T1580 | Cloud Infrastructure Discovery |
action.hacking.variety.Footprinting | Footprinting and fingerprinting | related-to | T1580 | Cloud Infrastructure Discovery |
amazon_guardduty | Amazon GuardDuty | technique_scores | T1580 | Cloud Infrastructure Discovery |
aws_organizations | AWS Organizations | technique_scores | T1580 | Cloud Infrastructure Discovery |
aws_security_hub | AWS Security Hub | technique_scores | T1580 | Cloud Infrastructure Discovery |