T1580 Cloud Infrastructure Discovery Mappings

An adversary may attempt to discover resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.

Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a <code>DescribeInstances</code> API within the Amazon EC2 API that can return information about one or more instances within an account, as well as the <code>ListBuckets</code> API that returns a list of all buckets owned by the authenticated sender of the request.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API) Similarly, GCP's Cloud SDK CLI provides the <code>gcloud compute instances list</code> command to list all Google Compute Engine instances in a project(Citation: Google Compute Instances), and Azure's CLI command <code>az vm list</code> lists details of virtual machines.(Citation: Microsoft AZ CLI)

An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020) Unlike in Cloud Service Discovery, this technique focuses on the discovery of components of the provided services rather than the services themselves.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1580 Cloud Infrastructure Discovery
AC-3 Access Enforcement Protects T1580 Cloud Infrastructure Discovery
AC-5 Separation of Duties Protects T1580 Cloud Infrastructure Discovery
AC-6 Least Privilege Protects T1580 Cloud Infrastructure Discovery
IA-2 Identification and Authentication (organizational Users) Protects T1580 Cloud Infrastructure Discovery
action.hacking.variety.Footprinting Footprinting and fingerprinting related-to T1580 Cloud Infrastructure Discovery
amazon_guardduty Amazon GuardDuty technique_scores T1580 Cloud Infrastructure Discovery
aws_organizations AWS Organizations technique_scores T1580 Cloud Infrastructure Discovery
aws_security_hub AWS Security Hub technique_scores T1580 Cloud Infrastructure Discovery