An adversary may attempt to discover resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a <code>DescribeInstances</code> API within the Amazon EC2 API that can return information about one or more instances within an account, as well as the <code>ListBuckets</code> API that returns a list of all buckets owned by the authenticated sender of the request.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API) Similarly, GCP's Cloud SDK CLI provides the <code>gcloud compute instances list</code> command to list all Google Compute Engine instances in a project(Citation: Google Compute Instances), and Azure's CLI command <code>az vm list</code> lists details of virtual machines.(Citation: Microsoft AZ CLI)
An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020) Unlike in Cloud Service Discovery, this technique focuses on the discovery of components of the provided services rather than the services themselves.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1580 | Cloud Infrastructure Discovery | |
| AC-3 | Access Enforcement | Protects | T1580 | Cloud Infrastructure Discovery | |
| AC-5 | Separation of Duties | Protects | T1580 | Cloud Infrastructure Discovery | |
| AC-6 | Least Privilege | Protects | T1580 | Cloud Infrastructure Discovery | |
| IA-2 | Identification and Authentication (organizational Users) | Protects | T1580 | Cloud Infrastructure Discovery | |
| action.hacking.variety.Footprinting | Footprinting and fingerprinting | related-to | T1580 | Cloud Infrastructure Discovery | |
| amazon_guardduty | Amazon GuardDuty | technique_scores | T1580 | Cloud Infrastructure Discovery |
Comments
The following GuardDuty finding types flag events that are linked to Discovery techniques and can be used to capture events where a malicious user may be searching through the account looking for available resources. The finding types are also used to flag certain signatures of running services to detect malicious user activities from commonly used pentest operating systems.
Discovery:IAMUser/AnomalousBehavior Discovery:S3/MaliciousIPCaller Discovery:S3/MaliciousIPCaller.Custom Discovery:S3/TorIPCaller PenTest:IAMUser/KaliLinux PenTest:IAMUser/ParrotLinux PenTest:IAMUser/PentooLinux PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux
References
|
| aws_organizations | AWS Organizations | technique_scores | T1580 | Cloud Infrastructure Discovery |
Comments
This control may protect against cloud infrastructure discovery by segmenting accounts into separate organizational units and restricting infrastructure access by least privilege.
References
|
| aws_security_hub | AWS Security Hub | technique_scores | T1580 | Cloud Infrastructure Discovery |
Comments
AWS Security Hub detects improperly secured data from S3 buckets such as public read and write access as well as accessible EC2 instances that may result in an adversary learning about cloud infrastructure used by the organization. AWS Security Hub provides these detections with the following managed insights.
S3 buckets with public write or read permissions EC2 instances that have ports accessible from the Internet EC2 instances that are open to the Internet
AWS Security Hub also performs checks from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting improperly secured S3 buckets which could result in them being discovered. AWS Security Hub provides this detection with the following check.
3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes
This is scored as Partial because S3 and EC2 only represent a subset of available cloud infrastructure components.
References
|