T1580: Cloud Infrastructure Discovery
An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances
API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets
API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket
API to determine a bucket’s existence along with access permissions of the request sender, or the GetPublicAccessBlock
API to retrieve access block configuration for a bucket. Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list
command to list all Google Compute Engine instances in a project , and Azure's CLI command az vm list
lists details of virtual machines. In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through Wordlist Scanning.
An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user. The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances
to determine size, owner, permissions, and network ACLs of database resources. Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in Cloud Service Discovery, this technique focuses on the discovery of components of the provided services rather than the services themselves.
Detection
ID | DS0030 | Data source and component | Instance: Instance Enumeration | Description | Monitor cloud logs for API calls and other potentially unusual activity related to cloud instance enumeration. Discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained. |
---|
ID | DS0010 | Data source and component | Cloud Storage: Cloud Storage Enumeration | Description | Monitor cloud logs for API calls and other potentially unusual activity related to cloud data object storage enumeration. Discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained. |
---|
ID | DS0034 | Data source and component | Volume: Volume Enumeration | Description | Monitor cloud logs for API calls and other potentially unusual activity related to block object storage enumeration. Discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained. |
---|
ID | DS0020 | Data source and component | Snapshot: Snapshot Enumeration | Description | Monitor cloud logs for API calls and other potentially unusual activity related to snapshot enumeration. Discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained. |
---|
Mitigation
ID | M1018 | Name | User Account Management | Description | Limit permissions to discover cloud infrastructure in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies. |
---|