T1580: Cloud Infrastructure Discovery

Data from MITRE ATT&CK®:

An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.

Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket API to determine a bucket’s existence along with access permissions of the request sender, or the GetPublicAccessBlock API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through Wordlist Scanning.(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)

An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in Cloud Service Discovery, this technique focuses on the discovery of components of the provided services rather than the services themselves.

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

User Account Management

Manage the creation, modification, use, and permissions associated to user accounts.

Instance Enumeration (Instance)

An extracted list of instances within a cloud environment (ex: instance.list within GCP Audit Logs)

Volume Metadata (Volume)

Contextual data about a cloud volume and activity around it, such as id, type, state, and size

Cloud Storage Metadata (Cloud Storage)

Contextual data about cloud storage infrastructure and activity around it such as name, size, or owner

Snapshot Metadata (Snapshot)

Contextual data about a snapshot, which may include information such as ID, type, and status

Instance Metadata (Instance)

Contextual data about an instance and activity around it such as name, type, or status

Volume Enumeration (Volume)

An extracted list of available volumes within a cloud environment (ex: AWS describe-volumes)

Snapshot Enumeration (Snapshot)

An extracted list of snapshops within a cloud environment (ex: AWS describe-snapshots)

Cloud Storage Enumeration (Cloud Storage)

An extracted list of cloud storage infrastructure (ex: AWS S3 ListBuckets or ListObjects)

AWS - EC2 Security Group Enumeration

iaas:aws

AWS - EC2 Enumeration from Cloud Instance

linux macos iaas:aws

Potential Bucket Enumeration on AWS

aws