T1619: Cloud Storage Object Discovery

View on MITRE ATT&CK	T1619
Tactic(s)	Discovery

Data from MITRE ATT&CK®:

Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to File and Directory Discovery on a local host, after identifying available storage services (i.e. Cloud Infrastructure Discovery) adversaries may access the contents/objects stored in cloud infrastructure.

Cloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS (Citation: ListObjectsV2) and List Blobs in Azure(Citation: List Blobs) .

Cyber Threat Graph Context

Explore how this ATT&CK Technique relates to the wider threat graph

Mitigations for this technique

MITRE ATT&CK Mitigations

User Account Management

Manage the creation, modification, use, and permissions associated to user accounts.

How to detect this technique

MITRE ATT&CK Data Components

Cloud Storage Access (Cloud Storage)

Opening of a cloud storage infrastructure, typically to collect/read its value (ex: AWS S3 GetObject)

Cloud Storage Enumeration (Cloud Storage)

An extracted list of cloud storage infrastructure (ex: AWS S3 ListBuckets or ListObjects)

Control Validation Tests for this Technique

Use Atomic Red Team tests to test your defenses against this technique.

AWS S3 Enumeration

iaas:aws

SP800-53 Controls

See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.

Node
AC-3: Access Enforcement
AC-6: Least Privilege
CM-5: Access Restrictions for Change
AC-5: Separation of Duties
AC-17: Remote Access
AC-2: Account Management
IA-2: Identification and Authentication (organizational Users)