MITRE ATT&CK / T1580
T1580
Cloud Infrastructure Discovery
Description
An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a <code>DescribeInstances</code> API within the Amazon EC2 API that can return information about one or more instances within an account, the <code>ListBuckets</code> API that returns a list of all buckets owned by the authenticated sender of the request, the <code>HeadBucket</code> API to determine a bucket’s existence along with access permissions of the request sender, or the <code>GetPublicAccessBlock</code> API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the <code>gcloud compute instances list</code> command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command <code>az vm list</code> lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through…
Platforms
Mitigations
- M1018 — User Account Management
Use our free MITRE ATT&CK lookup tool, or browse the full ATT&CK matrix.
Our coverage
- PCPJack Cloud Worm Evicts TeamPCP and Steals 40+ Credential Types at Scale
- UAT-8302 China APT Malware Analysis: Shared Implants, IOCs, and Detection Rules
Source: MITRE ATT&CK Enterprise matrix. View on attack.mitre.org →