Cloud Infrastructure Discovery (T1580)

Technique & Subtechniques

  • Cloud Infrastructure Discovery

Associated Tactics

  • Discovery

Discovery (TA0007)

The adversary is trying to figure out your environment. Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.

Procedure Examples

Description Source(s)
A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020. Expel IO Evil in AWS
Amazon Web Services. (n.d.). AWS HeadBucket. Retrieved February 14, 2022. AWS Head Bucket
Amazon Web Services. (n.d.). Retrieved May 28, 2021. AWS Get Public Access Block
Amazon Web Services. (n.d.). Retrieved May 28, 2021. AWS Describe DB Instances
Amazon. (n.d.). describe-instance-information. Retrieved March 3, 2020. Amazon Describe Instance
Amazon. (n.d.). DescribeInstances. Retrieved May 26, 2020. Amazon Describe Instances API
Google. (n.d.). gcloud compute instances list. Retrieved May 26, 2020. Google Compute Instances
Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020. Mandiant M-Trends 2020
Microsoft. (n.d.). az ad user. Retrieved October 6, 2019. Microsoft AZ CLI
Vasilios Hioureas. (2019, September 13). Hacking with AWS: incorporating leaky buckets into your OSINT workflow. Retrieved February 14, 2022. Malwarebytes OSINT Leaky Buckets - Hioureas