Description
An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Entra ID, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Microsoft Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)
For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)
Adversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through Disable or Modify Tools or Disable or Modify Cloud Log.
Platforms
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G1053 | Storm-0501 | [Storm-0501](https://attack.mitre.org/groups/G1053) has discovered the victim environment’s protections to include Azure policies, resource locks, and... |
Associated Software (4)
| ID | Name | Type | Context |
|---|---|---|---|
| S0677 | AADInternals | Tool | [AADInternals](https://attack.mitre.org/software/S0677) can enumerate information about a variety of cloud services, such as Office 365 and Sharepoint... |
| S0684 | ROADTools | Tool | [ROADTools](https://attack.mitre.org/software/S0684) can enumerate Azure AD applications and service principals.(Citation: Roadtools) |
| S9009 | TruffleHog | Tool | [TruffleHog](https://attack.mitre.org/software/S9009) has the ability to scan code repositories and CI/CD platforms.(Citation: Black Hills Information... |
| S1091 | Pacu | Tool | [Pacu](https://attack.mitre.org/software/S1091) can enumerate AWS services, such as CloudTrail and CloudWatch.(Citation: GitHub Pacu) |
References
- Microsoft. (2016, March 26). Operations overview | Graph API concepts. Retrieved June 18, 2020.
- Microsoft. (2019, May 20). Azure Resource Manager. Retrieved June 17, 2020.
- Microsoft. (2020). Azure Stormspotter GitHub. Retrieved June 17, 2020.
- Rhino Security Labs. (2019, August 22). Pacu. Retrieved October 17, 2019.
Frequently Asked Questions
What is T1526 (Cloud Service Discovery)?
T1526 is a MITRE ATT&CK technique named 'Cloud Service Discovery'. It belongs to the Discovery tactic(s). An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or...
How can T1526 be detected?
Detection of T1526 (Cloud Service Discovery) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1526?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1526?
Known threat groups using T1526 include: Storm-0501.