Discovery

T1538: Cloud Service Dashboard

T1538 · Technique · 4 platforms · 1 group

Description

An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, review findings of potential security risks, and run additional queries, such as finding public IP addresses and open ports. (Citation: Google Command Center Dashboard)

Depending on the configuration of the environment, an adversary may be able to enumerate more information via the graphical dashboard than through an API. This also allows the adversary to gain information without manually making any API requests.

Platforms

IaaS, SaaS, Office Suite, Identity Provider

Mitigations (1)

User Account Management (M1018)

Enforce the principle of least-privilege by limiting dashboard visibility to only the resources required. This may limit the discovery value of the dashboard in the event of a compromised account.
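One way to check this mitigation in an AWS account, as an added example that is not part of the original page or of MITRE ATT&CK: the script below audits an IAM policy document for Allow statements that grant wildcarded read access to every resource, which is what makes a console session useful for discovery. The verb list, the review list containing `ssm:GetInventory`, the function names, and the sample policy are assumptions constructed for illustration.

```python
# Added example: flag IAM Allow statements that expose account-wide read access.
READ_VERBS = ("describe", "list", "get", "search")  # assumed discovery verbs
INVENTORY_ACTIONS = {"ssm:getinventory"}             # assumed review list

def _as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]

def _is_broad_read(action):
    """True for '*', 'svc:*', a wildcarded read verb, or a listed inventory action."""
    action = action.lower()  # IAM action names are case-insensitive
    if action == "*" or action in INVENTORY_ACTIONS:
        return True
    _, _, name = action.partition(":")
    if name == "*":
        return True
    return "*" in name and name.startswith(READ_VERBS)

def audit_policy(policy):
    """Return (sid, action) pairs that grant broad read access on Resource '*'."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue  # scoped to named resources, so dashboard visibility is limited
        sid = stmt.get("Sid", f"statement[{i}]")
        for action in _as_list(stmt["Action"]):
            if _is_broad_read(action):
                findings.append((sid, action))
    return findings

# Constructed sample policy: one account-wide statement, one scoped statement.
HELPDESK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ConsoleInventory", "Effect": "Allow",
         "Action": ["ec2:Describe*", "ssm:GetInventory", "s3:List*"],
         "Resource": "*"},
        {"Sid": "TeamBucket", "Effect": "Allow",
         "Action": "s3:Get*",
         "Resource": "arn:aws:s3:::example-team-bucket/*"},
    ],
}

if __name__ == "__main__":
    for sid, action in audit_policy(HELPDESK_POLICY):
        print(f"{sid}: {action} on Resource '*' widens dashboard visibility")
```

Each finding is a candidate for scoping to named resources or for removal from roles that do not need account-wide inventory views.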

Threat Groups (1)

| ID | Group | Context |
|---|---|---|
| G1015 | Scattered Spider | [Scattered Spider](https://attack.mitre.org/groups/G1015) abused AWS Systems Manager Inventory to identify targets on the compromised network prior to... |

Frequently Asked Questions

What is T1538 (Cloud Service Dashboard)?

T1538 is a MITRE ATT&CK technique named 'Cloud Service Dashboard'. It belongs to the Discovery tactic(s). An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For exa...

How can T1538 be detected?

Detection of T1538 (Cloud Service Dashboard) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1538?

There is 1 documented mitigation for T1538: User Account Management.

Which threat groups use T1538?

Known threat groups using T1538 include: Scattered Spider.