Description
Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to File and Directory Discovery on a local host, after identifying available storage services (i.e. Cloud Infrastructure Discovery) adversaries may access the contents/objects stored in cloud infrastructure.
Cloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS (Citation: ListObjectsV2) and List Blobs in Azure (Citation: List Blobs).
Platforms
Mitigations (1)
User Account Management (M1018)
Restrict granting of permissions related to listing objects in cloud storage to necessary accounts.
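An added example (not part of the ATT&CK entry) of checking this mitigation on AWS: it inventories policy statements that allow `s3:ListBucket`, the IAM action that authorizes ListObjectsV2, and notes which are open to any principal, cover all buckets, or carry no condition. The function names and the sample policy are constructed for illustration; Azure and other providers are not covered.

```python
import fnmatch

LIST_ACTION = "s3:ListBucket"  # IAM action that authorizes ListObjectsV2

def _as_list(value):
    """IAM fields may be a single value or a list of values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _covers_listing(patterns):
    """True if any action pattern (IAM allows * and ? wildcards) matches."""
    return any(fnmatch.fnmatchcase(LIST_ACTION.lower(), p.lower()) for p in _as_list(patterns))

def _is_public(principal):
    """True for Principal "*" or {"AWS": "*"}, meaning any caller."""
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))

def audit_listing_grants(policy):
    """Inventory Allow statements that grant object listing, with risk notes."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        # NotAction allows everything except the listed patterns.
        if "NotAction" in stmt:
            grants = not _covers_listing(stmt["NotAction"])
        else:
            grants = _covers_listing(stmt.get("Action"))
        if not grants:
            continue
        issues = []
        if _is_public(stmt.get("Principal")):
            issues.append("any principal")
        if "*" in _as_list(stmt.get("Resource")):
            issues.append("all buckets")
        if not stmt.get("Condition"):
            issues.append("no condition")
        findings.append({"sid": stmt.get("Sid", f"statement[{i}]"), "issues": issues})
    return findings

# Constructed statements (identity and bucket policies merged for brevity).
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadObjects", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "BroadList", "Effect": "Allow", "Action": ["s3:List*"], "Resource": "*"},
    {"Sid": "PublicList", "Effect": "Allow", "Principal": "*", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
    {"Sid": "ScopedList", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket", "Condition": {"StringLike": {"s3:prefix": ["reports/*"]}}},
]}
```

A statement returned with an empty `issues` list still grants listing; it belongs in the review of which accounts actually need that permission.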
Associated Software (3)
| ID | Name | Type | Context |
|---|---|---|---|
| S9009 | TruffleHog | Tool | [TruffleHog](https://attack.mitre.org/software/S9009) can enumerate cloud storage environments including Amazon Web Service (AWS) S3 buckets and Googl... |
| S1091 | Pacu | Tool | [Pacu](https://attack.mitre.org/software/S1091) can enumerate AWS storage services, such as S3 buckets and Elastic Block Store volumes.(Citation: GitH... |
| S0683 | Peirates | Tool | [Peirates](https://attack.mitre.org/software/S0683) can list AWS S3 buckets.(Citation: Peirates GitHub) |
References
- Amazon - ListObjectsV2. Retrieved October 4, 2021.
- Microsoft - List Blobs. (n.d.). Retrieved October 4, 2021.
Frequently Asked Questions
What is T1619 (Cloud Storage Object Discovery)?
T1619 is a MITRE ATT&CK technique named 'Cloud Storage Object Discovery'. It belongs to the Discovery tactic(s). Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific ob...
How can T1619 be detected?
Detection of T1619 (Cloud Storage Object Discovery) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1619?
There is 1 documented mitigation for T1619: User Account Management.
Which threat groups use T1619?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.