EXPLORE
← Back to Explore
T1526

Cloud Service Discovery

An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Entra ID, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logg...

IaaSIdentity ProviderOffice SuiteSaaS
32
Detections
4
Sources
1
Threat Actors

BY SOURCE

19elastic8splunk_escu3sigma2crowdstrike_cql

PROCEDURES (20)

Cloud2 detections

Auto-extracted: 2 detections for cloud

Aws2 detections

Auto-extracted: 2 detections for aws

Evasion2 detections

Auto-extracted: 2 detections for evasion

Oauth1 detections

Auto-extracted: 1 detections for oauth

Token1 detections

Auto-extracted: 1 detections for token

Lateral1 detections

Auto-extracted: 1 detections for lateral

Credential1 detections

Auto-extracted: 1 detections for credential

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

Unusual1 detections

Auto-extracted: 1 detections for unusual

Aws1 detections

Auto-extracted: 1 detections for aws

Token1 detections

Auto-extracted: 1 detections for token

Http1 detections

Auto-extracted: 1 detections for http

Http1 detections

Auto-extracted: 1 detections for http

Azure1 detections

Auto-extracted: 1 detections for azure

Oauth1 detections

Auto-extracted: 1 detections for oauth

General Monitoring1 detections

Auto-extracted: 1 detections for general monitoring

Azure1 detections

Auto-extracted: 1 detections for azure

Service1 detections

Auto-extracted: 1 detections for service

Evasion1 detections

Auto-extracted: 1 detections for evasion

Lateral1 detections

Auto-extracted: 1 detections for lateral

THREAT ACTORS (1)

DETECTIONS (32)

Amazon EKS Kubernetes cluster scan detection
splunk_escu
Amazon EKS Kubernetes Pod scan detection
splunk_escu
AWS Bedrock Foundation Model Enumeration Followed by Invocation via Long-Term Key
elastichigh
AWS Discovery API Calls from VPN ASN for the First Time by Identity
elastichigh
AWS Discovery API Calls via CLI from a Single Resource
elasticlow
AWS Excessive Security Scanning
splunk_escu
AWS Lateral Movement from Kubernetes SA via AssumeRoleWithWebIdentity
elastichigh
AWS S3 Rapid Bucket Posture API Calls from a Single Principal
elasticlow
AWS Service Quotas Multi-Region GetServiceQuota Requests
elasticlow
Azure AD AzureHound UserAgent Detected
splunk_escu
Azure AD Graph Access with Suspicious User-Agent
elastichigh
Azure AD Graph High 4xx Error Ratio from User
elasticmedium
Azure AD Graph Potential Enumeration (ROADrecon)
elastichigh
Azure AD Service Principal Enumeration
splunk_escu
Discovery Using AzureHound
sigmahigh
Entra ID OAuth Device Code Sign-in to Azure AD Graph Enumeration
elastichigh
Entra ID Sign-in BloodHound Suite User-Agent Detected
elastichigh
Entra ID Sign-in TeamFiltration User-Agent Detected
elastichigh
GCP Kubernetes cluster pod scan detection
splunk_escu
Github Self Hosted Runner Changes Detected
sigmalow
Identify Shadow SaaS
crowdstrike_cql
Identify Shadow SaaS
crowdstrike_cql
Kubernetes Scanner Image Pulling
splunk_escu
Kubernetes Suspicious Image Pulling
splunk_escu
Microsoft Graph Multi-Category Reconnaissance Burst
elasticmedium
PUA - Seatbelt Execution
sigmahigh
Rare AWS Error Code
elasticlow
Rare Azure Activity Logs Event Failures
elasticlow
Rare GCP Audit Failure Event Code
elasticlow
Spike in AWS Error Messages
elasticlow
Spike in Azure Activity Logs Failed Messages
elasticlow
Spike in GCP Audit Failed Messages
elasticlow