EXPLORE
Sign In
← Back to Explore
T1526

Cloud Service Discovery

An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Entra ID, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logg...

IaaSIdentity ProviderOffice SuiteSaaS
27
Detections
4
Sources
1
Threat Actors

BY SOURCE

14elastic8splunk_escu3sigma2crowdstrike_cql

PROCEDURES (19)

Cloud2 detections

Auto-extracted: 2 detections for cloud

Azure2 detections

Auto-extracted: 2 detections for azure

Evasion2 detections

Auto-extracted: 2 detections for evasion

Evasion2 detections

Auto-extracted: 2 detections for evasion

Aws2 detections

Auto-extracted: 2 detections for aws

Privilege2 detections

Auto-extracted: 2 detections for privilege

Evasion1 detections

Auto-extracted: 1 detections for evasion

Credential1 detections

Auto-extracted: 1 detections for credential

Token1 detections

Auto-extracted: 1 detections for token

General Monitoring1 detections

Auto-extracted: 1 detections for general monitoring

Service1 detections

Auto-extracted: 1 detections for service

Token1 detections

Auto-extracted: 1 detections for token

Evasion1 detections

Auto-extracted: 1 detections for evasion

Lateral1 detections

Auto-extracted: 1 detections for lateral

Azure1 detections

Auto-extracted: 1 detections for azure

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

Privilege1 detections

Auto-extracted: 1 detections for privilege

Aws1 detections

Auto-extracted: 1 detections for aws

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

THREAT ACTORS (1)

Storm-0501

DETECTIONS (27)

Amazon EKS Kubernetes cluster scan detection
splunk_escu
Amazon EKS Kubernetes Pod scan detection
splunk_escu
AWS Discovery API Calls from VPN ASN for the First Time by Identity
elasticmedium
AWS Discovery API Calls via CLI from a Single Resource
elasticlow
AWS Excessive Security Scanning
splunk_escu
AWS Lateral Movement from Kubernetes SA via AssumeRoleWithWebIdentity
elastichigh
AWS S3 Rapid Bucket Posture API Calls from a Single Principal
elasticlow
AWS Service Quotas Multi-Region GetServiceQuota Requests
elasticlow
Azure AD AzureHound UserAgent Detected
splunk_escu
Azure AD Service Principal Enumeration
splunk_escu
Discovery Using AzureHound
sigmahigh
Entra ID Sign-in BloodHound Suite User-Agent Detected
elasticmedium
Entra ID Sign-in TeamFiltration User-Agent Detected
elasticmedium
GCP Kubernetes cluster pod scan detection
splunk_escu
Github Self Hosted Runner Changes Detected
sigmalow
Identify Shadow SaaS
crowdstrike_cql
Identify Shadow SaaS
crowdstrike_cql
Kubernetes Scanner Image Pulling
splunk_escu
Kubernetes Suspicious Image Pulling
splunk_escu
Microsoft Graph Multi-Category Reconnaissance Burst
elasticmedium
PUA - Seatbelt Execution
sigmahigh
Rare AWS Error Code
elasticlow
Rare Azure Activity Logs Event Failures
elasticlow
Rare GCP Audit Failure Event Code
elasticlow
Spike in AWS Error Messages
elasticlow
Spike in Azure Activity Logs Failed Messages
elasticlow
Spike in GCP Audit Failed Messages
elasticlow