EXPLORE
Sign In
← Back to Explore
T1526

Cloud Service Discovery

An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Entra ID, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logg...

IaaSIdentity ProviderOffice SuiteSaaS
23
Detections
4
Sources
1
Threat Actors

BY SOURCE

11elastic8splunk_escu3sigma1crowdstrike_cql

PROCEDURES (17)

Kubernetes2 detections

Auto-extracted: 2 detections for kubernetes

Exfiltrat2 detections

Auto-extracted: 2 detections for exfiltrat

Evasion2 detections

Auto-extracted: 2 detections for evasion

Credential2 detections

Auto-extracted: 2 detections for credential

Privilege2 detections

Auto-extracted: 2 detections for privilege

Kubernetes2 detections

Auto-extracted: 2 detections for kubernetes

Service1 detections

Auto-extracted: 1 detections for service

Service1 detections

Auto-extracted: 1 detections for service

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

Evasion1 detections

Auto-extracted: 1 detections for evasion

General Monitoring1 detections

Auto-extracted: 1 detections for general monitoring

Privilege1 detections

Auto-extracted: 1 detections for privilege

Credential1 detections

Auto-extracted: 1 detections for credential

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Azure1 detections

Auto-extracted: 1 detections for azure

Api1 detections

Auto-extracted: 1 detections for api

Azure1 detections

Auto-extracted: 1 detections for azure

THREAT ACTORS (1)

Storm-0501

DETECTIONS (23)

Amazon EKS Kubernetes cluster scan detection
splunk_escu
Amazon EKS Kubernetes Pod scan detection
splunk_escu
AWS Discovery API Calls via CLI from a Single Resource
elasticlow
AWS Excessive Security Scanning
splunk_escu
AWS S3 Rapid Bucket Posture API Calls from a Single Principal
elasticlow
AWS Service Quotas Multi-Region GetServiceQuota Requests
elasticlow
Azure AD AzureHound UserAgent Detected
splunk_escu
Azure AD Service Principal Enumeration
splunk_escu
Discovery Using AzureHound
sigmahigh
Entra ID Sign-in BloodHound Suite User-Agent Detected
elasticmedium
Entra ID Sign-in TeamFiltration User-Agent Detected
elasticmedium
GCP Kubernetes cluster pod scan detection
splunk_escu
Github Self Hosted Runner Changes Detected
sigmalow
Identify Shadow SaaS
crowdstrike_cql
Kubernetes Scanner Image Pulling
splunk_escu
Kubernetes Suspicious Image Pulling
splunk_escu
PUA - Seatbelt Execution
sigmahigh
Rare AWS Error Code
elasticlow
Rare Azure Activity Logs Event Failures
elasticlow
Rare GCP Audit Failure Event Code
elasticlow
Spike in AWS Error Messages
elasticlow
Spike in Azure Activity Logs Failed Messages
elasticlow
Spike in GCP Audit Failed Messages
elasticlow