EXPLORE
Sign In
← Back to Explore
T1580

Cloud Infrastructure Discovery

An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services. Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a <code>DescribeInstances</code> API...

IaaS
24
Detections
3
Sources
2
Threat Actors

BY SOURCE

18elastic5splunk_escu1sigma

PROCEDURES (15)

Brute Force3 detections

Auto-extracted: 3 detections for brute force

Azure3 detections

Auto-extracted: 3 detections for azure

Aws2 detections

Auto-extracted: 2 detections for aws

Api2 detections

Auto-extracted: 2 detections for api

Privilege2 detections

Auto-extracted: 2 detections for privilege

C22 detections

Auto-extracted: 2 detections for c2

Evasion2 detections

Auto-extracted: 2 detections for evasion

Api1 detections

Auto-extracted: 1 detections for api

Unusual1 detections

Auto-extracted: 1 detections for unusual

Api1 detections

Auto-extracted: 1 detections for api

Cloud Monitoring1 detections

Auto-extracted: 1 detections for cloud monitoring

C21 detections

Auto-extracted: 1 detections for c2

Evasion1 detections

Auto-extracted: 1 detections for evasion

Lateral1 detections

Auto-extracted: 1 detections for lateral

Lateral1 detections

Auto-extracted: 1 detections for lateral

THREAT ACTORS (2)

Scattered SpiderStorm-0501

DETECTIONS (24)

ASL AWS IAM AccessDenied Discovery Events
splunk_escu
ASL AWS IAM Assume Role Policy Brute Force
splunk_escu
AWS Account Discovery By Rare User
elasticlow
AWS Bedrock High Number List Foundation Model Failures
splunk_escu
AWS Discovery API Calls via CLI from a Single Resource
elasticlow
AWS EC2 Deprecated AMI Discovery
elasticlow
AWS EC2 User Data Retrieval for EC2 Instance
elasticmedium
AWS IAM AccessDenied Discovery Events
splunk_escu
AWS IAM Assume Role Policy Brute Force
splunk_escu
AWS S3 Bucket Enumeration or Brute Force
elasticlow
AWS S3 Rapid Bucket Posture API Calls from a Single Principal
elasticlow
AWS Service Quotas Multi-Region GetServiceQuota Requests
elasticlow
AWS SSM Inventory Reconnaissance by Rare User
elasticmedium
Entra ID Sign-in BloodHound Suite User-Agent Detected
elasticmedium
Entra ID Sign-in TeamFiltration User-Agent Detected
elasticmedium
Potential Bucket Enumeration on AWS
sigmalow
Rare AWS Error Code
elasticlow
Rare Azure Activity Logs Event Failures
elasticlow
Rare GCP Audit Failure Event Code
elasticlow
Spike in AWS Error Messages
elasticlow
Spike in Azure Activity Logs Failed Messages
elasticlow
Spike in GCP Audit Failed Messages
elasticlow
Unusual Instance Metadata Service (IMDS) API Request
elasticmedium
Unusual Windows Process Calling the Metadata Service
elasticlow