Instance Enumeration

The process of retrieving or querying a list of virtual machine instances or compute instances within a cloud infrastructure. This activity provides a view of all available or running instances, typically including their associated metadata such as instance ID, name, state, and configuration details. Examples:

AWS: instance enumeration involves the DescribeInstances API call, which retrieves information about running or stopped EC2 instances.
Azure: VM enumeration can be monitored via the Microsoft.Compute/virtualMachines/read operation.
GCP: instance enumeration is logged as an instance.list operation within GCP Audit Logs.

Data Collection Measures:

AWS CloudTrail: CloudTrail logs stored in S3 or forwarded to CloudWatch.
Azure Activity Logs: Accessible via Azure Monitor or exported to a storage account.
GCP Audit Logs: Logs Explorer or BigQuery.

ID: DC0075

Domains: Enterprise

Version: 2.0

Created: 20 October 2021

Last Modified: 21 October 2025

Log Sources

Name	Channel
AWS:CloudTrail	DescribeDBInstances
AWS:CloudTrail	DescribeInstances, GetConsoleOutput, DescribeImages
azure:activity	MICROSOFT.COMPUTE/VIRTUALMACHINES/LIST
azure:activity	Microsoft.Compute/virtualMachines/read
gcp:audit	compute.instances.list OR storage.buckets.list

Detection Strategy

ID	Name	Technique Detected
DET0169	Detection Strategy for Cloud Infrastructure Discovery	T1580
DET0525	System Discovery via Native and Remote Utilities	T1082