1. Home
  2. Data Components
  3. Cloud Service Enumeration

Cloud Service Enumeration

Cloud service enumeration involves listing or querying available cloud services in a cloud control plane. This activity is often performed to identify resources such as virtual machines, storage buckets, compute clusters, or other services within a cloud environment. Examples include API calls like AWS ECS ListServices, Azure ListAllResources, or Google Cloud ListInstances. Examples:

AWS Cloud Service Enumeration: The adversary gathers details about existing ECS services to identify opportunities for privilege escalation or exfiltration.
- Azure Resource Enumeration: The adversary collects information about virtual machines, resource groups, and other Azure assets for reconnaissance purposes.
- Google Cloud Resource Enumeration: The attacker seeks to map the environment and find misconfigured or underutilized resources for exploitation.
- Office 365 Service Enumeration: The attacker may look for data repositories or collaboration tools to exfiltrate sensitive information.

ID: DC0083
Domains: Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 12 November 2025

Log Sources

Name Channel
AWS:CloudTrail GetSecretValue
AWS:CloudTrail ssm:ListInventoryEntries
AWS:CloudTrail DescribeInstances, DescribeServices, ListFunctions: High frequency enumeration calls or unusual user agents performing discovery
AWS:CloudTrail GetInstanceIdentityDocument or IMDSv2 token requests
AWS:CloudTrail DescribeUsers / ListUsers / GetUser
azure:ad SecretGet
azure:audit ListApplications, ListServicePrincipals: Large-scale queries against identity or application objects
azure:signinlogs Graph API Query
gcp:secrets accessSecretVersion
m365:unified Get-MsolServicePrincipal, ListAppRoles: Service discovery operations executed by accounts not normally performing administrative tasks
saas:adminapi ListIntegrations, ListServices: Repeated service discovery requests from accounts without administrative responsibilities

Detection Strategy

ID Name Technique Detected
DET0430 Detect Credentials Access from Password Stores T1555
DET0130 Detect Unauthorized Access to Cloud Secrets Management Stores T1555.006
DET0402 Detection Strategy for Cloud Service Discovery T1526
DET0515 Detection Strategy for T1528 - Steal Application Access Token T1528
DET0587 Enumeration of User or Account Information Across Platforms T1087
DET0392 Multi-Platform Software Discovery Behavior Chain T1518