Cloud Service Enumeration

Cloud service enumeration involves listing or querying the services available in a cloud control plane. This activity is often performed to identify resources such as virtual machines, storage buckets, compute clusters, or other services within a cloud environment, typically through API calls such as AWS ECS ListServices, Azure ListAllResources, or Google Cloud ListInstances. Examples of this activity:

- AWS Cloud Service Enumeration: The adversary gathers details about existing ECS services to identify opportunities for privilege escalation or exfiltration.
- Azure Resource Enumeration: The adversary collects information about virtual machines, resource groups, and other Azure assets for reconnaissance purposes.
- Google Cloud Resource Enumeration: The attacker seeks to map the environment and find misconfigured or underutilized resources for exploitation.
- Office 365 Service Enumeration: The attacker may look for data repositories or collaboration tools to exfiltrate sensitive information.

This data component can be collected through the following measures:

Enable Cloud Activity Logging

  • Ensure cloud service logs are enabled for API calls and resource usage.
  • Example: Enable AWS CloudTrail, Azure Monitor, or Google Cloud Logging to track resource queries.

Centralize Logs in a SIEM

  • Aggregate logs from cloud control planes into a centralized SIEM (e.g., Splunk, Azure Sentinel).
  • Example: Collect AWS CloudTrail logs and set up alerts for API calls related to service enumeration.

Use Native Cloud Security Tools

  • Leverage cloud-native security solutions like AWS GuardDuty, Azure Defender, or Google Security Command Center.
  • Example: Use GuardDuty to detect anomalous API activity, such as ListServices being executed by an unknown user.

Implement Network Flow Logging

  • Monitor and analyze VPC flow logs to identify lateral movement or enumeration activity.
  • Example: Inspect flow logs for unexpected traffic between compute instances and the cloud control plane.

API Access Monitoring

  • Monitor API keys and tokens used for enumeration to identify misuse or compromise.
  • Example: Use AWS Secrets Manager or Azure Key Vault to manage and rotate keys securely.

ID: DC0083
Domains: Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 21 October 2025

Log Sources

Name                Channel
AWS:CloudTrail      GetSecretValue
AWS:CloudTrail      ssm:ListInventoryEntries
AWS:CloudTrail      DescribeInstances, DescribeServices, ListFunctions: high-frequency enumeration calls or unusual user agents performing discovery
AWS:CloudTrail      GetInstanceIdentityDocument or IMDSv2 token requests
AWS:CloudTrail      DescribeUsers / ListUsers / GetUser
azure:ad            SecretGet
azure:audit         ListApplications, ListServicePrincipals: large-scale queries against identity or application objects
azure:signinlogs    Graph API Query
gcp:secrets         accessSecretVersion
m365:unified        Get-MsolServicePrincipal, ListAppRoles: service discovery operations executed by accounts not normally performing administrative tasks
saas:adminapi       ListIntegrations, ListServices: repeated service discovery requests from accounts without administrative responsibilities
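The SIEM alerting step above ("set up alerts for API calls related to service enumeration") and the CloudTrail row flagging high-frequency Describe*/List* calls or unusual user agents can be turned into a small detection, shown here as an added example that is not part of the ATT&CK page. It assumes CloudTrail-shaped records with only the fields used (eventTime, eventName, userAgent, userIdentity.arn); the user-agent allowlist, the window/threshold values, and the sample ARNs are constructed placeholders to be tuned per environment.

```python
"""Flag cloud service enumeration in CloudTrail-style records (added example, not ATT&CK code)."""
from collections import defaultdict, deque
from datetime import datetime

# Discovery-style API name prefixes, matching the DescribeInstances/ListFunctions/ListUsers rows above.
DISCOVERY_PREFIXES = ("Describe", "List")
# User agents treated as expected. Assumption: this allowlist is tuned per environment.
EXPECTED_AGENTS = ("aws-cli/", "aws-sdk-go/", "console.amazonaws.com")


def is_discovery_call(event_name: str) -> bool:
    return event_name.startswith(DISCOVERY_PREFIXES)


def detect_enumeration(records, window_seconds=60, threshold=5):
    """Return (kind, principal, detail) findings for discovery bursts and odd user agents.
    A burst is `threshold` or more Describe*/List* calls by one principal inside a sliding
    window of `window_seconds`; each principal is reported at most once per kind."""
    findings, windows = [], defaultdict(deque)
    seen_agents, flagged = set(), set()
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        if not is_discovery_call(rec["eventName"]):
            continue
        principal = rec["userIdentity"]["arn"]
        agent = rec.get("userAgent", "")
        ts = datetime.fromisoformat(rec["eventTime"].replace("Z", "+00:00"))
        if not agent.startswith(EXPECTED_AGENTS) and (principal, agent) not in seen_agents:
            seen_agents.add((principal, agent))
            findings.append(("unusual_user_agent", principal, agent))
        window = windows[principal]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # drop calls that fell out of the sliding window
        if len(window) >= threshold and principal not in flagged:
            flagged.add(principal)
            findings.append(("discovery_burst", principal, len(window)))
    return findings


def _event(time, name, arn, agent):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventName": name, "userAgent": agent,
            "userIdentity": {"arn": arn}}


ADMIN = "arn:aws:iam::111111111111:user/alice"  # placeholder ARN
TASK = "arn:aws:sts::111111111111:assumed-role/web-task/i-0abc"  # placeholder ARN
SAMPLE_EVENTS = [_event("2025-01-01T10:00:00Z", "DescribeInstances", ADMIN, "aws-cli/2.15.0")] + [
    _event(f"2025-01-01T10:01:{5 * i:02d}Z", name, TASK, "python-requests/2.31")
    for i, name in enumerate(["DescribeInstances", "DescribeServices", "ListFunctions",
                              "ListUsers", "DescribeInstances", "ListFunctions"])]
```

Running `detect_enumeration(SAMPLE_EVENTS)` reports the workload role once for its unexpected user agent and once for a burst of five discovery calls within a minute, while the single administrator call produces nothing.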

Detection Strategy