The sub-techniques beta is now live! Read the release blog post for more info.

Cloud Service Discovery

An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ depending on if it's platform-as-a-service (PaaS), infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many different services exist throughout the various cloud providers and can include continuous integration and continuous delivery (CI/CD), Lambda Functions, Azure AD, etc. Adversaries may attempt to discover information about the services enabled throughout the environment.

Pacu, an open source AWS exploitation framework, supports several methods for discovering cloud services.[1]

ID: T1526
Tactic: Discovery
Platform: AWS, GCP, Azure, Azure AD, Office 365, SaaS
Permissions Required: User
Data Sources: Azure activity logs, Stackdriver logs, AWS CloudTrail logs
Contributors: Praetorian
Version: 1.0
Created: 30 August 2019
Last Modified: 17 October 2019


This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.


Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.

Normal, benign system and network events that look like cloud service discovery may be uncommon, depending on the environment and how they are used. Monitor cloud service usage for anomalous behavior that may indicate adversarial presence within the environment.