Cloud Storage Object Discovery

Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to File and Directory Discovery on a local host, after identifying available storage services (i.e. Cloud Infrastructure Discovery) adversaries may access the contents/objects stored in cloud infrastructure.

Cloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS [1] and List Blobs in Azure[2] .

ID: T1619
Sub-techniques:  No sub-techniques
Tactic: Discovery
Platforms: IaaS
Contributors: Isif Ibrahima, Mandiant; Regina Elwell
Version: 1.0
Created: 01 October 2021
Last Modified: 11 April 2022

Procedure Examples

ID Name Description
S1091 Pacu

Pacu can enumerate AWS storage services, such as S3 buckets and Elastic Block Store volumes.[3]

S0683 Peirates

Peirates can list AWS S3 buckets.[4]

Mitigations

ID Mitigation Description
M1018 User Account Management

Restrict granting of permissions related to listing objects in cloud storage to necessary accounts.

Detection

ID Data Source Data Component Detects
DS0010 Cloud Storage Cloud Storage Access

Monitor for unusual queries to the cloud provider's storage service. Activity originating from unexpected sources may indicate improper permissions are set that is allowing access to data. Additionally, detecting failed attempts by a user for a certain object, followed by escalation of privileges by the same user, and access to the same object may be an indication of suspicious activity.

Cloud Storage Enumeration

Monitor cloud logs for API calls used for file or object enumeration for unusual activity. System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.

References