Detect Cloud Infrastructure Discovery in Google Chronicle
This detection identifies adversaries enumerating cloud infrastructure resources across AWS, Azure, and GCP environments. Attackers leverage cloud provider APIs and CLI tools to discover compute instances, storage buckets, databases, snapshots, and network configurations using compromised credentials. The detection monitors for high-volume or broad-scope API calls characteristic of automated enumeration tools like Pacu, bulk read operations across multiple resource types in short time windows, and enumeration patterns associated with threat actors like Scattered Spider and Storm-0501 who use cloud discovery to identify high-value targets before establishing persistence or staging data exfiltration.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1580 Cloud Infrastructure Discovery
- Canonical reference
- https://attack.mitre.org/techniques/T1580/
YARA-L Detection Query
rule T1580_cloud_infra_modification {
meta:
author = "Detection Engineering"
description = "Detects suspicious cloud infrastructure modifications"
severity = "high"
confidence = "medium"
mitre_attack = "T1580"
reference = "https://attack.mitre.org/techniques/T1580/"
events:
$e.metadata.event_type = "USER_RESOURCE_ACCESS"
re.regex($e.metadata.product_event_type, `(?i)(snapshot|virtualMachine|instance|compute|create|delete|modify)`)
not re.regex($e.principal.user.email_addresses, `(?i)(backup|automation|serviceaccount)`)
condition:
$e
}Google Chronicle YARA-L 2.0 detection for Cloud Infrastructure Discovery. Detects high-volume or broad-scope cloud infrastructure enumeration across AWS and Azure by correlating API call volumes and API diversity from a single identity within a 15-minute window. Fires when
Data Sources
Required Tables
False Positives & Tuning
- Cloud management platforms performing authorized scheduled resource inventories
- Infrastructure-as-code tools enumerating cloud state for reconciliation
- Security compliance scanners performing authorized cloud posture assessments
- Automated cost optimization tools enumerating cloud resources
Other platforms for T1580
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AWS Infrastructure Enumeration via CLI
Expected signal: CloudTrail management events for: GetCallerIdentity, DescribeInstances (multiple regions), ListBuckets, GetPublicAccessBlock, GetBucketAcl, DescribeDBInstances, DescribeKeyPairs, DescribeSecurityGroups — all appearing within a short time window from the same identity and source IP
- Test 2Azure Infrastructure Enumeration via Azure CLI
Expected signal: Azure Activity Log entries for operations: Microsoft.Compute/virtualMachines/read, Microsoft.Storage/storageAccounts/read, Microsoft.Sql/servers/read, Microsoft.Network/virtualNetworks/read, Microsoft.KeyVault/vaults/read, Microsoft.ContainerService/managedClusters/read, Microsoft.Resources/subscriptions/resourcegroups/read — all from same caller within a short window
- Test 3Automated Cloud Enumeration with Pacu (AWS Exploitation Framework)
Expected signal: CloudTrail management events with UserAgent containing 'pacu' or 'Boto3' (Pacu uses Boto3 SDK). Expect 50+ API calls across ec2:DescribeInstances, ec2:DescribeVolumes, ec2:DescribeSnapshots, s3:ListBuckets, iam:ListUsers, iam:ListRoles, iam:ListPolicies, rds:DescribeDBInstances, lambda:ListFunctions within minutes from a single identity
References (10)
- https://attack.mitre.org/techniques/T1580/
- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
- https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html
- https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html
- https://github.com/RhinoSecurityLabs/pacu
- https://www.mandiant.com/resources/m-trends-2020
- https://expel.com/blog/finding-evil-in-aws/
- https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/
- https://cloud.google.com/sdk/gcloud/reference/compute/instances/list
- https://learn.microsoft.com/en-us/cli/azure/vm?view=azure-cli-latest#az-vm-list
Unlock Pro Content
Get the full detection package for T1580 including response playbook, investigation guide, and atomic red team tests.