Detect Cloud Infrastructure Discovery in CrowdStrike LogScale
This detection identifies adversaries enumerating cloud infrastructure resources across AWS, Azure, and GCP environments. Attackers leverage cloud provider APIs and CLI tools to discover compute instances, storage buckets, databases, snapshots, and network configurations using compromised credentials. The detection monitors for high-volume or broad-scope API calls characteristic of automated enumeration tools like Pacu, bulk read operations across multiple resource types in short time windows, and enumeration patterns associated with threat actors like Scattered Spider and Storm-0501 who use cloud discovery to identify high-value targets before establishing persistence or staging data exfiltration.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1580 Cloud Infrastructure Discovery
- Canonical reference
- https://attack.mitre.org/techniques/T1580/
LogScale Detection Query
#event_simpleName = "CloudResourceModification"
| OperationName = /(?i)(snapshot|virtualMachine|instance|compute|create|delete|modify|revert)/
| ActorUserName != /(?i)(backup|automation|serviceaccount|scheduler)/
| groupBy([aid, ActorUserName, OperationName, ResourceType, ResourceName], function=[count(as=OpCount), min(timestamp, as=FirstSeen)])
| case {
OperationName = /(?i)(delete|destroy|terminate)/ => RiskScore := "High";
OperationName = /(?i)(snapshot|create)/ => RiskScore := "Medium";
* => RiskScore := "Low";
}
| where RiskScore in ("High", "Medium")
| table([ActorUserName, OperationName, ResourceType, ResourceName, OpCount, RiskScore, FirstSeen])
| sort(RiskScore)CrowdStrike LogScale (Falcon) CQL detection for Cloud Infrastructure Discovery. Detects high-volume or broad-scope cloud infrastructure enumeration across AWS and Azure by correlating API call volumes and API diversity from a single identity within a 15-minute window. Fires when
Data Sources
Required Tables
False Positives & Tuning
- Cloud management platforms performing authorized resource discovery and inventories
- Terraform or CloudFormation state reconciliation queries against cloud APIs
- Authorized security posture management tools scanning cloud configurations
- Automated billing, tagging, or compliance tools enumerating cloud resources
Other platforms for T1580
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AWS Infrastructure Enumeration via CLI
Expected signal: CloudTrail management events for: GetCallerIdentity, DescribeInstances (multiple regions), ListBuckets, GetPublicAccessBlock, GetBucketAcl, DescribeDBInstances, DescribeKeyPairs, DescribeSecurityGroups — all appearing within a short time window from the same identity and source IP
- Test 2Azure Infrastructure Enumeration via Azure CLI
Expected signal: Azure Activity Log entries for operations: Microsoft.Compute/virtualMachines/read, Microsoft.Storage/storageAccounts/read, Microsoft.Sql/servers/read, Microsoft.Network/virtualNetworks/read, Microsoft.KeyVault/vaults/read, Microsoft.ContainerService/managedClusters/read, Microsoft.Resources/subscriptions/resourcegroups/read — all from same caller within a short window
- Test 3Automated Cloud Enumeration with Pacu (AWS Exploitation Framework)
Expected signal: CloudTrail management events with UserAgent containing 'pacu' or 'Boto3' (Pacu uses Boto3 SDK). Expect 50+ API calls across ec2:DescribeInstances, ec2:DescribeVolumes, ec2:DescribeSnapshots, s3:ListBuckets, iam:ListUsers, iam:ListRoles, iam:ListPolicies, rds:DescribeDBInstances, lambda:ListFunctions within minutes from a single identity
References (10)
- https://attack.mitre.org/techniques/T1580/
- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
- https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html
- https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html
- https://github.com/RhinoSecurityLabs/pacu
- https://www.mandiant.com/resources/m-trends-2020
- https://expel.com/blog/finding-evil-in-aws/
- https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/
- https://cloud.google.com/sdk/gcloud/reference/compute/instances/list
- https://learn.microsoft.com/en-us/cli/azure/vm?view=azure-cli-latest#az-vm-list
Unlock Pro Content
Get the full detection package for T1580 including response playbook, investigation guide, and atomic red team tests.