T1580 Splunk · SPL

Detect Cloud Infrastructure Discovery in Splunk

This detection identifies adversaries enumerating cloud infrastructure resources across AWS, Azure, and GCP environments (the SPL query below covers the AWS CloudTrail and Azure Activity sourcetypes). Attackers leverage cloud provider APIs and CLI tools to discover compute instances, storage buckets, databases, snapshots, and network configurations using compromised credentials. The detection monitors for high-volume or broad-scope API calls characteristic of automated enumeration tools like Pacu, bulk read operations across multiple resource types in short time windows, and enumeration patterns associated with threat actors like Scattered Spider and Storm-0501, who use cloud discovery to identify high-value targets before establishing persistence or staging data exfiltration.

MITRE ATT&CK

Tactic
Discovery
Technique
T1580 Cloud Infrastructure Discovery
Canonical reference
https://attack.mitre.org/techniques/T1580/

SPL Detection Query

Splunk (SPL)
index=* (sourcetype="aws:cloudtrail" OR sourcetype="azure:activity")
| eval cloud_provider=case(
    sourcetype="aws:cloudtrail", "AWS",
    sourcetype="azure:activity", "Azure",
    true(), "Unknown"
  )
| eval api_name=coalesce(eventName, operationName)
| eval identity=coalesce('userIdentity.arn', 'userIdentity.userName', caller)
| eval source_ip=coalesce(sourceIPAddress, callerIpAddress)
| search api_name IN (
    "DescribeInstances", "DescribeVolumes", "DescribeSnapshots", "DescribeImages",
    "ListBuckets", "HeadBucket", "GetPublicAccessBlock", "GetBucketAcl", "GetBucketPolicy",
    "DescribeDBInstances", "DescribeDBClusters", "DescribeDBSnapshots",
    "DescribeSecurityGroups", "DescribeVpcs", "DescribeSubnets",
    "DescribeNetworkInterfaces", "DescribeRouteTables", "ListFunctions",
    "ListRoles", "ListUsers", "GetCallerIdentity", "DescribeLoadBalancers",
    "DescribeAutoScalingGroups", "DescribeKeyPairs",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Sql/servers/read",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.KeyVault/vaults/read"
  )
| bin _time span=15m
| stats
    count as discovery_count,
    dc(api_name) as distinct_apis,
    values(api_name) as api_list,
    dc(source_ip) as distinct_ips,
    values(source_ip) as source_ips,
    earliest(_time) as first_seen,
    latest(_time) as last_seen
    by cloud_provider, identity, _time
| where discovery_count >= 10 OR distinct_apis >= 5
| eval risk_score=case(
    distinct_apis >= 10 AND discovery_count >= 50, 90,
    distinct_apis >= 7 AND discovery_count >= 20, 70,
    distinct_apis >= 5 OR discovery_count >= 10, 50,
    true(), 30
  )
| eval time_window_minutes=round((last_seen - first_seen) / 60, 1)
| eval detection_window="15m"
| sort -risk_score -discovery_count
| table _time, cloud_provider, identity, source_ips, discovery_count, distinct_apis, api_list, time_window_minutes, risk_score
Severity: high · Confidence: medium

Detects burst enumeration of cloud infrastructure resources in AWS and Azure by bucketing API calls into 15-minute windows and alerting when a single identity makes 10+ discovery calls or touches 5+ distinct discovery API types. Computes a risk score based on API diversity and volume to triage high-confidence events first.

Data Sources

AWS CloudTrail
Azure Activity Logs

Required Sourcetypes

aws:cloudtrail
azure:activity

False Positives & Tuning

  • Infrastructure-as-code tools (Terraform, Pulumi) performing plan operations that enumerate current state before computing diffs
  • Cloud security posture management (CSPM) platforms performing scheduled compliance scans against all resource types
  • Automated backup solutions conducting pre-backup discovery to catalog cloud assets for protection scope
  • Cloud-native monitoring agents performing resource health checks across compute and storage tiers
  • DevOps automation pipelines validating environment state after deployments via bulk describe operations

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: AWS Infrastructure Enumeration via CLI

    Expected signal: CloudTrail management events for: GetCallerIdentity, DescribeInstances (multiple regions), ListBuckets, GetPublicAccessBlock, GetBucketAcl, DescribeDBInstances, DescribeKeyPairs, DescribeSecurityGroups — all appearing within a short time window from the same identity and source IP

  2. Test 2: Azure Infrastructure Enumeration via Azure CLI

    Expected signal: Azure Activity Log entries for operations: Microsoft.Compute/virtualMachines/read, Microsoft.Storage/storageAccounts/read, Microsoft.Sql/servers/read, Microsoft.Network/virtualNetworks/read, Microsoft.KeyVault/vaults/read, Microsoft.ContainerService/managedClusters/read, Microsoft.Resources/subscriptions/resourcegroups/read — all from same caller within a short window

  3. Test 3: Automated Cloud Enumeration with Pacu (AWS Exploitation Framework)

    Expected signal: CloudTrail management events with UserAgent containing 'pacu' or 'Boto3' (Pacu uses Boto3 SDK). Expect 50+ API calls across ec2:DescribeInstances, ec2:DescribeVolumes, ec2:DescribeSnapshots, s3:ListBuckets, iam:ListUsers, iam:ListRoles, iam:ListPolicies, rds:DescribeDBInstances, lambda:ListFunctions within minutes from a single identity

