T1619 IBM QRadar · QRadar

Detect Cloud Storage Object Discovery in IBM QRadar

This detection identifies adversary enumeration of cloud storage objects across AWS S3, Azure Blob Storage, and GCP Cloud Storage. Attackers use native cloud APIs (e.g., ListObjectsV2 for S3, List Blobs for Azure) to survey accessible buckets and containers, typically as a precursor to data staging or exfiltration. The detection looks for anomalous listing activity including high-volume object enumeration, access from unexpected identities or IPs, enumeration across multiple buckets in short time windows, and listing operations performed by service principals or IAM roles outside their expected behavioral baseline. Tools such as Pacu and Peirates are known to automate these enumeration workflows.

MITRE ATT&CK

Tactic
Discovery
Technique
T1619 Cloud Storage Object Discovery
Canonical reference
https://attack.mitre.org/techniques/T1619/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT username as "Username", sourceip as "SourceIP", UTF8(payload) as "APICall", devicetime as "EventTime", CASE WHEN UTF8(payload) ILIKE '%ListBuckets%' OR UTF8(payload) ILIKE '%ListAllMyBuckets%' THEN 80 WHEN UTF8(payload) ILIKE '%ListObjectsV2%' AND eventcount > 100 THEN 75 WHEN UTF8(payload) ILIKE '%GetBucketAcl%' OR UTF8(payload) ILIKE '%GetBucketPolicy%' THEN 70 ELSE 50 END as "RiskScore" FROM events WHERE LOGSOURCETYPENAME(devicetype) IN ('Amazon AWS CloudTrail', 'Microsoft Azure', 'Google Cloud Platform') AND (UTF8(payload) ILIKE '%ListObjects%' OR UTF8(payload) ILIKE '%ListBuckets%' OR UTF8(payload) ILIKE '%GetBucketAcl%' OR UTF8(payload) ILIKE '%StorageRead%') ORDER BY "RiskScore" DESC LAST 24 HOURS
high severity medium confidence

IBM QRadar AQL translation of the T1619 detection. Uses SQL-like syntax with risk scoring. Detects high-volume or broad cloud storage enumeration across AWS S3 (via CloudTrail ListObjectsV2/L

Data Sources

Amazon AWS CloudTrailMicrosoft AzureGoogle Cloud Platform

Required Tables

events

False Positives & Tuning

  • Legitimate cloud-native backup solutions (e.g., Veeam, AWS Backup, Azure Backup) that enumerate storage objects on a schedule
  • Data lake or ETL pipeline services (Azure Data Factory, AWS Glue) that list objects as part of normal pipeline execution
  • Security posture management tools (Prisma Cloud, Wiz, AWS Security Hub) performing periodic storage inventory scans
  • DevOps CI/CD pipelines that sync or audit S3/Blob content as part of deployment workflows
  • Cloud cost optimization tools (CloudHealth, Spot.io) enumerating storage for billing analysis
Download portable Sigma rule (.yml)

Other platforms for T1619

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1AWS S3 Bucket and Object Enumeration with AWS CLI

    Expected signal: CloudTrail will generate events: eventName=ListBuckets, eventName=ListObjectsV2 (one per bucket enumerated), eventName=GetBucketLocation, eventName=GetBucketAcl, eventName=GetBucketPolicy. All events will share the same userIdentity.arn and originating sourceIPAddress. Events appear in CloudTrail within 15 minutes (standard delivery) or near-real-time (CloudTrail Lake).

  2. Test 2Pacu Framework AWS Storage Enumeration Module

    Expected signal: CloudTrail events with userAgent containing 'Boto3' (Pacu uses Boto3 SDK). EventNames: ListBuckets, GetBucketAcl, GetBucketLocation, DescribeVolumes, DescribeSnapshots. The Pacu session generates many rapid sequential API calls detectable by rate and ordering patterns.

  3. Test 3Azure Blob Storage Container and Object Enumeration via Azure CLI

    Expected signal: Azure StorageBlobLogs table will contain OperationName values: ListContainers, ListBlobs, GetContainerProperties. CallerIpAddress will reflect the test machine IP. AuthenticationType will show 'StorageKey' (when using account key) or 'OAuth' (when using service principal). AzureActivity log will show Microsoft.Storage/storageAccounts/listKeys/action if keys were retrieved.

Last updated: 2026-03-20 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1619 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1580Cloud Infrastructure DiscoveryT1530Data from Cloud StorageT1537Transfer Data to Cloud AccountT1078.004Cloud AccountsT1613Container and Resource DiscoveryT1083File and Directory DiscoveryT1087.002Domain Account

Same Tactic: Discovery

Popular Detections