title: Cloud Infrastructure Discovery (T1580)
id: df00tech-t1580
status: experimental
description: "This detection identifies adversaries enumerating cloud infrastructure resources across AWS, Azure, and GCP environments. Attackers leverage cloud provider APIs and CLI tools to discover compute instances, storage buckets, databases, snapshots, and network configurations using compromised credentials. The detection monitors for high-volume or broad-scope API calls characteristic of automated enumeration tools like Pacu, bulk read operations across multiple resource types in short time windows, and enumeration patterns associated with threat actors like Scattered Spider and Storm-0501 who use cloud discovery to identify high-value targets before establishing persistence or staging data exfiltration."
references:
  - https://attack.mitre.org/techniques/T1580/
  - https://df00tech.com/detections/T1580
author: df00tech
date: 2026/03/19
tags:
  - attack.t1580
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate cloud management platforms (Terraform, Pulumi, CloudFormation) performing state refresh that enumerate all resources at plan/apply time"
  - "Security posture management tools (Wiz, Prisma Cloud, Orca) performing scheduled asset inventory scans across the entire environment"
  - "Cloud cost management and optimization tools (CloudHealth, Spot.io) querying instance and storage metadata for billing analysis"
  - "CI/CD pipelines with infrastructure-as-code that execute bulk describe operations during deployment validation"
  - "Cloud backup agents (Veeam, Cohesity) performing pre-backup infrastructure discovery to identify targets"
level: high

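Because the rule body above is only a placeholder, here is an added example (not part of the df00tech rule or its KQL/SPL query) of the logic the description calls for: a principal issuing many read-only API calls across several cloud services inside a short window. It assumes CloudTrail-style records (the `eventName`, `eventSource`, `eventTime` and `userIdentity.arn` fields) and the thresholds, ARNs and log records are constructed for the demonstration.

```python
"""Flag principals whose read-only cloud API calls cross a volume and a breadth
threshold inside one sliding time window (the T1580 enumeration pattern).
Input records follow the CloudTrail field names; the sample data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds; tune them against the baseline of your own environment.
WINDOW = timedelta(minutes=5)
MIN_CALLS = 20       # read calls by one principal inside the window
MIN_SERVICES = 3     # distinct services touched inside the window
READ_PREFIXES = ("Describe", "List", "Get")

def find_enumeration(events):
    """Return {principal_arn: (window_start, call_count, services)} for each principal
    at the first sliding WINDOW in which both thresholds are crossed."""
    reads = defaultdict(list)
    for ev in events:
        if ev["eventName"].startswith(READ_PREFIXES):      # writes are ignored
            ts = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
            reads[ev["userIdentity"]["arn"]].append((ts, ev["eventSource"]))
    hits = {}
    for arn, calls in reads.items():
        calls.sort()
        start = 0
        for end in range(len(calls)):
            while calls[end][0] - calls[start][0] > WINDOW:  # slide the window forward
                start += 1
            window = calls[start:end + 1]
            services = {src for _, src in window}
            if len(window) >= MIN_CALLS and len(services) >= MIN_SERVICES:
                hits[arn] = (calls[start][0], len(window), sorted(services))
                break
    return hits

def _ev(minute, arn, source, name):   # builds one constructed CloudTrail-style record
    return {"eventTime": f"2026-03-19T10:{minute:02d}:00Z", "eventSource": source,
            "eventName": name, "userIdentity": {"arn": arn}}

COMPROMISED = "arn:aws:iam::123456789012:user/contractor"   # constructed ARNs
ADMIN = "arn:aws:iam::123456789012:user/ops-admin"
_ENUM_CALLS = [("ec2.amazonaws.com", "DescribeInstances"), ("ec2.amazonaws.com", "DescribeSnapshots"),
               ("ec2.amazonaws.com", "DescribeVolumes"), ("s3.amazonaws.com", "ListBuckets"),
               ("s3.amazonaws.com", "GetBucketPolicy"), ("rds.amazonaws.com", "DescribeDBInstances"),
               ("iam.amazonaws.com", "ListUsers"), ("iam.amazonaws.com", "ListRoles")]
SAMPLE_EVENTS = (
    # compromised user: 24 read calls across four services within two minutes
    [_ev(i // 12, COMPROMISED, s, n) for i, (s, n) in enumerate(_ENUM_CALLS * 3)]
    + [_ev(m, ADMIN, "ec2.amazonaws.com", "DescribeInstances") for m in (3, 17, 31, 45, 59)]  # sparse admin reads
    + [_ev(20, ADMIN, "ec2.amazonaws.com", "RunInstances")]                                   # write call, ignored
)
```

Running `find_enumeration(SAMPLE_EVENTS)` reports only the contractor principal, at the first window holding 20 reads over all four services; the admin's five spread-out reads stay below the threshold.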