title: Cloud Storage Object Discovery (T1619)
id: df00tech-t1619
status: experimental
description: "This detection identifies adversary enumeration of cloud storage objects across AWS S3, Azure Blob Storage, and GCP Cloud Storage. Attackers use native cloud APIs (e.g., ListObjectsV2 for S3, List Blobs for Azure) to survey accessible buckets and containers, typically as a precursor to data staging or exfiltration. The detection looks for anomalous listing activity including high-volume object enumeration, access from unexpected identities or IPs, enumeration across multiple buckets in short time windows, and listing operations performed by service principals or IAM roles outside their expected behavioral baseline. Tools such as Pacu and Peirates are known to automate these enumeration workflows."
references:
  - https://attack.mitre.org/techniques/T1619/
  - https://df00tech.com/detections/T1619
author: df00tech
date: 2026/03/20
tags:
  - attack.t1619
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate cloud-native backup solutions (e.g., Veeam, AWS Backup, Azure Backup) that enumerate storage objects on a schedule"
  - "Data lake or ETL pipeline services (Azure Data Factory, AWS Glue) that list objects as part of normal pipeline execution"
  - "Security posture management tools (Prisma Cloud, Wiz, AWS Security Hub) performing periodic storage inventory scans"
  - DevOps CI/CD pipelines that sync or audit S3/Blob content as part of deployment workflows
  - "Cloud cost optimization tools (CloudHealth, Spot.io) enumerating storage for billing analysis"
level: high