Skip to content

DC0083 Cloud Service Enumeration

Item Value
ID DC0083
Version 2.0
Created 20 October 2021
Last Modified 12 November 2025

Log Sources

Name Channel
AWS:CloudTrail GetSecretValue
AWS:CloudTrail ssm:ListInventoryEntries
AWS:CloudTrail DescribeInstances, DescribeServices, ListFunctions: High frequency enumeration calls or unusual user agents performing discovery
AWS:CloudTrail GetInstanceIdentityDocument or IMDSv2 token requests
AWS:CloudTrail DescribeUsers / ListUsers / GetUser
azure:ad SecretGet
azure:audit ListApplications, ListServicePrincipals: Large-scale queries against identity or application objects
azure:signinlogs Graph API Query
gcp:secrets accessSecretVersion
m365:unified Get-MsolServicePrincipal, ListAppRoles: Service discovery operations executed by accounts not normally performing administrative tasks
saas:adminapi ListIntegrations, ListServices: Repeated service discovery requests from accounts without administrative responsibilities

Detection Strategy

ID Name Technique Detected
DET0430 Detect Credentials Access from Password Stores T1555
DET0130 Detect Unauthorized Access to Cloud Secrets Management Stores T1555.006
DET0402 Detection Strategy for Cloud Service Discovery T1526
DET0515 Detection Strategy for T1528 - Steal Application Access Token T1528
DET0587 Enumeration of User or Account Information Across Platforms T1087
DET0392 Multi-Platform Software Discovery Behavior Chain T1518