
DET0169 Detection Strategy for Cloud Infrastructure Discovery

| Item | Value |
| --- | --- |
| ID | DET0169 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1580 (Cloud Infrastructure Discovery)

Analytics

IaaS

AN0481

Defenders should monitor for suspicious enumeration of cloud infrastructure components via APIs or CLI tools. Observable behaviors include repeated listing or description operations for compute instances, snapshots, storage buckets, and volumes. From a defender's perspective, risky activity is often identified by new or untrusted identities making discovery calls (e.g., DescribeInstances, ListBuckets, az vm list, gcloud compute instances list), enumeration from unusual geolocations or IPs, or rapid discovery across multiple services in sequence. Correlating discovery API usage with later snapshot creation or instance modification provides further context on adversary behavior.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Instance Metadata (DC0086) | AWS:CloudTrail | DescribeInstances |
| Cloud Storage Enumeration (DC0017) | AWS:CloudTrail | ListBuckets |
| Instance Enumeration (DC0075) | AWS:CloudTrail | DescribeDBInstances |
Mutable Elements

| Field | Description |
| --- | --- |
| UserContext | Identity performing the discovery operation; tuned to filter known administrative or inventory accounts. |
| GeoLocation | Source region or IP of discovery requests; tuned to expected operational regions to detect unusual access. |
| TimeWindow | Correlation period to link enumeration calls with subsequent provisioning or exfiltration activity. |
| APIThreshold | Rate or volume of discovery calls; tuned to suppress noise from inventory management tools. |
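The AN0481 analytic and the four mutable elements above, worked as an added example (not part of the ATT&CK strategy or any vendor rule): it runs the UserContext allowlist, GeoLocation region check, APIThreshold count and TimeWindow follow-on correlation over constructed CloudTrail-style records. The follow-on API names, the shortened ARNs and the sample events are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Discovery API names from the analytic above; the follow-on names are assumed for illustration.
DISCOVERY_APIS = {"DescribeInstances", "ListBuckets", "DescribeDBInstances"}
FOLLOW_ON_APIS = {"CreateSnapshot", "ModifyInstanceAttribute"}


def _ev(time, name, source, region, arn):
    return {"eventTime": time, "eventName": name, "eventSource": source,
            "awsRegion": region, "userIdentity": {"arn": arn}}


# Constructed CloudTrail-style records (not real telemetry), trimmed to the fields read below; ARNs shortened.
SAMPLE_EVENTS = [
    _ev("2025-10-21T09:00:00Z", "DescribeInstances", "ec2.amazonaws.com", "us-east-1", "inventory-bot"),
    _ev("2025-10-21T09:01:00Z", "DescribeInstances", "ec2.amazonaws.com", "ap-southeast-1", "new-contractor"),
    _ev("2025-10-21T09:01:20Z", "ListBuckets", "s3.amazonaws.com", "ap-southeast-1", "new-contractor"),
    _ev("2025-10-21T09:01:45Z", "DescribeDBInstances", "rds.amazonaws.com", "ap-southeast-1", "new-contractor"),
    _ev("2025-10-21T09:20:00Z", "CreateSnapshot", "ec2.amazonaws.com", "ap-southeast-1", "new-contractor"),
]


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_discovery(events, trusted_identities=frozenset({"inventory-bot"}),
                     expected_regions=frozenset({"us-east-1"}),
                     api_threshold=3, time_window=timedelta(minutes=30)):
    """One finding per untrusted identity whose discovery pattern trips a tuned check."""
    discovery, follow_on = {}, {}
    for ev in sorted(events, key=_ts):
        arn = ev["userIdentity"]["arn"]
        if arn in trusted_identities:          # UserContext: known inventory/admin accounts
            continue
        if ev["eventName"] in DISCOVERY_APIS:
            discovery.setdefault(arn, []).append(ev)
        elif ev["eventName"] in FOLLOW_ON_APIS:
            follow_on.setdefault(arn, []).append(ev)
    findings = []
    for arn, disc in discovery.items():
        start = _ts(disc[0])
        checks = {
            "discovery_volume": len(disc) >= api_threshold,                     # APIThreshold
            "multi_service": len({e["eventSource"] for e in disc}) > 1,         # enumeration across services
            "unexpected_region": any(e["awsRegion"] not in expected_regions for e in disc),  # GeoLocation
            "follow_on_in_window": any(start <= _ts(f) <= start + time_window   # TimeWindow
                                       for f in follow_on.get(arn, [])),
        }
        reasons = [name for name, hit in checks.items() if hit]
        if reasons:
            findings.append({"identity": arn, "discovery_calls": len(disc), "reasons": reasons})
    return findings
```

Raising api_threshold or widening expected_regions is how the noise from inventory tooling described in the Mutable Elements table is tuned out without losing the multi-service and follow-on signals.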