
DET0578 Detection Strategy for Cloud Storage Object Discovery

| Item | Value |
|---|---|
| ID | DET0578 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1619 (Cloud Storage Object Discovery)

Analytics

IaaS

AN1594

Detection of suspicious enumeration of cloud storage objects via API calls such as AWS S3 ListObjectsV2, Azure List Blobs, or GCP ListObjects. Correlate access with account role, user context, and prior authentication activity to identify anomalous usage patterns (e.g., unusual account, unexpected regions, or large-scale enumeration in short time windows).

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Cloud Storage Enumeration (DC0017) | AWS:CloudTrail | ListObjectsV2 |
| Cloud Storage Access (DC0025) | AWS:CloudTrail | GetObject, CopyObject |

Mutable Elements

| Field | Description |
|---|---|
| TimeWindow | Correlation window (e.g., multiple enumeration calls within 5 minutes) may indicate automated discovery versus normal user activity. |
| UserContext | Expected service accounts and IAM roles that regularly enumerate storage; deviations may indicate suspicious activity. |
| RegionScope | Unusual enumeration of buckets across multiple geographic regions in short succession may indicate adversary reconnaissance. |
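
One way to apply AN1594 with the three mutable elements as tunable parameters, run over CloudTrail-shaped records. This is an added example, not part of the original detection strategy. The function name, the `min_calls` and `min_regions` thresholds, the ARNs and the sample events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The page names ListObjectsV2; "ListObjects" is accepted as well on the
# assumption that a trail may record the call under that event name.
ENUM_EVENTS = {"ListObjectsV2", "ListObjects"}

def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def detect_enumeration(events, expected_principals,
                       time_window=timedelta(minutes=5), min_calls=5, min_regions=2):
    """One finding per principal whose listing calls burst or span regions within time_window."""
    by_principal = defaultdict(list)
    for e in events:
        if e.get("eventSource") == "s3.amazonaws.com" and e.get("eventName") in ENUM_EVENTS:
            by_principal[e["userIdentity"]["arn"]].append(e)
    findings = []
    for arn, evs in by_principal.items():
        evs.sort(key=_ts)
        start, best = 0, None
        for end in range(len(evs)):  # sliding window that ends at evs[end]
            while _ts(evs[end]) - _ts(evs[start]) > time_window:
                start += 1
            window = evs[start:end + 1]
            regions = sorted({e["awsRegion"] for e in window})
            reasons = [name for name, hit in (("burst", len(window) >= min_calls),
                                              ("multi_region", len(regions) >= min_regions)) if hit]
            rank = (len(reasons), len(window))  # keep the strongest window per principal
            if reasons and (best is None or rank > best[0]):
                best = (rank, {"principal": arn, "calls": len(window), "regions": regions,
                               "reasons": reasons,
                               "expected_principal": arn in expected_principals})
        if best:
            findings.append(best[1])
    return findings

def _ev(time, arn, region, name="ListObjectsV2"):  # builds a constructed CloudTrail-shaped record
    return {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": name,
            "awsRegion": region, "userIdentity": {"arn": arn}}

BACKUP = "arn:aws:iam::111122223333:role/backup-service"  # constructed ARNs
UNLISTED = "arn:aws:iam::111122223333:user/dev-temp"
SAMPLE_EVENTS = (  # constructed sample data, not real logs
    [_ev("2025-10-21T09:00:00Z", BACKUP, "us-east-1"), _ev("2025-10-21T09:10:00Z", BACKUP, "us-east-1"),
     _ev("2025-10-21T09:01:00Z", UNLISTED, "us-east-1", "GetObject")]
    + [_ev(f"2025-10-21T09:0{m}:30Z", UNLISTED, r)
       for m, r in enumerate(["us-east-1", "us-east-1", "eu-west-1", "eu-west-1", "ap-south-1", "ap-south-1"])]
)
```

Calling `detect_enumeration(SAMPLE_EVENTS, expected_principals={BACKUP})` returns a single finding for the unlisted user; the `expected_principal` flag carries the UserContext decision so that downstream triage can suppress or escalate.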