
Cloud Service Enumeration (8c826308-2760-492f-9e36-4f0f7e23bcac)

Cloud service enumeration involves listing or querying the services and resources available in a cloud control plane. It is typically performed to identify resources such as virtual machines, storage buckets, compute clusters, or other services within a cloud environment. Examples include API calls like AWS ECS ListServices, Azure ListAllResources, or Google Cloud ListInstances. Representative scenarios:

  • AWS Cloud Service Enumeration: The adversary gathers details about existing ECS services to identify opportunities for privilege escalation or exfiltration.
  • Azure Resource Enumeration: The adversary collects information about virtual machines, resource groups, and other Azure assets for reconnaissance purposes.
  • Google Cloud Resource Enumeration: The adversary maps the environment to find misconfigured or underutilized resources for exploitation.
  • Office 365 Service Enumeration: The adversary looks for data repositories or collaboration tools from which to exfiltrate sensitive information.

This data component can be collected through the following measures:

Enable Cloud Activity Logging

  • Ensure cloud service logs are enabled for API calls and resource usage.
  • Example: Enable AWS CloudTrail, Azure Monitor, or Google Cloud Logging to track resource queries.

Centralize Logs in a SIEM

  • Aggregate logs from cloud control planes into a centralized SIEM (e.g., Splunk, Microsoft Sentinel, formerly Azure Sentinel).
  • Example: Collect AWS CloudTrail logs and alert when one principal issues an unusual burst of distinct read-only API calls (List*, Describe*, Get*) across several services in a short window.

Use Native Cloud Security Tools

  • Leverage cloud-native security solutions like AWS GuardDuty, Microsoft Defender for Cloud (formerly Azure Defender), or Google Security Command Center.
  • Example: Use GuardDuty to detect anomalous API activity, such as ListServices being executed by an unknown user.

Implement Network Flow Logging

  • Monitor and analyze VPC flow logs to identify lateral movement or enumeration activity.
  • Example: Inspect flow logs for unexpected traffic between compute instances and the cloud control plane. Flow logs record only addresses, ports, and byte counts, so they show that an instance talked to an API endpoint, not which API it called; pair them with control-plane audit logs to name the call.

API Access Monitoring

  • Monitor API keys and tokens used for enumeration to identify misuse or compromise.
  • Example: Correlate the accessKeyId and userIdentity fields in CloudTrail (or the signing principal in Entra ID sign-in logs) with the principals and source networks expected to hold those credentials, and alert when a key appears in enumeration activity from elsewhere. Keep the keys themselves in AWS Secrets Manager or Azure Key Vault so that a key implicated in such activity can be rotated or revoked quickly.
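The SIEM alerting, the "ListServices by an unknown user" case under native security tools, and the API key correlation under API access monitoring all reduce to the same correlation rule over control-plane audit records. The following is an added example of that rule, not code from the original page or from MITRE. It uses real CloudTrail field names (eventTime, eventSource, eventName, userIdentity, sourceIPAddress, readOnly), but the records, the account ID, the principal ARNs, the access key IDs, the baseline sets, and the thresholds are all constructed or assumed and would be tuned per environment.

```python
"""Flag cloud-service enumeration bursts in AWS CloudTrail records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# CloudTrail eventName prefixes that query the control plane without changing it.
ENUM_PREFIXES = ("List", "Describe", "Get")

# Assumed per-environment baseline (hypothetical values): principals and networks
# expected to run read-only API calls. Anything else raises the alert severity.
KNOWN_PRINCIPALS = {"arn:aws:sts::111122223333:assumed-role/deploy-role/ci"}
KNOWN_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("198.51.100.0/24")]


def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC, e.g. 2024-05-01T12:00:05Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def principal_of(record):
    """Grouping key for a record: the caller ARN, else the access key, else 'unknown'."""
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("accessKeyId") or "unknown"


def is_enumeration_call(record):
    """True for read-only control-plane queries such as ecs:ListServices.

    CloudTrail sets readOnly on management events; an explicit false (e.g. UpdateService)
    is a mutation and never counts as enumeration.
    """
    if record.get("readOnly") is False:
        return False
    return record.get("eventName", "").startswith(ENUM_PREFIXES)


def from_unknown_network(ip, networks=KNOWN_NETWORKS):
    """True if the source IP is outside every baseline network."""
    try:
        addr = ip_address(ip)
    except ValueError:  # service-originated calls carry a DNS name, e.g. ecs.amazonaws.com
        return False
    return not any(addr in net for net in networks)


def detect_enumeration(records, window=timedelta(minutes=10), min_distinct_calls=5,
                       min_services=2, known_principals=KNOWN_PRINCIPALS):
    """One alert per principal whose read-only calls inside a sliding window span at least
    min_distinct_calls distinct (service, API) pairs across at least min_services services.
    Severity is 'high' when the principal or any source IP is outside the baseline."""
    by_principal = defaultdict(list)
    for rec in records:
        if is_enumeration_call(rec):
            by_principal[principal_of(rec)].append(rec)

    alerts = []
    for principal, recs in by_principal.items():
        recs.sort(key=lambda r: parse_time(r["eventTime"]))
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it covers the current record.
            while parse_time(recs[end]["eventTime"]) - parse_time(recs[start]["eventTime"]) > window:
                start += 1
            first_t = parse_time(recs[start]["eventTime"])
            span = [r for r in recs[start:] if parse_time(r["eventTime"]) - first_t <= window]
            calls = {(r["eventSource"], r["eventName"]) for r in span}
            services = {svc for svc, _ in calls}
            if len(calls) >= min_distinct_calls and len(services) >= min_services:
                ips = {r.get("sourceIPAddress", "") for r in span}
                suspicious = principal not in known_principals or any(from_unknown_network(ip) for ip in ips)
                alerts.append({
                    "principal": principal,
                    "access_keys": sorted({r["userIdentity"].get("accessKeyId", "") for r in span}),
                    "source_ips": sorted(ips),
                    "distinct_calls": len(calls),
                    "services": sorted(services),
                    "window_start": span[0]["eventTime"],
                    "severity": "high" if suspicious else "medium",
                })
                break  # one alert per principal per run
    return alerts


def _rec(t, source, name, arn, key, ip, read_only=True):
    """Build a constructed CloudTrail-shaped record (real field names, made-up values)."""
    return {"eventTime": t, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "IAMUser", "arn": arn, "accessKeyId": key},
            "sourceIPAddress": ip, "readOnly": read_only}


# Hypothetical principals. AKIA-prefixed keys are long-term IAM user keys, ASIA-prefixed
# keys are temporary credentials from an assumed role.
ATTACKER = "arn:aws:iam::111122223333:user/backup-svc"
DEPLOY = "arn:aws:sts::111122223333:assumed-role/deploy-role/ci"
OPS = "arn:aws:iam::111122223333:user/ops-reader"

SAMPLE_RECORDS = [
    # Stolen long-term key sweeps five services in 90 seconds from a non-baseline IP.
    _rec("2024-05-01T12:00:05Z", "sts.amazonaws.com", "GetCallerIdentity", ATTACKER, "AKIAEXAMPLE0000001", "203.0.113.45"),
    _rec("2024-05-01T12:00:09Z", "ecs.amazonaws.com", "ListClusters", ATTACKER, "AKIAEXAMPLE0000001", "203.0.113.45"),
    _rec("2024-05-01T12:00:11Z", "ecs.amazonaws.com", "ListServices", ATTACKER, "AKIAEXAMPLE0000001", "203.0.113.45"),
    _rec("2024-05-01T12:00:40Z", "s3.amazonaws.com", "ListBuckets", ATTACKER, "AKIAEXAMPLE0000001", "203.0.113.45"),
    _rec("2024-05-01T12:01:02Z", "ec2.amazonaws.com", "DescribeInstances", ATTACKER, "AKIAEXAMPLE0000001", "203.0.113.45"),
    _rec("2024-05-01T12:01:30Z", "iam.amazonaws.com", "ListUsers", ATTACKER, "AKIAEXAMPLE0000001", "203.0.113.45"),
    # Legitimate deploy pipeline: one read, one mutation, baseline role and network.
    _rec("2024-05-01T12:05:00Z", "ecs.amazonaws.com", "DescribeServices", DEPLOY, "ASIAEXAMPLE0000002", "10.0.4.12"),
    _rec("2024-05-01T12:05:03Z", "ecs.amazonaws.com", "UpdateService", DEPLOY, "ASIAEXAMPLE0000002", "10.0.4.12", read_only=False),
    # Slow reader: six distinct calls, but never more than two inside any 10-minute window.
    _rec("2024-05-01T12:00:00Z", "ecs.amazonaws.com", "ListClusters", OPS, "AKIAEXAMPLE0000003", "10.0.9.7"),
    _rec("2024-05-01T12:06:00Z", "ecs.amazonaws.com", "ListServices", OPS, "AKIAEXAMPLE0000003", "10.0.9.7"),
    _rec("2024-05-01T12:12:00Z", "s3.amazonaws.com", "ListBuckets", OPS, "AKIAEXAMPLE0000003", "10.0.9.7"),
    _rec("2024-05-01T12:18:00Z", "ec2.amazonaws.com", "DescribeInstances", OPS, "AKIAEXAMPLE0000003", "10.0.9.7"),
    _rec("2024-05-01T12:24:00Z", "iam.amazonaws.com", "ListUsers", OPS, "AKIAEXAMPLE0000003", "10.0.9.7"),
    _rec("2024-05-01T12:30:00Z", "sts.amazonaws.com", "GetCallerIdentity", OPS, "AKIAEXAMPLE0000003", "10.0.9.7"),
]


def run_sample():
    """Run the rule over the constructed records; only the burst from ATTACKER should fire."""
    return detect_enumeration(SAMPLE_RECORDS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The distinct-call threshold, rather than raw call volume, is what separates the sweep from the slow reader: a single noisy dashboard can issue hundreds of DescribeInstances calls and still touch one API, while a reconnaissance pass touches many APIs across many services. The access key IDs carried in the alert are what the API-access-monitoring measure above feeds back into rotation.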
Cluster A | Galaxy A | Cluster B | Galaxy B | Level
--- | --- | --- | --- | ---
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) | Attack Pattern | Cloud Service Enumeration (8c826308-2760-492f-9e36-4f0f7e23bcac) | mitre-data-component | 1
Cloud Secrets Management Stores - T1555.006 (cfb525cc-5494-401d-a82b-2539ca46a561) | Attack Pattern | Cloud Service Enumeration (8c826308-2760-492f-9e36-4f0f7e23bcac) | mitre-data-component | 1
Cloud Service Discovery - T1526 (e24fcba8-2557-4442-a139-1ee2f2e784db) | Attack Pattern | Cloud Service Enumeration (8c826308-2760-492f-9e36-4f0f7e23bcac) | mitre-data-component | 1
Cloud Service Enumeration (8c826308-2760-492f-9e36-4f0f7e23bcac) | mitre-data-component | Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) | Attack Pattern | 1
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) | Attack Pattern | Cloud Secrets Management Stores - T1555.006 (cfb525cc-5494-401d-a82b-2539ca46a561) | Attack Pattern | 2