MITRE ATT&CK® Analytic

AN0908: Analytic 0908

Detects enumeration of cloud network interfaces, VPCs, subnets, or peer connections using CLI or SDKs (e.g., AWS CLI, Azure CLI, GCloud CLI).

Enterprise | AN0908 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic is about spotting cloud infrastructure discovery activity: someone using cloud CLIs or SDKs to list network interfaces, VPCs, subnets, or peering connections in an IaaS environment. For leaders, the value is not just detecting a command; it is confirming whether the organization can see when identities are mapping cloud network topology, which can be important during incident triage, cloud exposure reviews, and validation of least-privilege access.

Executive priority

Prioritize this as a cloud visibility and identity-governance control question. If defenders cannot tell who enumerated cloud networking resources, from where, and under what identity, incident responders may struggle to distinguish legitimate administration from suspicious reconnaissance. This analytic can support cloud security assurance, audit evidence around monitoring, and access review decisions for accounts or roles with broad read permissions across IaaS networking resources.

Technical view

The supplied ATT&CK object defines an IaaS detection analytic for enumeration of cloud network interfaces, VPCs, subnets, and peering connections using CLI or SDK tooling such as AWS CLI, Azure CLI, or GCloud CLI. Because no official detection logic, tactics, or relationship context is provided, SOC teams should treat this as a validation requirement: confirm that cloud control-plane/API activity for network inventory operations is logged, that each record is normalized to carry the acting identity, the source, and (where available) the user agent or tooling, and that the activity is correlated with expected administrative workflows.

Likely telemetry

  • Cloud control-plane/API audit logs for IaaS networking resource enumeration
  • Identity context for the principal, role, user, service account, or federated session performing the activity
  • Source IP, geolocation or network origin, device context, and session metadata where available
  • User agent, CLI, SDK, or automation indicators where logged by the cloud provider
  • Resource metadata for network interfaces, VPCs, subnets, and peering connections queried

Detection direction

  • Validate that enumeration/read operations for IaaS networking resources are actually collected and retained across relevant cloud accounts, projects, subscriptions, and regions.
  • Baseline legitimate administrative and automation patterns before alerting on enumeration volume alone; cloud inventory tools can create benign high-volume activity.
  • Tune for unusual identity, source, time, region, account scope, or sudden expansion in the set of networking resources queried.
  • Correlate CLI/SDK-style access with identity risk indicators such as newly created credentials, unusual federation sessions, or roles that do not normally perform network discovery, if such telemetry is available locally.
  • Document blind spots where provider audit logs are disabled, not centralized, filtered, or lack user-agent/session details; the ATT&CK object does not provide detection logic to compensate for missing logs.
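As an added example, not part of the MITRE object or of Glexia's analysis, the Python script below applies the baselining and tuning steps above to CloudTrail-style records. It learns, per principal, which networking Describe actions, tooling families, source addresses and regions are routine, then flags events from a principal that has no discovery history or whose scope has expanded (new action, new tooling, new source, new region). AWS is used only because the page names the AWS CLI among other tools; the field names and EC2 action names are real, while the account id, role names, addresses, user agents and timestamps are constructed placeholders. Assumed-role session names are stripped so that each new session of the same role is not mistaken for a new identity.

```python
"""Baseline-aware detection of IaaS network enumeration from CloudTrail-style events.

Constructed sample data (not from the page): account id, role names, IPs and
timestamps are placeholders. Field names follow the CloudTrail record format and
the action names are the real EC2 operations that list networking resources.
"""
import json
from collections import defaultdict

# EC2 read operations that enumerate network interfaces, VPCs, subnets and peering.
NETWORK_ENUM_ACTIONS = {
    "DescribeNetworkInterfaces", "DescribeVpcs",
    "DescribeSubnets", "DescribeVpcPeeringConnections",
}

# Constructed history: routine nightly inventory by an automation role.
BASELINE_LOG = """
{"eventTime":"2025-01-06T02:00:01Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeVpcs","awsRegion":"us-east-1","sourceIPAddress":"10.0.5.20","userAgent":"aws-sdk-go/1.44.0 (go1.21; linux; amd64)","userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/inventory-scanner/scan-0106"}}
{"eventTime":"2025-01-06T02:00:02Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeSubnets","awsRegion":"us-east-1","sourceIPAddress":"10.0.5.20","userAgent":"aws-sdk-go/1.44.0 (go1.21; linux; amd64)","userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/inventory-scanner/scan-0106"}}
{"eventTime":"2025-01-06T02:00:03Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeNetworkInterfaces","awsRegion":"us-east-1","sourceIPAddress":"10.0.5.20","userAgent":"aws-sdk-go/1.44.0 (go1.21; linux; amd64)","userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/inventory-scanner/scan-0106"}}
"""

# Constructed events under review: one routine call, one scope expansion by the
# automation role, one identity with no discovery history, and non-network noise.
NEW_LOG = """
{"eventTime":"2025-01-07T02:00:01Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeVpcs","awsRegion":"us-east-1","sourceIPAddress":"10.0.5.20","userAgent":"aws-sdk-go/1.44.0 (go1.21; linux; amd64)","userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/inventory-scanner/scan-0107"}}
{"eventTime":"2025-01-07T02:00:02Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeVpcPeeringConnections","awsRegion":"us-east-1","sourceIPAddress":"10.0.5.20","userAgent":"aws-sdk-go/1.44.0 (go1.21; linux; amd64)","userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/inventory-scanner/scan-0107"}}
{"eventTime":"2025-01-07T14:31:09Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeNetworkInterfaces","awsRegion":"eu-west-1","sourceIPAddress":"203.0.113.45","userAgent":"aws-cli/2.15.0 Python/3.11.6 Linux/6.5.0 exe/x86_64","userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/contractor-readonly/alice"}}
{"eventTime":"2025-01-07T14:31:10Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","awsRegion":"eu-west-1","sourceIPAddress":"203.0.113.45","userAgent":"aws-cli/2.15.0 Python/3.11.6 Linux/6.5.0 exe/x86_64","userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/contractor-readonly/alice"}}
"""


def parse_events(text):
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def is_network_enumeration(event):
    return (event.get("eventSource") == "ec2.amazonaws.com"
            and event.get("eventName") in NETWORK_ENUM_ACTIONS)


def user_agent_family(user_agent):
    """'aws-cli/2.15.0 Python/...' -> 'aws-cli'; tooling family, not exact version."""
    return user_agent.split("/", 1)[0].strip().lower() if user_agent else "unknown"


def principal_of(event):
    """Normalize assumed-role ARNs to the role by dropping the session name."""
    arn = event.get("userIdentity", {}).get("arn", "unknown")
    marker = ":assumed-role/"
    if marker in arn:
        head, tail = arn.split(marker, 1)
        return head + marker + tail.split("/", 1)[0]
    return arn


def build_baseline(events):
    """Per principal: the actions, tooling families, sources and regions seen before."""
    baseline = defaultdict(lambda: {"actions": set(), "agents": set(),
                                    "sources": set(), "regions": set()})
    for ev in events:
        if not is_network_enumeration(ev):
            continue
        b = baseline[principal_of(ev)]
        b["actions"].add(ev["eventName"])
        b["agents"].add(user_agent_family(ev.get("userAgent")))
        b["sources"].add(ev.get("sourceIPAddress"))
        b["regions"].add(ev.get("awsRegion"))
    return dict(baseline)


def detect(events, baseline):
    """Return findings for network enumeration that departs from the baseline."""
    findings = []
    for ev in events:
        if not is_network_enumeration(ev):
            continue
        principal = principal_of(ev)
        known = baseline.get(principal)
        reasons = []
        if known is None:
            reasons.append("principal has no network-discovery baseline")
        else:
            if ev["eventName"] not in known["actions"]:
                reasons.append(f"new action {ev['eventName']} for this principal")
            if user_agent_family(ev.get("userAgent")) not in known["agents"]:
                reasons.append(f"unfamiliar tooling {user_agent_family(ev.get('userAgent'))}")
            if ev.get("sourceIPAddress") not in known["sources"]:
                reasons.append(f"new source {ev.get('sourceIPAddress')}")
            if ev.get("awsRegion") not in known["regions"]:
                reasons.append(f"new region {ev.get('awsRegion')}")
        if reasons:
            findings.append({
                "eventTime": ev.get("eventTime"), "principal": principal,
                "action": ev["eventName"], "sourceIPAddress": ev.get("sourceIPAddress"),
                "userAgent": ev.get("userAgent"), "reasons": reasons,
            })
    return findings


def run_sample():
    """Learn from BASELINE_LOG, then review NEW_LOG against it."""
    baseline = build_baseline(parse_events(BASELINE_LOG))
    return detect(parse_events(NEW_LOG), baseline)


if __name__ == "__main__":
    for finding in run_sample():
        print(json.dumps(finding))
```

Run as written, the script reports two findings: the inventory role calling DescribeVpcPeeringConnections for the first time (scope expansion, all other attributes routine) and the contractor role, which has no network-discovery history at all; the routine DescribeVpcs call and the DescribeInstances noise produce nothing. In production the baseline would be learned from a retained window of audit logs rather than an inline string, and the "no baseline" finding for a principal is where the page's point about documenting blind spots matters: a principal can appear new simply because its logs were never collected.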

Mitigation priorities

  • Ensure cloud audit logging for IaaS control-plane activity is enabled, centralized, and retained at a duration useful for investigation and compliance evidence.
  • Review least-privilege access for identities that can enumerate broad networking scope, especially cross-account, cross-project, or cross-subscription roles.
  • Separate expected inventory/automation identities from human administration so detection rules can distinguish routine discovery from unusual sessions.
  • Use cloud security posture and IAM review processes to reduce unnecessary visibility into sensitive network topology.
  • Prepare IR playbooks to answer who enumerated what, from where, using which identity, and whether follow-on activity occurred.

Analyst notes and limits

This is a detection analytic object, not a technique description. The object is scoped to IaaS and describes cloud network enumeration via CLI or SDKs. No ATT&CK tactics, related techniques, procedure examples, or official detection logic were supplied, so the defensive value comes from using it as a coverage check for cloud audit telemetry and identity-context correlation.

The source fields do not provide rule logic, event names, provider-specific API actions, severity, adversary attribution, active exploitation evidence, or relationship context. Local cloud architecture, logging configuration, IAM model, and approved automation patterns are required to turn this analytic into reliable detections.

Official MITRE ATT&CK definition

Analytic 0908

Detects enumeration of cloud network interfaces, VPCs, subnets, or peer connections using CLI or SDKs (e.g., AWS CLI, Azure CLI, GCloud CLI).

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 562767669c8dd6d2...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  562767669c8d…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0908

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.