AN1594: Analytic 1594
Detection of suspicious enumeration of cloud storage objects via API calls such as AWS S3 ListObjectsV2, Azure List Blobs, or GCP ListObjects. Correlate access with account role, user context, and prior authentication activity to identify anomalous usage patterns (e.g., unusual account, unexpected regions, or large-scale enumeration in short time windows).
Analyst context for executives and security teams
This analytic is about spotting suspicious cloud storage object enumeration, such as listing many objects in AWS S3, Azure Blob Storage, or Google Cloud Storage through APIs. For leaders, the practical issue is visibility: broad or unusual listing activity can indicate that an identity, role, or workload is being used in a way that may expose sensitive data locations before any clear data access or movement is confirmed.
Executive priority
Prioritize this as a cloud data visibility and identity-governance control. Security leaders should ask whether cloud API activity for storage listing is centrally logged, retained, and correlated with user, role, region, and recent authentication context. This supports incident triage, cloud security assurance, and compliance evidence around access monitoring for object storage.
Technical view
SOC and detection teams should validate monitoring for IaaS cloud storage listing APIs, including AWS S3 ListObjectsV2, Azure List Blobs, and GCP ListObjects where applicable. The analytic direction is behavioral: correlate object enumeration with account role, user context, prior authentication, expected regions, and enumeration volume over short time windows. Because no ATT&CK tactic or relationship context is supplied, teams should avoid over-scoping the alert and instead use local baselines to distinguish administrative inventory, backup, indexing, or application behavior from anomalous enumeration.
Likely telemetry
- Cloud control-plane/API audit logs for object storage listing operations
- Identity and role context for the calling account, user, service principal, or workload identity
- Authentication history preceding the storage enumeration activity
- Region, bucket/container, project/account/subscription, and source context associated with API calls
- Counts and timing of listed objects or listing API calls over short windows
Detection direction
- Confirm that storage listing API events are collected across the relevant IaaS environments named in the analytic: AWS, Azure, and GCP where used.
- Baseline normal enumeration patterns by role, workload, region, and business process before treating high-volume listing as suspicious.
- Tune for unusual account usage, unexpected regions, and large-scale enumeration in short time windows, as described by the official analytic.
- Correlate with prior authentication activity to identify impossible, new, or unusual access context, while accounting for legitimate automation.
- Document blind spots where object storage API logs are not enabled, not centralized, or lack identity/session context.
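An added example, not part of the ATT&CK analytic or the Glexia page, showing the correlation described above as detection logic run over constructed CloudTrail-style S3 ListObjectsV2 records: the baseline table, window, threshold, principal ARNs and sample events are all assumptions to be replaced with local values.

```python
# Added example (not from ATT&CK or Glexia): flag S3 listing activity by an
# unbaselined principal, from an unexpected region, or at high volume in a short window.
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed local baseline: principals expected to enumerate, and the regions they use.
BASELINE = {
    "arn:aws:iam::111122223333:role/backup-indexer": {"us-east-1", "us-west-2"},
}
WINDOW = timedelta(minutes=5)      # "short time window" from the analytic (assumed)
MAX_LISTS_PER_WINDOW = 20          # tune against the local baseline (assumed)
LISTING_EVENTS = {"ListObjects", "ListObjectsV2"}  # assumes S3 data events are collected

def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def detect_enumeration(events, baseline=BASELINE):
    """Return {principal_arn: sorted list of reasons} for principals that fire."""
    findings = defaultdict(set)
    per_principal = defaultdict(list)
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") not in LISTING_EVENTS:
            continue
        principal = ev["userIdentity"]["arn"]
        per_principal[principal].append(ev)
        expected_regions = baseline.get(principal)
        if expected_regions is None:
            findings[principal].add("unbaselined_principal")   # unusual account
        elif ev["awsRegion"] not in expected_regions:
            findings[principal].add("unexpected_region")        # unexpected region
    # Sliding window: count listing calls per principal inside any WINDOW-long span
    for principal, evs in per_principal.items():
        times = sorted(_ts(e) for e in evs)
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > WINDOW:
                start += 1
            if end - start + 1 > MAX_LISTS_PER_WINDOW:
                findings[principal].add("high_volume_enumeration")
                break
    return {p: sorted(r) for p, r in findings.items()}

def _event(arn, region, minute, name="ListObjectsV2"):
    # Constructed CloudTrail-like record (sample data, not a real log line)
    return {"eventSource": "s3.amazonaws.com", "eventName": name, "awsRegion": region,
            "eventTime": f"2026-01-15T10:{minute:02d}:00Z", "userIdentity": {"arn": arn}}

SAMPLE_EVENTS = (
    [_event("arn:aws:iam::111122223333:role/backup-indexer", "us-east-1", m) for m in range(10)]
    + [_event("arn:aws:iam::111122223333:user/contractor", "eu-central-1", 0)] * 25
)
```

The backup role's ten calls over ten minutes stay under the window threshold and in an expected region, so only the unbaselined principal's burst is reported.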
Mitigation priorities
- Ensure cloud audit logging is enabled and retained for object storage API activity.
- Review least-privilege access to storage listing permissions for users, roles, service principals, and workload identities.
- Reduce unnecessary broad listing permissions where business workflows do not require them.
- Use identity governance and access review processes to validate that accounts capable of large-scale enumeration are expected and monitored.
- Prepare incident response procedures for investigating suspicious storage enumeration, including account context, affected storage locations, and follow-on access review.
Analyst notes and limits
The supplied object is a detection analytic for IaaS platforms and focuses on suspicious cloud storage object enumeration through API calls. It does not provide an official detection implementation, ATT&CK tactics, or relationship context, so local cloud architecture, logging configuration, and identity model are required to operationalize it.
This take is limited to the official STIX fields, external reference, and empty relationship context supplied. It does not infer active exploitation, attribution, impact, or guaranteed detection coverage. Cloud-provider-specific implementation details must be validated against the organization’s own environments.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 0426cc249480… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1594 (open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.