MITRE ATT&CK® Technique

T1526: Cloud Service Discovery

An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ across platform-as-a-service (PaaS), infrastructure-as-a-service (IaaS), and software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Entra ID, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.

Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Microsoft Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.[1][2]

For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.[3][4]

Adversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through Disable or Modify Tools or Disable or Modify Cloud Log.

Domain: Enterprise | ID: T1526 | Type: Technique | Object version: 1.4 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Cloud Service Discovery is the reconnaissance an intruder performs after obtaining cloud access to understand what services, identities, applications, resources, policies, security tools, and logging capabilities are available. For leaders, this matters because discovery is often the point where a cloud incident can pivot from a single compromised identity into broader targeting of data, credentials, defenses, or logging.

Executive priority

Prioritize this technique as a cloud and identity readiness issue: if teams cannot see unusual enumeration across IaaS, SaaS, Office Suite, and identity provider environments, they may miss the early decision-making phase of an intrusion. Executives should ask whether cloud control-plane logs, identity audit logs, and SaaS administration activity are retained, reviewed, and usable as incident evidence. This also supports audit and resilience discussions because the same visibility needed to prove administrative accountability is needed to investigate cloud discovery behavior.

Technical view

ATT&CK lists this as an enterprise discovery technique for IaaS, Identity Provider, Office Suite, and SaaS platforms. The object specifically references enumeration through the Azure Resource Manager API and the Microsoft Graph and Azure AD Graph APIs, and its relationships name tools and frameworks such as Stormspotter, Pacu, AADInternals, ROADTools, and TruffleHog. SOC and IR teams should validate whether they can identify broad or unusual cloud service/resource enumeration by identities, applications, or sessions, especially where enumeration is followed by access to data, credentials, security services, or logging services. Official ATT&CK detection text is not provided, but a related ATT&CK detection strategy, DET0402, is linked to this technique.

Likely telemetry

  • Cloud control-plane/API activity logs for resource and service enumeration
  • Identity provider audit logs, including application, directory, group, policy, and role-related queries
  • SaaS and Office Suite administrative audit logs
  • IaaS account activity logs, including calls that list services, resources, policies, logging, and security configurations
  • Authentication and session context for the identity performing enumeration

Detection direction

  • Validate coverage against DET0402 where available, but do not assume coverage because the ATT&CK object does not provide detection logic.
  • Baseline normal administrative enumeration by cloud engineers, automation, inventory tools, compliance tools, and security platforms to reduce false positives.
  • Look for breadth, novelty, and sequence: identities querying many services, policies, applications, management groups, or logging/security services outside their normal role or timing.
  • Correlate discovery with prior authentication anomalies and follow-on access to credentials, data stores, security tooling, or cloud logging configurations.
  • Pay attention to legitimate open-source or administrative frameworks named in ATT&CK relationships, including AADInternals, ROADTools, Pacu, Stormspotter, and TruffleHog, while recognizing that tool naming alone is not reliable evidence.
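The telemetry and detection points above (breadth, novelty, sequence, and baselining) can be turned into a concrete scoring pass over cloud API logs. The following is an added example written for this page; it is not Glexia's or MITRE's code and not part of DET0402. The records are constructed CloudTrail-shaped events: the field names (eventTime, eventSource, eventName, readOnly, userIdentity.arn) follow the CloudTrail record format, but every identity, timestamp, and baseline value is invented, and the breadth threshold and service lists are assumptions to tune per environment.

```python
"""Score cloud service enumeration by breadth, novelty and sequence.

Added example, not Glexia's or MITRE's code. All identities, timestamps
and baseline values below are constructed for the demonstration.
"""
from collections import defaultdict

# CloudTrail names enumeration calls with these prefixes and marks them readOnly.
ENUM_PREFIXES = ("List", "Describe", "Get")

# Logging and security services named in the technique text; enumerating them
# gets extra weight because it often precedes defense evasion.
SENSITIVE_SERVICES = {"cloudtrail.amazonaws.com", "guardduty.amazonaws.com"}

# Write calls against those services that indicate follow-on tampering.
TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail",
                 "DeleteDetector", "UpdateDetector"}

ALICE = "arn:aws:iam::123456789012:user/alice"                     # constructed
DEPLOY = "arn:aws:sts::123456789012:assumed-role/deploy-role/ci"   # constructed
BOB = "arn:aws:iam::123456789012:user/bob"                         # constructed


def ev(time, arn, source, name, read_only=True):
    """Build one minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "userIdentity": {"arn": arn},
            "eventSource": source, "eventName": name, "readOnly": read_only}


# Constructed sample: alice sweeps many services, including logging/security
# ones, then stops a trail; deploy-role is wide but matches its baseline;
# bob does routine work.
SAMPLE_EVENTS = [
    ev("2025-01-10T09:00:01Z", ALICE, "iam.amazonaws.com", "ListUsers"),
    ev("2025-01-10T09:00:05Z", ALICE, "iam.amazonaws.com", "ListRoles"),
    ev("2025-01-10T09:00:09Z", ALICE, "s3.amazonaws.com", "ListBuckets"),
    ev("2025-01-10T09:00:14Z", ALICE, "lambda.amazonaws.com", "ListFunctions"),
    ev("2025-01-10T09:00:20Z", ALICE, "cloudtrail.amazonaws.com", "DescribeTrails"),
    ev("2025-01-10T09:00:25Z", ALICE, "guardduty.amazonaws.com", "ListDetectors"),
    ev("2025-01-10T09:00:31Z", ALICE, "secretsmanager.amazonaws.com", "ListSecrets"),
    ev("2025-01-10T09:02:40Z", ALICE, "cloudtrail.amazonaws.com", "StopLogging", False),
    ev("2025-01-10T03:00:00Z", DEPLOY, "ec2.amazonaws.com", "DescribeInstances"),
    ev("2025-01-10T03:00:02Z", DEPLOY, "lambda.amazonaws.com", "ListFunctions"),
    ev("2025-01-10T03:00:03Z", DEPLOY, "s3.amazonaws.com", "ListBuckets"),
    ev("2025-01-10T03:00:04Z", DEPLOY, "iam.amazonaws.com", "ListRoles"),
    ev("2025-01-10T10:15:00Z", BOB, "s3.amazonaws.com", "ListBuckets"),
]

# Constructed baseline: the services each identity enumerates on a normal day,
# as an inventory or SIEM job would compute from earlier weeks of logs.
BASELINE = {
    DEPLOY: {"ec2.amazonaws.com", "lambda.amazonaws.com",
             "s3.amazonaws.com", "iam.amazonaws.com"},
    BOB: {"s3.amazonaws.com"},
}


def score_identity(arn, events, baseline, breadth_threshold=5):
    """Return the reasons this identity's activity stands out (empty if none)."""
    events = sorted(events, key=lambda e: e["eventTime"])  # ISO-8601 'Z' sorts as text
    enum = [e for e in events
            if e["readOnly"] and e["eventName"].startswith(ENUM_PREFIXES)]
    services = {e["eventSource"] for e in enum}
    novel = services - baseline.get(arn, set())
    reasons = []
    # Breadth: many distinct services, and not explained by the baseline.
    if len(services) >= breadth_threshold and novel:
        reasons.append("breadth")
    # Novelty: services this identity has not enumerated before.
    if novel:
        reasons.append("novelty")
    # Sensitive: logging/security services were enumerated at all.
    sensitive_times = [e["eventTime"] for e in enum
                       if e["eventSource"] in SENSITIVE_SERVICES]
    if sensitive_times:
        reasons.append("sensitive-enum")
        # Sequence: a tamper call after the first look at a logging/security service.
        if any(not e["readOnly"] and e["eventName"] in TAMPER_EVENTS
               and e["eventTime"] > sensitive_times[0] for e in events):
            reasons.append("enum-then-tamper")
    return reasons


def detect(events, baseline):
    """Map each identity that has findings to its list of reasons."""
    per_identity = defaultdict(list)
    for e in events:
        per_identity[e["userIdentity"]["arn"]].append(e)
    findings = {}
    for arn, evs in per_identity.items():
        reasons = score_identity(arn, evs, baseline)
        if reasons:
            findings[arn] = reasons
    return findings


if __name__ == "__main__":
    for arn, reasons in detect(SAMPLE_EVENTS, BASELINE).items():
        print(f"{arn}: {', '.join(reasons)}")
```

On the constructed sample only the alice identity is reported, with all four reasons; deploy-role enumerates four services but every one is in its baseline, so it produces nothing, which is the point of baselining automation identities before alerting on breadth. The same shape applies to Azure activity or Entra ID audit logs by swapping the field names and the sensitive-service set.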

Mitigation priorities

  • Enforce least-privilege access for cloud and identity APIs so routine users and workloads cannot enumerate more services than required.
  • Centralize and retain cloud control-plane, identity provider, SaaS, and Office Suite audit logs as incident-response evidence.
  • Review permissions for applications, service principals, automation identities, and administrative roles that can list resources, policies, applications, or logging/security services.
  • Protect logging and security services from unauthorized discovery or change through role separation and change monitoring.
  • Include cloud service discovery scenarios in incident-response playbooks, especially triage steps for identity scope, affected services, and possible follow-on targeting.

Analyst notes and limits

The main defensive value is not blocking every enumeration event; many are legitimate. The value is knowing which identities are allowed to enumerate broadly, whether the behavior is normal for them, and whether enumeration is connected to later access attempts or changes. The relationship context shows this behavior is associated with multiple public tools and one ATT&CK group entry, so defenders should treat it as a broadly reusable behavior rather than a single-tool signature problem.

The official ATT&CK object does not include detection text or mitigations. This take is limited to the supplied ATT&CK description, external references, platforms, tactics, and relationships. Local cloud providers, enabled services, logging configuration, identity model, and normal administrative workflows are required to determine actual risk and detection fidelity.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Group (Enterprise)

G1053: Storm-0501

Storm-0501 is a financially motivated cyber criminal group that uses commodity and open-source tools to conduct ransomware operations. Storm-0501 has been active since 2021 and has previously been affiliated with Sabbath Ransomware and other Ransomware-as-a-Service (RaaS) variants such as Hive, BlackCat, Hunters International, LockBit 3.0, and Embargo ransomware.[1][2][3][4]

Tool (Enterprise)

S0677: AADInternals

AADInternals is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.[1][2]

Platforms: Windows, Office Suite, Identity Provider

Tool (Enterprise)

S0684: ROADTools

ROADTools is a framework for enumerating Azure Active Directory environments. The tool is written in Python and publicly available on GitHub.[1]

Platforms: Identity Provider

Tool (Enterprise)

S9009: TruffleHog

TruffleHog is an open-source secrets-discovery tool that is used to search for credentials, API keys, and encryption keys across a variety of data sources and environments.[1][2] TruffleHog has the ability to discover credentials and secrets stored in code repositories, git history, CI/CD pipelines, and other common storage locations, including filesystems and cloud storage buckets.[1][3][2] TruffleHog was first released by its author in 2016.[2]

Platforms: IaaS, Linux, SaaS

Tool (Enterprise)

S1091: Pacu

Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.[1]

Platforms: IaaS

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.4
Created:
Modified:
Raw hash: 02fa4f65751606ff...
Imported snapshots across ATT&CK releases (1)
Release: 19.1 | Bundle imported: | Object version: 1.4 | Modified: | Status: Current bundle | Raw hash: 02fa4f657516…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Azure - Resource Manager API: Microsoft. (2019, May 20). Azure Resource Manager. Retrieved June 17, 2020.
  2. [2] Azure AD Graph API: Microsoft. (2016, March 26). Operations overview | Graph API concepts. Retrieved June 18, 2020.
  3. [3] Azure - Stormspotter: Microsoft. (2020). Azure Stormspotter GitHub. Retrieved June 17, 2020.
  4. [4] GitHub Pacu: Rhino Security Labs. (2019, August 22). Pacu. Retrieved October 17, 2019.
  5. [5] mitre-attack T1526
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.