T1580: Cloud Infrastructure Discovery
An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket API to determine a bucket’s existence along with access permissions of the request sender, or the GetPublicAccessBlock API to retrieve access block configuration for a bucket.[1][2][3][4] Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project [5], and Azure's CLI command az vm list lists details of virtual machines.[6] In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through Wordlist Scanning.[7]
An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.[8] The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.[9]An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances to determine size, owner, permissions, and network ACLs of database resources. [10] Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in Cloud Service Discovery, this technique focuses on the discovery of components of the provided services rather than the services themselves.
Analyst context for executives and security teams
Cloud Infrastructure Discovery is the cloud equivalent of an intruder asking, “What do I have access to, and what is worth touching next?” In an IaaS environment, discovery of virtual machines, snapshots, storage buckets, databases, permissions, and access-block settings can turn a single compromised cloud credential into informed movement through the environment. For leaders, the issue is not just enumeration; it is whether the organization can prove who queried cloud resources, from where, and whether that activity fits the user’s role.
Executive priority
Prioritize this behavior as an identity and cloud visibility control question. If compromised access keys can enumerate compute, storage, and database resources without timely detection, responders may not know the attacker’s scope, which assets were exposed to follow-on action, or whether configuration changes such as public bucket access are possible. This technique supports risk decisions around least privilege, account lifecycle management, cloud audit logging, SOC monitoring, and incident scoping.
Technical view
ATT&CK places T1580 in the Discovery tactic for IaaS. The official description highlights provider APIs and CLIs such as AWS DescribeInstances, ListBuckets, HeadBucket, GetPublicAccessBlock, DescribeDBInstances, GCP gcloud compute instances list, and Azure az vm list. MITRE does not provide a detection section, so teams should validate coverage against cloud control-plane activity and identity context rather than relying on endpoint-only telemetry. Relationship context includes DET0169 as a detection strategy and M1018 User Account Management as mitigation, with observed use relationships to groups Scattered Spider and Storm-0501 and software Pacu and TruffleHog.
Likely telemetry
- Cloud control-plane audit logs for API calls and CLI-driven requests in IaaS environments
- Identity and access records showing authenticated user, role, access key, session, source location, and time
- Compute inventory query events for instances, virtual machines, snapshots, and related metadata
- Storage enumeration and permission-check events such as bucket listing, bucket existence checks, and public access block retrieval
- Database infrastructure query events such as database instance description requests
Detection direction
- Baseline normal resource-enumeration behavior for administrators, automation, inventory tools, and security tooling before alerting on volume alone.
- Look for unusual combinations of discovery across compute, storage, and database services by the same identity or access key, especially when the identity does not normally perform infrastructure inventory.
- Correlate enumeration with identity risk signals such as newly used access keys, unusual source locations, recent credential exposure indicators, or privilege changes where local telemetry supports it.
- Tune false positives for legitimate cloud management, backup, asset inventory, and compliance-scanning processes.
- Use relationship context to validate whether DET0169-aligned logic exists, but do not assume coverage unless the required cloud audit logs are enabled and retained.
Mitigation priorities
- Start with M1018 User Account Management: enforce least privilege so users and access keys can only enumerate resources required for their role.
- Review account creation, modification, deactivation, and privilege lifecycle processes for cloud identities and access keys.
- Limit broad read/list/describe permissions where business workflows do not require them.
- Ensure cloud audit logging is enabled, retained, and accessible to SOC and incident response teams for IaaS control-plane activity.
- Maintain an authoritative cloud asset inventory so suspicious discovery can be compared against expected administrative behavior.
Analyst notes and limits
This object is most useful as a validation prompt for cloud IAM, logging, and SOC detection engineering. The supplied ATT&CK content distinguishes this from Cloud Service Discovery: T1580 is about discovering components inside services, such as instances, buckets, snapshots, and databases, rather than merely identifying which cloud services exist. The relationship to User Account Management makes privilege reduction and account lifecycle discipline a primary control path.
MITRE provides no official detection text for this technique in the supplied object, so detection guidance must be validated against local cloud provider logs, IAM design, and normal administrative workflows. The supplied relationships indicate that certain groups and tools use the technique, but they do not prove current activity against any specific organization or environment.
Cloud Infrastructure Discovery
An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets API that returns a list of all buckets owned by the authenticated sender of the request, the HeadBucket API to determine a bucket’s existence along with access permissions of the request sender, or the GetPublicAccessBlock API to retrieve access block configuration for a bucket.[1][2][3][4] Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project [5], and Azure's CLI command az vm list lists details of virtual machines.[6] In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through Wordlist Scanning.[7]
An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.[8] The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.[9]An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances to determine size, owner, permissions, and network ACLs of database resources. [10] Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in Cloud Service Discovery, this technique focuses on the discovery of components of the provided services rather than the services themselves.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Groups, software, and campaigns
G1015: Scattered Spider
Scattered Spider is a native English-speaking cybercriminal group active since at least 2022. [1] [2] The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors. [2] Scattered Spider relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and used ransomware for financial gain. [3] [4] [5] Scattered Spider had expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365. [6]
G1053: Storm-0501
Storm-0501 is a financially motivated cyber criminal group that uses commodity and open-source tools to conduct ransomware operations. Storm-0501 has been active since 2021 and has previously been affiliated with Sabbath Ransomware and other Ransomware-as-a-Service (RaaS) variants such as Hive, BlackCat, Hunters International, LockBit 3.0, and Embargo ransomware.[1][2][3][4]
S9009: TruffleHog
TruffleHog is an open-source secrets-discovery tool that is used to search for credentials, API keys, and encryption keys across a variety of data sources and environments.[1][2] TruffleHog has the ability to discover credentials and secrets stored in code repositories, git history, CI/CD pipelines, among other common storage locations to include filesystems and cloud storage buckets.[1][3][2] TruffleHog was first released by its author in 2016.[2]
S1091: Pacu
Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.[1]
All related ATT&CK context
Mitigation direction
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.3 | Current bundle | aa33a4c9e71f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
Amazon Describe Instance
Amazon. (n.d.). describe-instance-information. Retrieved March 3, 2020.
Open source URL -
[2]
Amazon Describe Instances API
Amazon. (n.d.). DescribeInstances. Retrieved May 26, 2020.
Open source URL -
[3]
AWS Get Public Access Block
Amazon Web Services. (n.d.). Retrieved May 28, 2021.
Open source URL -
[4]
AWS Head Bucket
Amazon Web Services. (n.d.). AWS HeadBucket. Retrieved February 14, 2022.
Open source URL -
[5]
Google Compute Instances
Google. (n.d.). gcloud compute instances list. Retrieved May 26, 2020.
Open source URL -
[6]
Microsoft AZ CLI
Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.
Open source URL -
[7]
Malwarebytes OSINT Leaky Buckets - Hioureas
Vasilios Hioureas. (2019, September 13). Hacking with AWS: incorporating leaky buckets into your OSINT workflow. Retrieved February 14, 2022.
Open source URL -
[8]
Expel IO Evil in AWS
A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020.
Open source URL -
[9]
Mandiant M-Trends 2020
Mandiant. (2020, February). M-Trends 2020. Retrieved November 17, 2024.
Open source URL -
[10]
AWS Describe DB Instances
Amazon Web Services. (n.d.). Retrieved May 28, 2021.
Open source URL -
[11]
mitre-attack T1580Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.