T1619: Cloud Storage Object Discovery

Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to File and Directory Discovery on a local host, after identifying available storage services (i.e. Cloud Infrastructure Discovery) adversaries may access the contents/objects stored in cloud infrastructure.

Cloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS [1] and List Blobs in Azure[2] .

EnterpriseT1619TechniqueObject v1.0 Modified May 12, 2026, 15:12 UTC (UTC+00:00)

Cloud Storage Object Discovery matters because listing objects in cloud storage is often how an intruder determines what data exists before deciding what to access next. For leaders, the key issue is not only whether storage buckets or containers are private, but whether the organization can prove who can enumerate object names, when they did it, and whether that activity was expected.

Executive priority

Prioritize this as a cloud governance and incident-readiness concern for IaaS environments. Object enumeration can expose the shape of sensitive data holdings and guide follow-on access attempts, so leaders should ask whether storage permissions follow least privilege, whether account lifecycle controls are enforced, and whether cloud audit evidence is sufficient for investigations, compliance reviews, and rapid containment decisions.

Technical view

This technique is an IaaS discovery behavior involving cloud provider APIs that enumerate stored objects, such as AWS ListObjectsV2 and Azure List Blobs. ATT&CK does not provide official detection text for this object, but it does identify a related detection strategy, DET0578. SOC and detection teams should validate that object-listing API activity is logged, attributable to a user/service account, and correlated with prior cloud infrastructure discovery where available. Relationship context also shows use by Pacu, Peirates, and TruffleHog, so defenders should treat unexpected enumeration by automation, service accounts, or security tooling identities as context-sensitive events requiring local baselining rather than automatic malicious classification.

Likely telemetry

Cloud provider audit logs for storage object listing APIs, including AWS ListObjectsV2 and Azure List Blobs equivalents
Object storage access logs showing list/enumeration requests, source identity, source network context, and target storage resource
IAM or user account activity logs showing which user, role, service account, or token performed enumeration
Cloud control plane logs showing discovery of storage services before object listing
Security tool or automation logs for approved inventory, backup, scanning, or secrets-discovery workflows that may legitimately enumerate objects

Detection direction

Validate that list-object operations are captured and retained for IaaS storage services; absence of official ATT&CK detection text means local telemetry confirmation is essential.
Baseline normal enumeration by administrators, applications, backup jobs, inventory systems, and approved scanning tools to reduce false positives.
Prioritize alerts where object listing is performed by newly created, dormant, deactivated-then-reactivated, overprivileged, or unusual service accounts.
Correlate storage object enumeration with cloud infrastructure discovery, changes in account privileges, or subsequent object access requests.
Review the related DET0578 detection strategy if available in your ATT&CK content pipeline, but do not assume coverage from the relationship alone.

Mitigation priorities

Apply User Account Management controls from M1018: enforce least privilege, maintain account lifecycle hygiene, and remove or reduce unnecessary storage enumeration rights.
Review permissions for users, roles, and service accounts that can list cloud storage objects, especially broadly scoped or inherited permissions.
Separate expected automation identities from human accounts so enumeration can be attributed and baselined reliably.
Ensure account creation, modification, and deactivation processes include review of cloud storage permissions.
Use logging retention and access review evidence to support incident response, audit readiness, and cloud security governance.

Analyst notes and limits

This object is a discovery technique, not an impact or exfiltration technique. Enumeration of object names may be legitimate in administration, backup, indexing, inventory, or security scanning workflows. The related software entries indicate that public tools can use this behavior, but the supplied fields do not support claims about active exploitation or specific victim exposure.

Official MITRE detection guidance is not provided in the supplied object. The take is limited to the IaaS platform, the discovery tactic, the cited cloud storage listing APIs, the M1018 mitigation relationship, and the listed software/detection-strategy relationships. Local cloud provider configuration, logging coverage, IAM design, and business-approved automation are required to determine severity and detection fidelity.

Official MITRE ATT&CK definition

Cloud Storage Object Discovery

Cloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS [1] and List Blobs in Azure[2] .

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

S9009: TruffleHog

TruffleHog is an open-source secrets-discovery tool that is used to search for credentials, API keys, and encryption keys across a variety of data sources and environments.[1][2] TruffleHog has the ability to discover credentials and secrets stored in code repositories, git history, CI/CD pipelines, among other common storage locations to include filesystems and cloud storage buckets.[1][3][2] TruffleHog was first released by its author in 2016.[2]

IaaSLinuxSaaS

S1091: Pacu

Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.[1]

IaaS

S0683: Peirates

Peirates is a post-exploitation Kubernetes exploitation framework with a focus on gathering service account tokens for lateral movement and privilege escalation. The tool is written in GoLang and publicly available on GitHub.[1]

Containers

Relationship explorer

All related ATT&CK context

mitigates · Mitigation M1018: User Account Management Enterprise uses · Tool S9009: TruffleHog Enterprise detects · Detection Strategy DET0578: Detection Strategy for Cloud Storage Object Discovery Enterprise uses · Tool S1091: Pacu Enterprise uses · Tool S0683: Peirates Enterprise

Mitigations

Mitigation direction

M1018: User Account Management

User Account Management involves implementing and enforcing policies for the lifecycle of user accounts, including creation, modification, and deactivation. Proper account management reduces the attack surface by limiting unauthorized access, managing account privileges, and ensuring accounts are used according to organizational policies. This mitigation can be implemented through the following measures:

Enforcing the Principle of Least Privilege

- Implementation: Assign users only the minimum permissions required to perform their job functions. Regularly audit accounts to ensure no excess permissions are granted. - Use Case: Reduces the risk of privilege escalation by ensuring accounts cannot perform unauthorized actions.

Implementing Strong Password Policies

- Implementation: Enforce password complexity requirements (e.g., length, character types). Require password expiration every 90 days and disallow password reuse. - Use Case: Prevents adversaries from gaining unauthorized access through password guessing or brute force attacks.

Managing Dormant and Orphaned Accounts

- Implementation: Implement automated workflows to disable accounts after a set period of inactivity (e.g., 30 days). Remove orphaned accounts (e.g., accounts without an assigned owner) during regular account audits. - Use Case: Eliminates dormant accounts that could be exploited by attackers.

Account Lockout Policies

- Implementation: Configure account lockout thresholds (e.g., lock accounts after five failed login attempts). Set lockout durations to a minimum of 15 minutes. - Use Case: Mitigates automated attack techniques that rely on repeated login attempts.

Multi-Factor Authentication (MFA) for High-Risk Accounts

- Implementation: Require MFA for all administrative accounts and high-risk users. Use MFA mechanisms like hardware tokens, authenticator apps, or biometrics. - Use Case: Prevents unauthorized access, even if credentials are stolen.

Restricting Interactive Logins

- Implementation: Restrict interactive logins for privileged accounts to specific secure systems or management consoles. Use group policies to enforce logon restrictions. - Use Case: Protects sensitive accounts from misuse or exploitation.

*Tools for Implementation*

Built-in Tools:

- Microsoft Active Directory (AD): Centralized account management and RBAC enforcement. - Group Policy Object (GPO): Enforce password policies, logon restrictions, and account lockout policies.

Identity and Access Management (IAM) Tools:

- Okta: Centralized user provisioning, MFA, and SSO integration. - Microsoft Azure Active Directory: Provides advanced account lifecycle management, role-based access, and conditional access policies.

Privileged Account Management (PAM): - CyberArk, BeyondTrust, Thycotic: Manage and monitor privileged account usage, enforce session recording, and JIT access.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Oct 1, 2021, 17:58 UTC (UTC+00:00)
Modified: May 12, 2026, 15:12 UTC (UTC+00:00)
Raw hash: 2500a3b93f7ccfa3...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	May 12, 2026, 15:12 UTC (UTC+00:00)	Current bundle	`2500a3b93f7c…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
ListObjectsV2

Amazon - ListObjectsV2. Retrieved October 4, 2021.
Open source URL
[2]
List Blobs

Microsoft - List Blobs. (n.d.). Retrieved October 4, 2021.
Open source URL
[3]
mitre-attack T1619
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use