ATT&CK-CN V1.01 Last Update: 2019-11 [返回索引页]

译者: 林妙倩、戴亦仑 原创翻译作品,如果需要转载请取得翻译作者同意。

数据来源:ATT&CK Matrices


术语表: /attack/glossary


攻击者可能会在获取访问权限后尝试枚举系统上运行的云服务。这些方法可能会有所不同,具体取决于它是平台即服务(PaaS),基础架构即服务(IaaS)还是软件即服务(SaaS)。各种云提供商中都存在许多不同的服务,其中可能包括持续集成和持续交付(CI / CD),Lambda函数,Azure AD等。攻击者可能会尝试发现有关在整个环境中启用的服务的信息。


An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ depending on if it's platform-as-a-service (PaaS), infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many different services exist throughout the various cloud providers and can include continuous integration and continuous delivery (CI/CD), Lambda Functions, Azure AD, etc. Adversaries may attempt to discover information about the services enabled throughout the environment.

Pacu, an open source AWS exploitation framework, supports several methods for discovering cloud services.


ID编号: T1526

策略: 披露

平台: AWS,GCP,Azure,Azure AD,Office 365,SaaS

所需权限: user

数据源: Azure活动日志,Stackdriver日志,AWS CloudTrail日志



This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.




Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.

Normal, benign system and network events that look like cloud service discovery may be uncommon, depending on the environment and how they are used. Monitor cloud service usage for anomalous behavior that may indicate adversarial presence within the environment.