Info
ID: AT-EC001.001
Tactic: Expanding Control
Sub-techniques of: Cloud Service Discovery
Platforms: IaaS, K8s
API-based Resource Listing
API-based Resource Listing is a critical sub-technique within the Expanding Control phase, specifically under Cloud Service Discovery, where attackers leverage cloud service provider APIs to enumerate available resources, services, and configurations across a target environment. After gaining initial access to cloud infrastructure, adversaries utilize authenticated API calls through command-line interfaces (CLIs), software development kits (SDKs), or direct REST API requests to methodically discover assets across multiple cloud services. This discovery process typically involves querying management APIs with compromised credentials to identify resources such as virtual machines, storage accounts, databases, serverless functions, and network configurations that could be exploited for privilege escalation or lateral movement. The technique's power lies in its ability to operate within legitimate protocols and authenticated channels, making it difficult to distinguish from normal administrative activities without sophisticated behavioral analysis and properly implemented least-privilege access controls.
Procedure Examples
ID | Name | Description |
---|---|---|
AC-0001 | ByBit $1.5B Crypto Heist | Using the stolen AWS keys, the attackers enumerated IAM roles and S3 buckets via standard AWS API calls. |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1026 | Privileged Account Management | Grant principals only the minimal List*/Describe* permissions they need, enforce just-in-time elevation for cloud-CLI sessions, and rotate access keys rapidly so a stolen token cannot be abused to inventory the estate. |
M1036 | Account Use Policies | Apply service-control/permission boundaries, conditional access (IP, region, time-of-day), and session-length limits so that resource-listing APIs can execute only from approved contexts and for short windows. |
M1047 | Audit | Enable comprehensive cloud audit logs and continuously review for abnormal bursts of cross-service List calls—alerting when unused keys, new regions, or dormant accounts enumerate many resources. |
M1040 | Behavior Prevention | Deploy a Cloud Application Detection & Response (CADR) product that baselines per-application API behavior and automatically quarantines tokens or workloads generating high-volume or atypical enumeration sequences. |
Detection
ID | Data Source | Detection |
---|---|---|
DS0025 | Cloud Service – Enumeration & Metadata | Identify bursts of Describe*, List*, Get* API calls that enumerate multiple resource classes from a principal that historically touches only a narrow service set. |
DS0002 | User Account Authentication | Alert when a newly created access key, or a previously unused one, performs high-volume read-only calls across regions. |
DS0029 | Network Traffic Flow | Detect traffic from on-prem IP ranges to cloud control-plane endpoints in regions never before accessed by the tenant. |
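The DS0025 logic above, as an added example that is not part of this page: it groups Describe*/List*/Get* calls per principal into fixed time windows and alerts only when the services enumerated fall outside that principal's historical service set. The CloudTrail-style records, the baseline sets, the account id and the thresholds are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed CloudTrail-style records (eventTime, userIdentity.arn, eventSource, eventName);
# not real logs. The account id and principal names are placeholders.
ARN = "arn:aws:iam::111122223333:user/"
SAMPLE_EVENTS = [
    ("2024-05-01T09:45:00Z", ARN + "cloud-admin", "ec2.amazonaws.com", "DescribeInstances"),
    ("2024-05-01T09:46:00Z", ARN + "cloud-admin", "iam.amazonaws.com", "ListRoles"),
    ("2024-05-01T09:47:00Z", ARN + "cloud-admin", "lambda.amazonaws.com", "ListFunctions"),
    ("2024-05-01T09:48:00Z", ARN + "cloud-admin", "rds.amazonaws.com", "DescribeDBInstances"),
    ("2024-05-01T10:00:00Z", ARN + "app-uploader", "s3.amazonaws.com", "PutObject"),
    ("2024-05-01T10:00:10Z", ARN + "app-uploader", "iam.amazonaws.com", "ListRoles"),
    ("2024-05-01T10:00:30Z", ARN + "app-uploader", "s3.amazonaws.com", "ListBuckets"),
    ("2024-05-01T10:00:50Z", ARN + "app-uploader", "ec2.amazonaws.com", "DescribeInstances"),
    ("2024-05-01T10:01:10Z", ARN + "app-uploader", "lambda.amazonaws.com", "ListFunctions"),
    ("2024-05-01T10:01:30Z", ARN + "app-uploader", "rds.amazonaws.com", "DescribeDBInstances"),
]
# Services each principal touched during the historical baseline period. In production this
# comes from weeks of audit logs; here it is constructed so the admin's routine sweep stays quiet.
BASELINE = {ARN + "cloud-admin": {"ec2", "iam", "lambda", "rds"}, ARN + "app-uploader": {"s3"}}
ENUM_PREFIXES = ("Describe", "List", "Get")


def detect_enumeration_bursts(events, baseline, window=timedelta(minutes=5),
                              min_calls=4, min_new_services=2):
    """Return one alert per (principal, window) in which Describe*/List*/Get* calls number at
    least min_calls and cover at least min_new_services services absent from the baseline."""
    windows, current, alerts = [], {}, []  # windows: [principal, start, call_count, services]
    for ts, principal, source, name in sorted(events):
        if not name.startswith(ENUM_PREFIXES):
            continue  # writes and other non-enumeration calls are ignored
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        idx = current.get(principal)
        if idx is None or t - windows[idx][1] > window:
            windows.append([principal, t, 0, set()])  # open a fresh fixed window
            idx = current[principal] = len(windows) - 1
        windows[idx][2] += 1
        windows[idx][3].add(source.split(".")[0])  # 'iam.amazonaws.com' -> 'iam'
    for principal, start, calls, services in windows:
        new = services - baseline.get(principal, set())
        if calls >= min_calls and len(new) >= min_new_services:
            alerts.append({"principal": principal, "window_start": start.isoformat(),
                           "calls": calls, "new_services": sorted(new)})
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration_bursts(SAMPLE_EVENTS, BASELINE):
        print(alert)
```

The admin's four-service sweep is suppressed because every service is in its baseline, while the uploader's five calls across four unfamiliar services raise a single alert.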