Cloud service discovery is a key reconnaissance technique in which an attacker enumerates compute instances, storage services, security components and other resources through a cloud platform's API, providing the intelligence that supports later lateral movement, privilege escalation and data theft. Defenders typically counter it by monitoring anomalous API call patterns (such as high-frequency List operations), analysing irregular permission use (a read-only account performing write operations), and detecting requests from unusual geographic origins. Cloud-native security tools (such as AWS GuardDuty and Azure Security Center) can build API behaviour baselines with machine learning and identify reconnaissance that deviates from the normal pattern.
As cloud security defences mature, attackers have developed covert reconnaissance techniques closely tied to the characteristics of cloud environments. Through identity impersonation, blending into existing traffic and cross-cloud coordination, they break malicious probing down into micro-operations that match the platform's normal interaction patterns, remaining "invisible" within the huge volume of legitimate API traffic while preserving the effectiveness of the reconnaissance.
The core of current covert cloud service discovery techniques lies in legitimising the activity along several dimensions and exploiting system characteristics. First, attackers cross the traditional identity boundary: by stealing or fabricating legitimate credentials they give the reconnaissance a veneer of compliance. Second, they exploit the inherently distributed nature of cloud environments, breaking a centralised probing task into discrete requests spread across tenants, regions and platforms so as to evade detection that analyses behaviour at a single point. Finally, they closely imitate the interaction patterns of cloud-native applications, matching normal business traffic in protocol fields, call frequency and data volume. Concretely: low-frequency querying under a legitimate identity achieves sustained "low-amplitude" reconnaissance through precise pacing; multi-tenant API traffic obfuscation exploits in-cloud network encryption and traffic aggregation for protocol-level concealment; and cross-cloud distributed probing breaks the defender's global view by dispersing the attack chain across the whole ecosystem. What these techniques share is embedding the attack deeply within the cloud service architecture and using the platform's own characteristics as natural cover.
The evolution of these covert techniques forces defenders to move from monitoring a single cloud environment to sharing threat intelligence across clouds, to build cross-platform behavioural correlation, and to develop detection models based on semantic understanding of API calls. Cloud service providers, for their part, need to strengthen credential lifecycle management, enforce fine-grained API access policies, and reduce the potential impact of lateral reconnaissance through a zero-trust architecture.
| Effect type | Present |
|---|---|
| Signature disguise | ✅ |
| Behavioural transparency | ❌ |
| Data obscuring | ✅ |
| Spatiotemporal trace dispersal | ✅ |
By precisely replicating the protocol characteristics and interaction patterns of legitimate API requests, attackers disguise cloud service discovery as routine operations work, for example by using the same User-Agent header as a cloud management tool, or by mimicking the resource-query cadence of a CI/CD pipeline. This deep protocol mimicry makes the malicious requests indistinguishable from legitimate operations at the traffic-feature level and evades detection systems based on rule matching.
Because the cloud platform's built-in TLS encryption carries every API request and response as ciphertext, defenders cannot directly read the specific operation parameters. Attackers go further, using fragmented requests and field obfuscation to hide the key reconnaissance instructions among routine management operations, so that even decrypting a single exchange makes the attack intent hard to identify.
Through a distributed probing architecture spanning cloud platforms and regions, reconnaissance is spread across multiple administrative domains and time periods. A low-frequency request strategy, combined with each provider's API rate-limit characteristics, keeps the activity rate at any single point below the detection threshold. The attack signature is diluted within the cloud ecosystem's global traffic, and traditional detection methods based on time-window statistics or geographic clustering fail.
| ID | Name | Description |
|---|---|---|
| S0677 | AADInternals | AADInternals can enumerate information about a variety of cloud services, such as Office 365 and Sharepoint instances or OpenID Configurations.[1] |
| S1091 | Pacu | Pacu can enumerate AWS services, such as CloudTrail and CloudWatch.[2] |
| S0684 | ROADTools | ROADTools can enumerate Azure AD applications and service principals.[3] |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0025 | Cloud Service | Cloud Service Enumeration | Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained. Normal, benign system and network events that look like cloud service discovery may be uncommon, depending on the environment and how they are used. Monitor cloud service usage for anomalous behavior that may indicate adversarial presence within the environment. |
| DS0028 | Logon Session | Logon Session Creation | Monitor for newly constructed logon behavior that may attempt to enumerate the cloud services running on a system after gaining access. Look for suspicious applications and accounts authenticating to the Windows Azure Service Management API using User Agent values attributed to scripting utilities such as python or PowerShell. Analytic 1 - Applications or accounts with unusual User Agents, anomalous IP addresses, unexpected locations, and usernames |
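Analytic 1 in the table above, and the User-Agent mimicry described earlier on the page, come together in a per-account baseline: a scripting User-Agent against the Windows Azure Service Management API is informational on its own (some automation accounts always use one) but becomes a finding when it coincides with a source network, country or agent family that account has never used. The following is an added example, not code from the original page or from Microsoft: the records are constructed and modelled on the Microsoft Graph sign-in log field names (userPrincipalName, userAgent, ipAddress, location.countryOrRegion, resourceDisplayName); the agent patterns, the /24 network granularity and the severity rules are the example's own choices.

```python
import ipaddress
import json
import re
from collections import defaultdict

# Resource the analytic targets, as it appears in sign-in logs.
TARGET_RESOURCE = "Windows Azure Service Management API"
# User-Agent values attributed to scripting utilities rather than the portal (extend as needed).
SCRIPT_UA = re.compile(r"python-requests|python-urllib|PowerShell", re.I)


def ua_family(ua):
    """Product token before the first '/', e.g. 'python-requests/2.31.0' -> 'python-requests'."""
    return ua.split("/", 1)[0].strip()


def net24(ip):
    """Collapse a source address to its /24 so DHCP churn inside an office range is not 'new'."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def build_baseline(history):
    """Per account: countries, /24 source networks and agent families seen in history."""
    base = defaultdict(lambda: {"countries": set(), "nets": set(), "agents": set()})
    for r in history:
        b = base[r["userPrincipalName"]]
        b["countries"].add(r["location"]["countryOrRegion"])
        b["nets"].add(net24(r["ipAddress"]))
        b["agents"].add(ua_family(r["userAgent"]))
    return base


def score_signin(rec, baseline):
    """Return (severity, reasons) for one sign-in, or None when nothing deviates."""
    if rec["resourceDisplayName"] != TARGET_RESOURCE:
        return None
    scripted = bool(SCRIPT_UA.search(rec["userAgent"]))
    reasons = ["scripting user agent"] if scripted else []
    b = baseline.get(rec["userPrincipalName"])
    if b is None:
        reasons.append("no baseline for account")
    else:
        if rec["location"]["countryOrRegion"] not in b["countries"]:
            reasons.append("unexpected location")
        if net24(rec["ipAddress"]) not in b["nets"]:
            reasons.append("anomalous source network")
        if ua_family(rec["userAgent"]) not in b["agents"]:
            reasons.append("new user agent family")
    deviations = [x for x in reasons if x != "scripting user agent"]
    if not deviations:
        return None  # a scripting agent the account has always used is not, by itself, a finding
    return ("high" if scripted else "medium", reasons)


def review(history_lines, new_lines):
    """Build the baseline from history_lines, then score each new sign-in."""
    baseline = build_baseline([json.loads(ln) for ln in history_lines])
    findings = []
    for ln in new_lines:
        rec = json.loads(ln)
        verdict = score_signin(rec, baseline)
        if verdict:
            findings.append((rec["userPrincipalName"], rec["ipAddress"]) + verdict)
    return findings


# ---- constructed sample data (accounts, addresses and countries are made up) ----
def _signin(upn, ua, ip, country, resource=TARGET_RESOURCE):
    return json.dumps({"userPrincipalName": upn, "userAgent": ua, "ipAddress": ip,
                       "location": {"countryOrRegion": country}, "resourceDisplayName": resource})

PORTAL_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
HISTORY = [_signin("alice@example.com", PORTAL_UA, "203.0.113.15", "NL"),
           _signin("alice@example.com", PORTAL_UA, "203.0.113.22", "NL"),
           _signin("bob@example.com", "PowerShell/7.4.1", "198.51.100.40", "US")]
NEW = [_signin("alice@example.com", PORTAL_UA, "203.0.113.31", "NL"),            # routine portal use
       _signin("alice@example.com", "python-requests/2.31.0", "192.0.2.77", "BR"),  # everything new
       _signin("bob@example.com", "PowerShell/7.4.1", "198.51.100.41", "US"),   # bob's usual automation
       _signin("carol@example.com", "python-urllib/3.11", "192.0.2.9", "DE"),   # never seen before
       _signin("alice@example.com", "python-requests/2.31.0", "203.0.113.15", "NL", "Microsoft Graph")]

if __name__ == "__main__":
    for finding in review(HISTORY, NEW):
        print(finding)
```

Bob's PowerShell sign-in is deliberately not a finding: the agent family, network and country all match his history, which is the point of baselining rather than alerting on every scripting agent. The last record is ignored because it is not against the targeted resource; widening TARGET_RESOURCE to a set is the natural next step.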