TTPwire Vol. 1 · MITRE ATT&CK · Tagged

Datadog Security Labs

Enumerating AWS the quiet way: CloudTrail-free discovery with Resource Explorer

2025-08-19

ATT&CK techniques detected

15 predictions
T1525 Implant Internal Image
90%
“to be management events ( for example, listviews, listindexes, getindex, and search ) and thus were logged by default, listresources was considered a data event. for this reason, it was the ideal avenue for threat actors to quietly enumerate resources in an account. after we shar…”
T1525 Implant Internal Image
85%
“- explorer - 2 : listresources api call was classified as a data event, requiring explicit customer configuration to log to cloudtrail. without this configuration, any activity involving this api call would go unnoticed in an aws environment. when invoked with no additional param…”
T1525 Implant Internal Image
81%
“an aws environment, threat actors typically enumerate what resources are contained in the account and what resources they can access. this process is noisy, with multiple listx and describey api calls generating suspicious cloudtrail events and alerts. if the threat actor was not…”
T1525 Implant Internal Image
80%
“help identify a threat actor who is attempting to use resource explorer for enumeration purposes. if your organization uses resource explorer, you can reduce false positives from alerting on the resource - explorer - 2 : createindex api call by filtering for calls that use long -…”
T1525 Implant Internal Image
78%
“- 10 - 17 ", " statement " : [ { " sid " : " statement1 ", " effect " : " deny ", " action " : [ " resource - explorer - 2 : * " ], " resource " : [ " * " ] } ] } it is worth noting that employing this scp will prevent you from using resource explorer in accounts that are associa…”
T1525 Implant Internal Image
74%
“enumerating aws the quiet way : cloudtrail - free discovery with resource explorer as security researchers, we strive to ideate, identify, and document new methods of attacking cloud services and resources. we build detections for these techniques into our products to proactively…”
T1525 Implant Internal Image
72%
“##s ’ s commitment to enhancing the security of its platform and better enabling security teams to identify suspicious activities in their environments. timeline - april 24, 2025 : datadog security research contacts aws with a concern that resource - explorer - 2 : listresources …”
T1525 Implant Internal Image
53%
“actors leveraging resource explorer for resource enumeration purposes. long - lived access keys tend to carry a higher risk of being associated with a compromise. - aws listresources executed by new principal identity - aws listresources by long term access key - aws createindex …”
T1525 Implant Internal Image
52%
“new ways to attack cloud environments. this research highlights how adversaries can use alternative means of enumerating resources in an aws environment without that activity being directly associated with the identities they compromise. aws ’ s proactive response in reclassifyin…”
T1525 Implant Internal Image
49%
“", " resourcetype " : " iam : role ", " service " : " iam " }, { " arn " : " arn : aws : iam : : 111111111111 : user / iam - user - cred - box ", " lastreportedat " : " 2025 - 04 - 20t04 : 49 : 17 + 00 : 00 ", " owningaccountid " : " 111111111111 ", " properties " : [ ], " region…”
T1526 Cloud Service Discovery
42%
“##esis streams, or amazon dynamodb tables, using an internet search engine - like experience. ” resource explorer works by using a service - linked role named awsserviceroleforresourceexplorer that regularly enumerates aws resources in the account and adds them to an index. this …”
T1526 Cloud Service Discovery
33%
“##s ’ s commitment to enhancing the security of its platform and better enabling security teams to identify suspicious activities in their environments. timeline - april 24, 2025 : datadog security research contacts aws with a concern that resource - explorer - 2 : listresources …”
T1580 Cloud Infrastructure Discovery
31%
“##esis streams, or amazon dynamodb tables, using an internet search engine - like experience. ” resource explorer works by using a service - linked role named awsserviceroleforresourceexplorer that regularly enumerates aws resources in the account and adds them to an index. this …”
T1552.005 Cloud Instance Metadata API
31%
“an aws environment, threat actors typically enumerate what resources are contained in the account and what resources they can access. this process is noisy, with multiple listx and describey api calls generating suspicious cloudtrail events and alerts. if the threat actor was not…”
T1526 Cloud Service Discovery
30%
“enumerating aws the quiet way : cloudtrail - free discovery with resource explorer as security researchers, we strive to ideate, identify, and document new methods of attacking cloud services and resources. we build detections for these techniques into our products to proactively…”

Summary

Discover how attackers could quietly enumerate AWS resources via Resource Explorer, and how Datadog and AWS worked together to close the visibility gap.