
Open-source discovery tools

In the Expanding Control phase, attackers leverage open-source discovery tools to systematically map and enumerate cloud services and resources within a compromised environment. Tools like Cartography, ScoutSuite, and CloudMapper provide attackers with sophisticated capabilities to visualize infrastructure relationships, assess permissions, and identify vulnerable assets across AWS, Azure, and GCP environments. These utilities can help adversaries build comprehensive network topology diagrams, locate misconfigured services, and discover unprotected storage buckets or exposed APIs that might contain sensitive data. Unlike more obvious scanning activities, these tools often operate using legitimate API calls with compromised credentials, making their usage difficult to distinguish from normal administrative operations. This enables attackers to gather critical intelligence about the cloud environment structure and identify potential escalation paths while maintaining a low detection profile, ultimately preparing for lateral movement or privilege escalation opportunities.
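Because these tools work through legitimate read-only API calls, one detection angle is breadth: a single principal listing and describing resources across many services in a short window. The sketch below is an added example, not code from any of the tools named above. It runs that check over CloudTrail-style records; the thresholds, account ID, and user names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed threshold; tune per environment
MIN_SERVICES = 5                # assumed threshold: distinct services per window
READ_PREFIXES = ("List", "Describe", "Get")

def make_event(t, arn, source, name, read_only=True):
    """Build a record carrying only the CloudTrail fields this check reads."""
    return {"eventTime": t, "userIdentity": {"arn": arn},
            "eventSource": source, "eventName": name, "readOnly": read_only}

# Constructed sample data (not real logs); account ID and user names are placeholders.
ACCT = "arn:aws:iam::111122223333:user/"
SERVICES = [("ec2", "DescribeInstances"), ("s3", "ListBuckets"), ("iam", "ListUsers"),
            ("rds", "DescribeDBInstances"), ("kms", "ListKeys")]
SAMPLE_EVENTS = (
    # five services in five minutes: the burst pattern of an inventory sweep
    [make_event(f"2024-01-01T10:0{i}:00Z", ACCT + "ci-deploy", s + ".amazonaws.com", n)
     for i, (s, n) in enumerate(SERVICES)]
    # the same five services spread over hours: stays below the threshold
    + [make_event(f"2024-01-01T{11 + i}:00:00Z", ACCT + "auditor", s + ".amazonaws.com", n)
       for i, (s, n) in enumerate(SERVICES)]
    # a write call is ignored by the read-only filter
    + [make_event("2024-01-01T09:05:00Z", ACCT + "ops-admin", "ec2.amazonaws.com",
                  "RunInstances", read_only=False)]
)

def is_read_only(ev):
    # Prefer CloudTrail's readOnly flag; fall back to the API verb prefix.
    if "readOnly" in ev:
        return bool(ev["readOnly"])
    return ev["eventName"].startswith(READ_PREFIXES)

def find_enumeration_bursts(events, window=WINDOW, min_services=MIN_SERVICES):
    """Map principal ARN -> services, for principals whose read-only calls
    reach min_services distinct services inside any sliding window."""
    calls_by_arn = defaultdict(list)
    for ev in filter(is_read_only, events):
        when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        calls_by_arn[ev["userIdentity"]["arn"]].append((when, ev["eventSource"]))
    flagged = {}
    for arn, calls in calls_by_arn.items():
        calls.sort()
        start = 0
        for end, (when, _) in enumerate(calls):
            while when - calls[start][0] > window:
                start += 1  # slide the window's left edge forward
            services = {src for _, src in calls[start:end + 1]}
            if len(services) >= min_services:
                flagged[arn] = sorted(services)
                break
    return flagged
```

A hit is a lead rather than a verdict: sanctioned audit tooling produces the same pattern, so the result is most useful when compared against the principals expected to run inventory jobs.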