2023-01-06 17:36:08 -05:00
|
|
|
title: Potential Bucket Enumeration on AWS
|
|
|
|
|
id: f305fd62-beca-47da-ad95-7690a0620084
|
2023-01-07 13:13:48 +01:00
|
|
|
related:
|
|
|
|
|
- id: 4723218f-2048-41f6-bcb0-417f2d784f61
|
|
|
|
|
type: similar
|
2024-03-01 15:38:35 +01:00
|
|
|
status: test
|
2023-01-06 17:36:08 -05:00
|
|
|
description: Looks for potential enumeration of AWS buckets via ListBuckets.
|
|
|
|
|
references:
|
2023-01-07 13:13:48 +01:00
|
|
|
- https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md
|
2023-01-06 17:36:08 -05:00
|
|
|
- https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html
|
|
|
|
|
- https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/
|
2023-04-28 11:12:30 +02:00
|
|
|
author: Christopher Peacock @securepeacock, SCYTHE @scythe_io
|
2024-08-12 12:02:50 +02:00
|
|
|
date: 2023-01-06
|
|
|
|
|
modified: 2024-07-10
|
2023-01-06 17:36:08 -05:00
|
|
|
tags:
|
|
|
|
|
- attack.discovery
|
|
|
|
|
- attack.t1580
|
|
|
|
|
logsource:
|
|
|
|
|
product: aws
|
|
|
|
|
service: cloudtrail
|
|
|
|
|
detection:
|
|
|
|
|
selection:
|
2023-04-27 22:53:34 -07:00
|
|
|
eventSource: 's3.amazonaws.com'
|
2023-01-06 17:36:08 -05:00
|
|
|
eventName: 'ListBuckets'
|
|
|
|
|
filter:
|
2024-07-10 18:19:55 -04:00
|
|
|
userIdentity.type: 'AssumedRole'
|
2023-01-06 17:36:08 -05:00
|
|
|
condition: selection and not filter
|
|
|
|
|
falsepositives:
|
|
|
|
|
- Administrators listing buckets, it may be necessary to filter out users who commonly conduct this activity.
|
|
|
|
|
level: low
|
