security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
889efd1663f0781e110f32e8e81e88a311e6c500
blue-team-tools/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml
T
Nasreddine Bencherchali 7364ce00b1 Merge PR #4476 from @nasbench - re-organize cloud folder and other things 
fix: Azure Active Directory Hybrid Health AD FS New Server - Update Logsource to align with the rest of the azure rules
fix: Azure Active Directory Hybrid Health AD FS Service Delete - Update Logsource to align with the rest of the azure rules
fix: Number Of Resource Creation Or Deployment Activities - Update Logsource to align with the rest of the azure rules
fix: Granting Of Permissions To An Account - Update Logsource to align with the rest of the azure rules
fix: Rare Subscription-level Operations In Azure - Update Logsource to align with the rest of the azure rules
fix: Google Workspace Application Removed - Update logsource product field to `gcp`
fix: Google Workspace Granted Domain API Access - Update logsource product field to `gcp`
fix: Google Workspace MFA Disabled - Update logsource product field to `gcp`
fix: Google Workspace Role Modified or Deleted - Update logsource product field to `gcp`
fix: Google Workspace Role Privilege Deleted - Update logsource product field to `gcp`
fix: Google Workspace User Granted Admin Privileges - Update logsource product field to `gcp`
2023-10-12 13:32:24 +02:00

31 lines
1.1 KiB
YAML
Raw Blame History

title: Potential Bucket Enumeration on AWS
id: f305fd62-beca-47da-ad95-7690a0620084
related:
- id: 4723218f-2048-41f6-bcb0-417f2d784f61
type: similar
status: experimental
description: Looks for potential enumeration of AWS buckets via ListBuckets.
references:
- https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md
- https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html
- https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/
author: Christopher Peacock @securepeacock, SCYTHE @scythe_io
date: 2023/01/06
modified: 2023/04/28
tags:
- attack.discovery
- attack.t1580
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 's3.amazonaws.com'
eventName: 'ListBuckets'
filter:
type: 'AssumedRole'
condition: selection and not filter
falsepositives:
- Administrators listing buckets, it may be necessary to filter out users who commonly conduct this activity.
level: low
Reference in New Issue View Git Blame Copy Permalink