Potential Bucket Enumeration on AWS
Looks for potential enumeration of AWS buckets via ListBuckets.
Sigma rule (View on GitHub)
1title: Potential Bucket Enumeration on AWS
2id: f305fd62-beca-47da-ad95-7690a0620084
3related:
4 - id: 4723218f-2048-41f6-bcb0-417f2d784f61
5 type: similar
6status: test
7description: Looks for potential enumeration of AWS buckets via ListBuckets.
8references:
9 - https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md
10 - https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html
11 - https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/
12author: Christopher Peacock @securepeacock, SCYTHE @scythe_io
13date: 2023-01-06
14modified: 2024-07-10
15tags:
16 - attack.discovery
17 - attack.t1580
18logsource:
19 product: aws
20 service: cloudtrail
21detection:
22 selection:
23 eventSource: 's3.amazonaws.com'
24 eventName: 'ListBuckets'
25 filter:
26 userIdentity.type: 'AssumedRole'
27 condition: selection and not filter
28falsepositives:
29 - Administrators listing buckets, it may be necessary to filter out users who commonly conduct this activity.
30level: low
References
-
Hacking resources and cheat sheets. References, tools, scripts, tutorials, and other resources that help offensive and defensive security professionals. - Lifka/hacking-resources
Read More -
If you have RCE (remote code execution) on an AWS EC2 instance, you may in some cases be able perform pivot attacks which abuse a role a...
Read More -
We hackers love cheat sheets so here are mine for AWS IAM, EC2, S3 Buckets and Lambda Functions. In Part I we showed what approaches you can take for enumerating an AWS environment. This time, we&#…
Read More
Related rules
- Potential Backup Enumeration on AWS
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AD Groups Or Users Enumeration Using PowerShell - PoshModule
- AD Groups Or Users Enumeration Using PowerShell - ScriptBlock