Potential Bucket Enumeration on AWS

Looks for potential enumeration of AWS buckets via ListBuckets.

Sigma rule

```yaml
title: Potential Bucket Enumeration on AWS
id: f305fd62-beca-47da-ad95-7690a0620084
related:
    - id: 4723218f-2048-41f6-bcb0-417f2d784f61
      type: similar
status: test
description: Looks for potential enumeration of AWS buckets via ListBuckets.
references:
    - https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md
    - https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html
    - https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/
author: Christopher Peacock @securepeacock, SCYTHE @scythe_io
date: 2023-01-06
modified: 2024-07-10
tags:
    - attack.discovery
    - attack.t1580
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 's3.amazonaws.com'
        eventName: 'ListBuckets'
    filter:
        userIdentity.type: 'AssumedRole'
    condition: selection and not filter
falsepositives:
    - Administrators listing buckets, it may be necessary to filter out users who commonly conduct this activity.
level: low
```
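The rule's condition `selection and not filter` evaluated over a handful of CloudTrail records, as an added example that is not part of the SigmaHQ rule or its references. The records in `SAMPLE_CLOUDTRAIL_RECORDS` are constructed for illustration (field names follow the CloudTrail record format: `eventSource`, `eventName`, `userIdentity.type`, `userIdentity.arn`); the `allowlisted_users` parameter is a local tuning assumption standing in for the rule's falsepositives note, not something the rule itself defines.

```python
import json
from typing import Any, Dict, Iterable, List

# Constructed sample records, not real telemetry (added example, not SigmaHQ code).
# Only the fields the rule reads, plus a few that help triage, are populated.
SAMPLE_CLOUDTRAIL_RECORDS: List[Dict[str, Any]] = [
    {  # 1. IAM user lists buckets: selection matches, filter does not -> alert
        "eventTime": "2024-07-10T12:00:01Z", "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "contractor-dev",
                         "arn": "arn:aws:iam::123456789012:user/contractor-dev"}},
    {  # 2. Assumed role lists buckets: dropped by the rule's `filter`
        "eventTime": "2024-07-10T12:00:02Z", "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.11",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/ci"}},
    {  # 3. IAM user reads an object: not ListBuckets, no alert
        "eventTime": "2024-07-10T12:00:03Z", "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "contractor-dev",
                         "arn": "arn:aws:iam::123456789012:user/contractor-dev"}},
    {  # 4. Root credentials list buckets: alert (Root records carry no userName)
        "eventTime": "2024-07-10T12:00:04Z", "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
]

# CloudTrail delivers log files as {"Records": [...]}; the samples in that shape.
SAMPLE_CLOUDTRAIL_FILE = json.dumps({"Records": SAMPLE_CLOUDTRAIL_RECORDS})

# The rule's `selection` and `filter` maps, field -> expected value.
SELECTION = {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets"}
FILTER = {"userIdentity.type": "AssumedRole"}


def get_field(record: Dict[str, Any], dotted: str) -> Any:
    """Resolve a Sigma dotted field name ('userIdentity.type') inside a nested record."""
    current: Any = record
    for part in dotted.split("."):
        if not isinstance(current, dict):
            return None
        current = current.get(part)
    return current


def field_equals(record: Dict[str, Any], field: str, expected: str) -> bool:
    """Sigma compares plain string values case-insensitively."""
    value = get_field(record, field)
    return isinstance(value, str) and value.lower() == expected.lower()


def all_fields_match(record: Dict[str, Any], criteria: Dict[str, str]) -> bool:
    """A Sigma map such as `selection` or `filter` is an AND over its field/value pairs."""
    return all(field_equals(record, f, v) for f, v in criteria.items())


def rule_matches(record: Dict[str, Any], allowlisted_users: Iterable[str] = ()) -> bool:
    """condition: selection and not filter.

    `allowlisted_users` is a local tuning assumption (not part of the rule) that
    implements the falsepositives note: skip users known to list buckets routinely.
    """
    if not all_fields_match(record, SELECTION) or all_fields_match(record, FILTER):
        return False
    return get_field(record, "userIdentity.userName") not in set(allowlisted_users)


def detect(records: Iterable[Dict[str, Any]],
           allowlisted_users: Iterable[str] = ()) -> List[Dict[str, Any]]:
    """Return one compact alert per matching record."""
    allowlist = set(allowlisted_users)
    return [{"eventTime": rec.get("eventTime"),
             "identityType": get_field(rec, "userIdentity.type"),
             "principal": get_field(rec, "userIdentity.arn"),
             "sourceIPAddress": rec.get("sourceIPAddress"),
             "level": "low"}
            for rec in records if rule_matches(rec, allowlist)]


def load_cloudtrail_records(text: str) -> List[Dict[str, Any]]:
    """Accept a CloudTrail log file ({"Records": [...]}) or newline-delimited JSON records."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return [json.loads(line) for line in text.splitlines() if line.strip()]
    if isinstance(doc, dict) and "Records" in doc:
        return doc["Records"]
    return doc if isinstance(doc, list) else [doc]


if __name__ == "__main__":
    for alert in detect(load_cloudtrail_records(SAMPLE_CLOUDTRAIL_FILE)):
        print(json.dumps(alert))
```

Running it alerts on records 1 and 4 only. Note what the `filter` costs: every `AssumedRole` identity is excluded, so a ListBuckets call issued through an assumed role (including a role reached with stolen credentials or via STS) never fires this rule; that is a deliberate trade-off against the volume of role-driven automation in most accounts, and the low level reflects it. The allowlist is where you would put the administrators the falsepositives note mentions, after confirming from the `principal` and `sourceIPAddress` fields that their activity is expected.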
