Potential Storage Enumeration on AWS
Detects potential enumeration activity targeting AWS storage
Sigma rule
title: Potential Storage Enumeration on AWS
id: 4723218f-2048-41f6-bcb0-417f2d784f61
related:
    - id: f305fd62-beca-47da-ad95-7690a0620084
      type: similar
status: unsupported
description: Detects potential enumeration activity targeting AWS storage
references:
    - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
author: Janantha Marasinghe
date: 2022/12/13
modified: 2023/03/24
tags:
    - attack.discovery
    - attack.t1619
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 's3.amazonaws.com'
        eventName:
            - 'ListBuckets'
            - 'GetBucketCors'
            - 'GetBucketInventoryConfiguration'
            - 'GetBucketPublicAccessBlock'
            - 'GetBucketMetricsConfiguration'
            - 'GetBucketPolicy'
            - 'GetBucketTagging'
    timeframe: 10m
    condition: selection | count() > 5
falsepositives:
    - Unknown
level: medium
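The following is an added example, not part of the Sigma rule or of the SigmaHQ project: it evaluates the rule's `selection` and its `count() > 5` condition over CloudTrail records in Python. Reading `timeframe: 10m` as a trailing sliding window is an assumption, as are the helper names and the constructed sample records.

```python
from collections import deque
from datetime import datetime, timedelta

# Values copied from the rule's detection section.
EVENT_SOURCE = "s3.amazonaws.com"
RULE_NAMES = (
    "ListBuckets", "GetBucketCors", "GetBucketInventoryConfiguration",
    "GetBucketPublicAccessBlock", "GetBucketMetricsConfiguration",
    "GetBucketPolicy", "GetBucketTagging",
)
EVENT_NAMES = {n.lower() for n in RULE_NAMES}
TIMEFRAME = timedelta(minutes=10)   # timeframe: 10m
THRESHOLD = 5                       # condition: selection | count() > 5


def parse_time(record):
    # CloudTrail eventTime is ISO 8601 UTC, e.g. 2023-03-24T10:00:00Z
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def matches_selection(record):
    # Sigma compares strings case-insensitively by default.
    return (record.get("eventSource", "").lower() == EVENT_SOURCE
            and record.get("eventName", "").lower() in EVENT_NAMES)


def find_alerts(records):
    """Return the eventTime of every matching record that brings the number
    of matching events in the trailing 10-minute window above the threshold."""
    window, alerts = deque(), []
    for rec in sorted(filter(matches_selection, records), key=parse_time):
        now = parse_time(rec)
        window.append(now)
        while now - window[0] > TIMEFRAME:   # drop events older than 10m
            window.popleft()
        if len(window) > THRESHOLD:
            alerts.append(rec["eventTime"])
    return alerts


def make(minute, name, source=EVENT_SOURCE):
    # Constructed sample record holding only the fields the rule reads.
    return {"eventTime": f"2023-03-24T10:{minute:02d}:00Z",
            "eventSource": source, "eventName": name}


# Constructed samples: a burst, the same volume spread out, and non-matching calls.
BURST = [make(i, n) for i, n in enumerate(RULE_NAMES)]       # 7 calls in 7 min
SPREAD = [make(i * 9, "GetBucketPolicy") for i in range(6)]  # 6 calls in 45 min
NOISE = ([make(i, "GetObject") for i in range(8)]
         + [make(i, "ListBuckets", "ec2.amazonaws.com") for i in range(8)])
```

The rule's condition has no `by` clause, so the count here is global; when triaging, group the matching records by a CloudTrail field such as `userIdentity.arn` to see which principal made the calls.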
Related rules
- Account Enumeration on AWS
- Enumeration via the Global Catalog
- Network Scans Count By Destination IP
- Network Scans Count By Destination Port
- Potential Backup Enumeration on AWS