Potential Bucket Enumeration on AWS

Looks for potential enumeration of AWS buckets via ListBuckets.

Christopher Peacock, SCYTHE | Created Fri Jan 06 | Updated Wed Jul 10 | f305fd62-beca-47da-ad95-7690a0620084 | cloud
Log Source
Product: AWS (raw: aws)
Service: cloudtrail (raw: cloudtrail)
Detection Logic (2 selectors)
detection:
    selection:
        eventSource: 's3.amazonaws.com'
        eventName: 'ListBuckets'
    filter:
        userIdentity.type: 'AssumedRole'
    condition: selection and not filter
False Positives

Administrators listing buckets. It may be necessary to filter out users who commonly conduct this activity.
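
The detection condition above, applied to CloudTrail records, as an added example that is not part of the Sigma rule or its repository. The `known_admin_arns` allowlist is a hypothetical tuning parameter for the false-positive case, and every event and ARN in it is constructed sample data.

```python
# Added example: the rule's "selection and not filter" condition applied to
# CloudTrail records. All events and ARNs below are constructed sample data.
SELECTION = {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets"}
FILTER = {"userIdentity.type": "AssumedRole"}

def get_field(record, dotted):
    """Resolve a dotted Sigma field name inside a nested CloudTrail record."""
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def matches(record, selector):
    """Every selector field must match; plain Sigma strings compare case-insensitively."""
    return all(
        isinstance(get_field(record, field), str)
        and get_field(record, field).lower() == value.lower()
        for field, value in selector.items()
    )

def rule_fires(record, known_admin_arns=frozenset()):
    """selection and not filter, then a hypothetical allowlist of routine admin principals."""
    if not matches(record, SELECTION) or matches(record, FILTER):
        return False
    return get_field(record, "userIdentity.arn") not in known_admin_arns

def event(event_id, name, id_type, arn):
    """Build a minimal constructed CloudTrail record with the fields the rule reads."""
    return {"eventID": event_id, "eventSource": "s3.amazonaws.com",
            "eventName": name, "userIdentity": {"type": id_type, "arn": arn}}

ADMIN_ARN = "arn:aws:iam::111122223333:user/ops-admin"  # constructed
SAMPLE_EVENTS = [
    event("e1", "ListBuckets", "IAMUser", "arn:aws:iam::111122223333:user/alice"),
    event("e2", "ListBuckets", "AssumedRole",
          "arn:aws:sts::111122223333:assumed-role/ci-role/session1"),
    event("e3", "GetObject", "IAMUser", "arn:aws:iam::111122223333:user/alice"),
    event("e4", "ListBuckets", "IAMUser", ADMIN_ARN),
    event("e5", "ListBuckets", "Root", "arn:aws:iam::111122223333:root"),
]

def alerts(events, known_admin_arns=frozenset()):
    """Return the eventIDs that would raise an alert."""
    return [e["eventID"] for e in events if rule_fires(e, known_admin_arns)]

if __name__ == "__main__":
    print("untuned:", alerts(SAMPLE_EVENTS))
    print("tuned:  ", alerts(SAMPLE_EVENTS, frozenset({ADMIN_ARN})))
```

Record e2 is dropped by the filter, so ListBuckets calls made from any assumed-role session are outside this rule's coverage.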

Related Rules
Similar: 4723218f-2048-41f6-bcb0-417f2d784f61
Rule Metadata
Rule ID
f305fd62-beca-47da-ad95-7690a0620084
Status
test
Level
low
Type
Detection
Created
Fri Jan 06
Modified
Wed Jul 10
Path
rules/cloud/aws/cloudtrail/aws_enum_buckets.yml
Raw Tags
attack.discovery, attack.t1580, attack.t1619