Commit
new rule 'AWS S3 Unauthenticated Bucket Listing by Rare Source'
Parent: 2ff2965
Commit: 444027b
Showing 1 changed file with 146 additions and 0 deletions.
rules/integrations/aws/collection_s3_unauthenticated_bucket_listing.toml (146 additions, 0 deletions)
@@ -0,0 +1,146 @@ | ||
[metadata] | ||
creation_date = "2024/12/17" | ||
integration = ["aws"] | ||
maturity = "production" | ||
updated_date = "2024/12/17" | ||
|
||
[rule] | ||
author = ["Elastic"] | ||
description = """ | ||
Identifies AWS CloudTrail events where an unauthenticated source is attempting to list objects in an S3 bucket. This | ||
activity may indicate a misconfigured S3 bucket policy that allows public access to the bucket, potentially exposing | ||
sensitive data to unauthorized users. Adversaries can specify `--no-sign-request` in the AWS CLI to list objects in an | ||
S3 bucket without authentication. This is a [New | ||
Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule, which means it | ||
will only trigger once for each unique value of the `source.address` field that has not been seen making this API | ||
request within the last 7 days. This field contains the IP address of the source making the request. | ||
""" | ||
from = "now-9m" | ||
index = ["filebeat-*", "logs-aws.cloudtrail*"] | ||
language = "kuery" | ||
license = "Elastic License v2" | ||
name = "AWS S3 Unauthenticated Bucket Listing by Rare Source" | ||
note = """## Investigating AWS S3 Unauthenticated Bucket Listing by Rare Source | ||
This rule detects attempts to list objects in an AWS S3 bucket from an unauthenticated source. This activity may indicate a misconfigured S3 bucket policy that allows unauthorized public access. Adversaries can exploit this misconfiguration to gather information about the bucket contents using tools or scripts. | ||
The rule triggers when a rare IP address, not seen in the past 7 days, attempts to list S3 bucket objects without authentication. | ||
### Possible Investigation Steps | ||
1. **Identify the Source of the Request**: | ||
- Review the `source.address` field to determine the IP address of the source. | ||
- Check the `source.geo` field for geographic details associated with the IP. | ||
- Examine the `user_agent.original` field to determine the tool or method used for the request. | ||
2. **Review Bucket and Resource Access**: | ||
- Analyze the `aws.cloudtrail.resources.arn` field to identify the bucket being accessed. | ||
- Inspect `aws.cloudtrail.request_parameters` to verify the bucket name and API call details. | ||
- Confirm that the `event.action` is `ListObjects` and that `event.outcome` indicates a successful or failed attempt. | ||
3. **Check for Additional Activity**: | ||
- Correlate the `source.address` with other AWS CloudTrail events to see if this IP has performed additional actions. | ||
- Investigate for follow-up actions, such as `GetObject` API calls, which may indicate data exfiltration. | ||
4. **Assess S3 Bucket Configuration**: | ||
- Review the bucket policy and Access Control List (ACL) to identify overly permissive access, such as public or anonymous permissions. | ||
- Check for policies that include unrestricted principals (`Principal: *`) or allow public access settings. | ||
5. **Identify Patterns and Context**: | ||
- Evaluate whether the activity aligns with legitimate use, such as testing or known automation. | ||
- Cross-reference the bucket activity with other access attempts in the same timeframe to identify potential patterns or anomalies. | ||
### False Positive Analysis | ||
- **Legitimate Public Access**: Some S3 buckets may intentionally allow public access for specific use cases. Confirm the bucket’s intended configuration with its owner. | ||
- **Automated Scans or Security Tools**: Public scanners or legitimate tools may access publicly exposed S3 buckets, triggering this rule. Validate the nature of the access. | ||
### Response and Remediation | ||
1. **Immediate Action**: | ||
- Restrict or remove public access to the affected S3 bucket. | ||
- Update the bucket policy and ensure that access is limited to trusted entities. | ||
- Enable AWS S3 Block Public Access settings to prevent further exposure. | ||
- Monitor for any additional actions or API calls from the source IP. | ||
2. **Enhance Monitoring**: | ||
- Enable detailed logging and monitoring for all S3 buckets to detect similar events in the future. | ||
- Configure real-time alerts for unauthenticated or public API calls to sensitive S3 buckets. | ||
3. **Review Security Configuration**: | ||
- Audit S3 bucket policies and ACLs across your environment to ensure they follow AWS security best practices. | ||
- Remove overly permissive policies and restrict access to trusted principals only. | ||
4. **Analyze for Potential Impact**: | ||
- Investigate whether the unauthenticated access attempt was followed by additional suspicious activity. | ||
- Review the data stored in the bucket to assess the potential risk of data exposure. | ||
### Additional Resources | ||
- [AWS Documentation: S3 Bucket Policy Best Practices](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html) | ||
- [AWS CloudTrail Best Practices](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-best-practices.html) | ||
- [AWS S3 Block Public Access](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html) | ||
""" | ||
references = [ | ||
"https://hackingthe.cloud/aws/exploitation/Misconfigured_Resource-Based_Policies/exploting_public_resources_attack_playbook/", | ||
] | ||
risk_score = 47 | ||
rule_id = "5d876294-bcb2-11ef-bd29-f661ea17fbce" | ||
severity = "medium" | ||
tags = [ | ||
"Domain: Cloud", | ||
"Data Source: AWS", | ||
"Data Source: Amazon Web Services", | ||
"Data Source: Amazon S3", | ||
"Use Case: Asset Visibility", | ||
"Resources: Investigation Guide", | ||
"Tactic: Collection", | ||
] | ||
timestamp_override = "event.ingested" | ||
type = "new_terms" | ||
|
||
query = ''' | ||
event.dataset:"aws.cloudtrail" | ||
and event.provider:"s3.amazonaws.com" and event.action:"ListObjects" | ||
and aws.cloudtrail.user_identity.type: ("AWSAccount" or "Unknown") | ||
and cloud.account.id: "anonymous" | ||
''' | ||
|
||
|
||
[[rule.threat]] | ||
framework = "MITRE ATT&CK" | ||
[[rule.threat.technique]] | ||
id = "T1530" | ||
name = "Data from Cloud Storage" | ||
reference = "https://attack.mitre.org/techniques/T1530/" | ||
|
||
|
||
[rule.threat.tactic] | ||
id = "TA0009" | ||
name = "Collection" | ||
reference = "https://attack.mitre.org/tactics/TA0009/" | ||
|
||
[rule.investigation_fields] | ||
field_names = [ | ||
"@timestamp", | ||
"cloud.account.id", | ||
"aws.cloudtrail.user_identity.type", | ||
"source.address", | ||
"user_agent.original", | ||
"aws.cloudtrail.resources.arn", | ||
"event.action", | ||
"event.outcome", | ||
"cloud.region", | ||
"aws.cloudtrail.request_parameters", | ||
] | ||
|
||
[rule.new_terms] | ||
field = "new_terms_fields" | ||
value = ["source.address"] | ||
[[rule.new_terms.history_window_start]] | ||
field = "history_window_start" | ||
value = "now-7d" | ||
|
||
|
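Review bot: the query (`event.action:"ListObjects"` plus `cloud.account.id: "anonymous"`) does not constrain `event.outcome`, so a denied anonymous listing against a correctly locked-down bucket and a successful listing that actually exposes data raise the same medium-severity alert; since the investigation guide already asks the analyst to check `event.outcome`, either say in the description that both outcomes match, or restrict the query to successful events and leave denied attempts to a lower-severity rule. Two smaller points: `ListObjects` is an S3 data event that CloudTrail only records when object-level logging is enabled for the bucket, and the note has no Setup section saying so (the "Enable detailed logging and monitoring for all S3 buckets" remediation step hints at it, but without that logging the rule is simply silent); and with `source.address` as the only new-terms field, the same IP listing a second bucket inside the 7-day window will not alert, so consider adding `aws.cloudtrail.resources.arn`, which is already in `field_names`, as a second new-terms field.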