From 444027b94edf279fcae43c2f73a430b5b681a778 Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Tue, 17 Dec 2024 15:42:42 -0500
Subject: [PATCH 1/3] new rule 'AWS S3 Unauthenticated Bucket Listing by Rare Source'
---
...ion_s3_unauthenticated_bucket_listing.toml | 146 ++++++++++++++++++
1 file changed, 146 insertions(+)
create mode 100644 rules/integrations/aws/collection_s3_unauthenticated_bucket_listing.toml
diff --git a/rules/integrations/aws/collection_s3_unauthenticated_bucket_listing.toml b/rules/integrations/aws/collection_s3_unauthenticated_bucket_listing.toml
new file mode 100644
index 00000000000..72298574511
--- /dev/null
+++ b/rules/integrations/aws/collection_s3_unauthenticated_bucket_listing.toml
@@ -0,0 +1,146 @@
+[metadata]
+creation_date = "2024/12/17"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2024/12/17"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies AWS CloudTrail events where an unauthenticated source is attempting to list objects in an S3 bucket. This
+activity may indicate a misconfigured S3 bucket policy that allows public access to the bucket, potentially exposing
+sensitive data to unauthorized users. Adversaries can specify `--no-sign-request` in the AWS CLI to list objects in an
+S3 bucket without authentication. This is a [New
+Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule, which means it
+will only trigger once for each unique value of the `source.address` field that has not been seen making this API
+request within the last 7 days. This field contains the IP address of the source making the request.
+"""
+from = "now-9m"
+index = ["filebeat-*", "logs-aws.cloudtrail*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS S3 Unauthenticated Bucket Listing by Rare Source"
+note = """## Investigating AWS S3 Unauthenticated Bucket Listing by Rare Source
+
+This rule detects attempts to list objects in an AWS S3 bucket from an unauthenticated source. This activity may indicate a misconfigured S3 bucket policy that allows unauthorized public access. Adversaries can exploit this misconfiguration to gather information about the bucket contents using tools or scripts.
+
+The rule triggers when a rare IP address, not seen in the past 7 days, attempts to list S3 bucket objects without authentication.
+
+### Possible Investigation Steps
+
+1. **Identify the Source of the Request**:
+ - Review the `source.address` field to determine the IP address of the source.
+ - Check the `source.geo` field for geographic details associated with the IP.
+ - Examine the `user_agent.original` field to determine the tool or method used for the request.
+
+2. **Review Bucket and Resource Access**:
+ - Analyze the `aws.cloudtrail.resources.arn` field to identify the bucket being accessed.
+ - Inspect `aws.cloudtrail.request_parameters` to verify the bucket name and API call details.
+ - Confirm that the `event.action` is `ListObjects` and that `event.outcome` indicates a successful or failed attempt.
+
+3. **Check for Additional Activity**:
+ - Correlate the `source.address` with other AWS CloudTrail events to see if this IP has performed additional actions.
+ - Investigate for follow-up actions, such as `GetObject` API calls, which may indicate data exfiltration.
+
+4. **Assess S3 Bucket Configuration**:
+ - Review the bucket policy and Access Control List (ACL) to identify overly permissive access, such as public or anonymous permissions.
+ - Check for policies that include unrestricted principals (`Principal: *`) or allow public access settings.
+
+5. **Identify Patterns and Context**:
+ - Evaluate whether the activity aligns with legitimate use, such as testing or known automation.
+ - Cross-reference the bucket activity with other access attempts in the same timeframe to identify potential patterns or anomalies.
+
+### False Positive Analysis
+
+- **Legitimate Public Access**: Some S3 buckets may intentionally allow public access for specific use cases. Confirm the bucket’s intended configuration with its owner.
+- **Automated Scans or Security Tools**: Public scanners or legitimate tools may access publicly exposed S3 buckets, triggering this rule. Validate the nature of the access.
+
+### Response and Remediation
+
+1. **Immediate Action**:
+ - Restrict or remove public access to the affected S3 bucket.
+ - Update the bucket policy and ensure that access is limited to trusted entities.
+ - Enable AWS S3 Block Public Access settings to prevent further exposure.
+ - Monitor for any additional actions or API calls from the source IP.
+
+2. **Enhance Monitoring**:
+ - Enable detailed logging and monitoring for all S3 buckets to detect similar events in the future.
+ - Configure real-time alerts for unauthenticated or public API calls to sensitive S3 buckets.
+
+3. **Review Security Configuration**:
+ - Audit S3 bucket policies and ACLs across your environment to ensure they follow AWS security best practices.
+ - Remove overly permissive policies and restrict access to trusted principals only.
+
+4. **Analyze for Potential Impact**:
+ - Investigate whether the unauthenticated access attempt was followed by additional suspicious activity.
+ - Review the data stored in the bucket to assess the potential risk of data exposure.
+
+
+### Additional Resources
+
+- [AWS Documentation: S3 Bucket Policy Best Practices](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html)
+- [AWS CloudTrail Best Practices](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-best-practices.html)
+- [AWS S3 Block Public Access](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html)
+
+"""
+references = [
+ "https://hackingthe.cloud/aws/exploitation/Misconfigured_Resource-Based_Policies/exploting_public_resources_attack_playbook/",
+]
+risk_score = 47
+rule_id = "5d876294-bcb2-11ef-bd29-f661ea17fbce"
+severity = "medium"
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: Amazon S3",
+ "Use Case: Asset Visibility",
+ "Resources: Investigation Guide",
+ "Tactic: Collection",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset:"aws.cloudtrail"
+ and event.provider:"s3.amazonaws.com" and event.action:"ListObjects"
+ and aws.cloudtrail.user_identity.type: ("AWSAccount" or "Unknown")
+ and cloud.account.id: "anonymous"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1530"
+name = "Data from Cloud Storage"
+reference = "https://attack.mitre.org/techniques/T1530/"
+
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+
+[rule.investigation_fields]
+field_names = [
+ "@timestamp",
+ "cloud.account.id",
+ "aws.cloudtrail.user_identity.type",
+ "source.address",
+ "user_agent.original",
+ "aws.cloudtrail.resources.arn",
+ "event.action",
+ "event.outcome",
+ "cloud.region",
+ "aws.cloudtrail.request_parameters",
+]
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["source.address"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"
+
+
From 349dd720526dc38a2c4fc66e9a7c2cfde8becfa2 Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Tue, 17 Dec 2024 15:50:22 -0500
Subject: [PATCH 2/3] adjusted query
---
.../aws/collection_s3_unauthenticated_bucket_listing.toml | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/rules/integrations/aws/collection_s3_unauthenticated_bucket_listing.toml b/rules/integrations/aws/collection_s3_unauthenticated_bucket_listing.toml
index 72298574511..ed4b2f4e15b 100644
--- a/rules/integrations/aws/collection_s3_unauthenticated_bucket_listing.toml
+++ b/rules/integrations/aws/collection_s3_unauthenticated_bucket_listing.toml
@@ -102,8 +102,10 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 
 query = '''
-event.dataset:"aws.cloudtrail"
- and event.provider:"s3.amazonaws.com" and event.action:"ListObjects"
+event.dataset: "aws.cloudtrail"
+ and event.provider: "s3.amazonaws.com"
+ and event.action: "ListObjects"
+ and event.outcome: "success"
  and aws.cloudtrail.user_identity.type: ("AWSAccount" or "Unknown")
  and cloud.account.id: "anonymous"
 '''
From 466ff2380972d57c30c984b531c560a43e02b9c5 Mon Sep 17 00:00:00 2001
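Review bot: The `query` on the new side keys entirely on `event.action:"ListObjects"`, and a listing call is object-level S3 activity that CloudTrail, as far as I recall the management/data split, delivers only when S3 data-event logging is enabled for the trail or bucket; on an account with management events alone the rule matches nothing and nobody is told why. Neither the `description` nor the `note` states that prerequisite, so a short setup sentence such as `This rule requires Amazon S3 data events (object-level API activity) to be enabled in CloudTrail for the buckets you want monitored.` would keep deployments from assuming coverage they do not have. It would also be worth confirming against real data whether the V2 list call lands under the same `ListObjects` action value in `event.action`, and widening the match if it does not, since a miss there drops the most common CLI path described in the description.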
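Review bot: Adding `and event.outcome: "success"` leaves the investigation guide out of step with the query: step 2 of the `note` (outside this hunk) still tells the analyst to confirm that `event.outcome` "indicates a successful or failed attempt", but after this change only successful anonymous listings can produce an alert, so that bullet should now read along the lines of `Confirm that event.action is ListObjects; this rule only alerts when event.outcome is success, meaning the listing actually returned results.` The narrowing also silently drops access-denied anonymous listing attempts against non-public buckets, which is a reasonable noise trade-off for a rare-source rule but deserves one sentence in the description or the false-positive section so a defender knows those probes are intentionally out of scope here rather than missing.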
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Wed, 15 Jan 2025 11:17:06 -0500
Subject: [PATCH 3/3] Update rules/integrations/aws/collection_s3_unauthenticated_bucket_listing.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---
.../aws/collection_s3_unauthenticated_bucket_listing.toml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/rules/integrations/aws/collection_s3_unauthenticated_bucket_listing.toml b/rules/integrations/aws/collection_s3_unauthenticated_bucket_listing.toml
index ed4b2f4e15b..cb160680490 100644
--- a/rules/integrations/aws/collection_s3_unauthenticated_bucket_listing.toml
+++ b/rules/integrations/aws/collection_s3_unauthenticated_bucket_listing.toml
@@ -10,10 +10,10 @@ description = """
 Identifies AWS CloudTrail events where an unauthenticated source is attempting to list objects in an S3 bucket. This
 activity may indicate a misconfigured S3 bucket policy that allows public access to the bucket, potentially exposing
 sensitive data to unauthorized users. Adversaries can specify `--no-sign-request` in the AWS CLI to list objects in an
-S3 bucket without authentication. This is a [New
-Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule, which means it
-will only trigger once for each unique value of the `source.address` field that has not been seen making this API
-request within the last 7 days. This field contains the IP address of the source making the request.
+S3 bucket without authentication. This is a New Terms
+(https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule, which means it will
+only trigger once for each unique value of the `source.address` field that has not been seen making this API request
+within the last 7 days. This field contains the IP address of the source making the request.
 """
 from = "now-9m"
 index = ["filebeat-*", "logs-aws.cloudtrail*"]