[New Rule] Adding Coverage for AWS S3 Unauthenticated Bucket Listing by Rare Source #4313

Closed
wants to merge 5 commits into from
Changes from 2 commits
@@ -0,0 +1,148 @@
[metadata]
creation_date = "2024/12/17"
integration = ["aws"]
maturity = "production"
updated_date = "2024/12/17"

[rule]
author = ["Elastic"]
description = """
Identifies AWS CloudTrail events where an unauthenticated source is attempting to list objects in an S3 bucket. This
activity may indicate a misconfigured S3 bucket policy that allows public access to the bucket, potentially exposing
sensitive data to unauthorized users. Adversaries can specify `--no-sign-request` in the AWS CLI to list objects in an
S3 bucket without authentication. This is a [New
Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule, which means it
will only trigger once for each unique value of the `source.address` field that has not been seen making this API
request within the last 7 days. This field contains the IP address of the source making the request.
"""
from = "now-9m"
index = ["filebeat-*", "logs-aws.cloudtrail*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS S3 Unauthenticated Bucket Listing by Rare Source"
note = """## Investigating AWS S3 Unauthenticated Bucket Listing by Rare Source

This rule detects attempts to list objects in an AWS S3 bucket from an unauthenticated source. This activity may indicate a misconfigured S3 bucket policy that allows unauthorized public access. Adversaries can exploit this misconfiguration to gather information about the bucket contents using tools or scripts.

The rule triggers when a rare IP address, not seen in the past 7 days, attempts to list S3 bucket objects without authentication.

### Possible Investigation Steps

1. **Identify the Source of the Request**:
- Review the `source.address` field to determine the IP address of the source.
- Check the `source.geo` field for geographic details associated with the IP.
- Examine the `user_agent.original` field to determine the tool or method used for the request.

2. **Review Bucket and Resource Access**:
- Analyze the `aws.cloudtrail.resources.arn` field to identify the bucket being accessed.
- Inspect `aws.cloudtrail.request_parameters` to verify the bucket name and API call details.
- Confirm that the `event.action` is `ListObjects` and that `event.outcome` indicates a successful or failed attempt.

3. **Check for Additional Activity**:
- Correlate the `source.address` with other AWS CloudTrail events to see if this IP has performed additional actions.
- Investigate for follow-up actions, such as `GetObject` API calls, which may indicate data exfiltration.

4. **Assess S3 Bucket Configuration**:
- Review the bucket policy and Access Control List (ACL) to identify overly permissive access, such as public or anonymous permissions.
- Check for policies that include unrestricted principals (`Principal: *`) or allow public access settings.

5. **Identify Patterns and Context**:
- Evaluate whether the activity aligns with legitimate use, such as testing or known automation.
- Cross-reference the bucket activity with other access attempts in the same timeframe to identify potential patterns or anomalies.

### False Positive Analysis

- **Legitimate Public Access**: Some S3 buckets may intentionally allow public access for specific use cases. Confirm the bucket’s intended configuration with its owner.
- **Automated Scans or Security Tools**: Public scanners or legitimate tools may access publicly exposed S3 buckets, triggering this rule. Validate the nature of the access.

### Response and Remediation

1. **Immediate Action**:
- Restrict or remove public access to the affected S3 bucket.
- Update the bucket policy and ensure that access is limited to trusted entities.
- Enable AWS S3 Block Public Access settings to prevent further exposure.
- Monitor for any additional actions or API calls from the source IP.

2. **Enhance Monitoring**:
- Enable detailed logging and monitoring for all S3 buckets to detect similar events in the future.
- Configure real-time alerts for unauthenticated or public API calls to sensitive S3 buckets.

3. **Review Security Configuration**:
- Audit S3 bucket policies and ACLs across your environment to ensure they follow AWS security best practices.
- Remove overly permissive policies and restrict access to trusted principals only.

4. **Analyze for Potential Impact**:
- Investigate whether the unauthenticated access attempt was followed by additional suspicious activity.
- Review the data stored in the bucket to assess the potential risk of data exposure.


### Additional Resources

- [AWS Documentation: S3 Bucket Policy Best Practices](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html)
- [AWS CloudTrail Best Practices](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-best-practices.html)
- [AWS S3 Block Public Access](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html)

"""
references = [
"https://hackingthe.cloud/aws/exploitation/Misconfigured_Resource-Based_Policies/exploting_public_resources_attack_playbook/",
]
risk_score = 47
rule_id = "5d876294-bcb2-11ef-bd29-f661ea17fbce"
severity = "medium"
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: Amazon S3",
"Use Case: Asset Visibility",
"Resources: Investigation Guide",
"Tactic: Collection",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset: "aws.cloudtrail"
and event.provider: "s3.amazonaws.com"
and event.action: "ListObjects"
and event.outcome: "success"
and aws.cloudtrail.user_identity.type: ("AWSAccount" or "Unknown")
and cloud.account.id: "anonymous"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1530"
name = "Data from Cloud Storage"
reference = "https://attack.mitre.org/techniques/T1530/"


[rule.threat.tactic]
id = "TA0009"
name = "Collection"

This looks more like a discovery activity vs. collection, https://attack.mitre.org/techniques/T1619/


++

reference = "https://attack.mitre.org/tactics/TA0009/"

[rule.investigation_fields]
field_names = [
"@timestamp",
"cloud.account.id",
"aws.cloudtrail.user_identity.type",
"source.address",
"user_agent.original",
"aws.cloudtrail.resources.arn",
"event.action",
"event.outcome",
"cloud.region",
"aws.cloudtrail.request_parameters",
]

[rule.new_terms]
field = "new_terms_fields"
value = ["source.address"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
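Review bot: The `event.outcome: "success"` filter in the query block contradicts the rule's own text: the description says the rule identifies a source "attempting to list objects", and step 2 of the investigation guide tells the analyst to confirm that `event.outcome` "indicates a successful or failed attempt", yet as written the rule can only fire on anonymous `ListObjects` calls that succeeded. Either reword the description and step 2 to say the anonymous listing succeeded (the more useful signal, since a success confirms the bucket is actually publicly listable), or drop the outcome filter and accept the noise from denied anonymous requests. The thread's point about T1619 also stands: the query matches only `ListObjects`, which enumerates bucket contents, so a Discovery mapping fits the current scope better than T1530 / Collection; T1530 would fit once the `GetObject` calls that step 3 of the guide already mentions are part of the query.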
