
Description

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket over the AWS CLI.

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

  • Last Updated: 2021-07-19
  • Author: Patrick Bareiss, Splunk
  • ID: 39c61d09-8b30-4154-922b-2d0a694ecc22

Annotations

ATT&CK
  • ID: T1530, Technique: Data from Cloud Storage Object, Tactic: Collection
Kill Chain Phase
  • Actions on Objectives
NIST
  • PR.DS
  • PR.AC
  • DE.CM
CIS20
  • CIS 13
CVE
`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli* ) eventName=PutBucketAcl (requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers"))
| rename requestParameters.bucketName AS bucketName 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_new_open_s3_buckets_over_aws_cli_filter` 
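The following is an added illustration, not Splunk's content and not part of this detection: the search predicate and the stats step re-implemented in plain Python and run over a handful of constructed CloudTrail-shaped records. It shows what the grant conditions select when they are grouped the way the description intends (CLI user agent, PutBucketAcl, and at least one grant to AllUsers or AuthenticatedUsers), how the Splunk wildcard `*AllUsers` lands on the `uri=...groups/global/AllUsers` grantee form CloudTrail records, and why an object-level ACL change or a console-driven change does not produce a row. The record layout, user agent string, user names and bucket names are constructed for the example; the field names come from the search above.

```python
"""Added example: the 'Detect New Open S3 Buckets over AWS CLI' logic in
plain Python, run over constructed CloudTrail-shaped records."""
import re
from datetime import datetime

# Grant headers carried through stats (under requestParameters.accessControlList).
GRANT_FIELDS = (
    "x-amz-grant-read",
    "x-amz-grant-read-acp",
    "x-amz-grant-write",
    "x-amz-grant-write-acp",
    "x-amz-grant-full-control",
)
# The search tests the last four against public grantees; x-amz-grant-read is
# only grouped on and reported, so the predicate below mirrors that.
MATCHED_GRANT_FIELDS = GRANT_FIELDS[1:]
PUBLIC_GRANTEE_PATTERNS = ("*AuthenticatedUsers", "*AllUsers")
CLI_PATTERNS = ("[aws-cli*", "aws-cli*")


def splunk_match(value, pattern):
    """Splunk-style wildcard comparison: '*' matches any run of characters and
    everything else is literal, so '[aws-cli*' matches '[aws-cli/1.18 ...]'.
    Splunk term matching is case-insensitive, so this is too."""
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None


def matches_detection(event):
    """The search predicate with the grant conditions grouped together: an S3
    PutBucketAcl call issued from the AWS CLI in which at least one grant
    header names AllUsers or AuthenticatedUsers."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return False
    if event.get("eventName") != "PutBucketAcl":
        return False
    ua = event.get("userAgent", "")
    if not any(splunk_match(ua, p) for p in CLI_PATTERNS):
        return False
    acl = event.get("requestParameters", {}).get("accessControlList", {})
    return any(
        splunk_match(str(acl.get(f, "")), p)
        for f in MATCHED_GRANT_FIELDS
        for p in PUBLIC_GRANTEE_PATTERNS
    )


def summarize(events):
    """Equivalent of the stats step: count, firstTime and lastTime per
    (userName, principalId, userAgent, bucketName, grant headers)."""
    rows = {}
    for ev in events:
        if not matches_detection(ev):
            continue
        acl = ev["requestParameters"]["accessControlList"]
        key = (
            ev["userIdentity"].get("userName"),
            ev["userIdentity"].get("principalId"),
            ev["userAgent"],
            ev["requestParameters"].get("bucketName"),
            tuple(acl.get(f, "") for f in GRANT_FIELDS),  # fillnull equivalent
        )
        t = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        row = rows.setdefault(key, {"count": 0, "firstTime": t, "lastTime": t})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], t)
        row["lastTime"] = max(row["lastTime"], t)
    return rows


def rba_message(key):
    """Renders the page's RBA message text for one stats row."""
    user, _principal, _ua, bucket, grants = key
    return (f"User {user} has created an open/public bucket {bucket} using "
            f"AWS CLI with the following permissions - " + " ".join(grants))


def _cli_event(time, name, bucket, grants, user_agent=None):
    """Builds a constructed (not real) CloudTrail-shaped record."""
    return {
        "eventTime": time,
        "eventSource": "s3.amazonaws.com",
        "eventName": name,
        "userAgent": user_agent or "[aws-cli/1.18.69 Python/3.8.5 Linux/5.4.0 botocore/1.16.19]",
        "userIdentity": {"userName": "alice", "principalId": "AIDAEXAMPLEPRINCIPAL"},
        "requestParameters": {"bucketName": bucket, "accessControlList": grants},
    }


ALL_USERS = "uri=http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

SAMPLE_EVENTS = [
    # Two CLI calls making the same bucket world-controllable: one row, count 2.
    _cli_event("2021-07-19T10:00:00Z", "PutBucketAcl", "corp-backups",
               {"x-amz-grant-full-control": ALL_USERS}),
    _cli_event("2021-07-19T10:05:00Z", "PutBucketAcl", "corp-backups",
               {"x-amz-grant-full-control": ALL_USERS}),
    # Object-level ACL change, not a bucket ACL: outside this detection's scope.
    _cli_event("2021-07-19T10:06:00Z", "PutObjectAcl", "corp-backups",
               {"x-amz-grant-read": ALL_USERS}),
    # Grant to one canonical user id (placeholder), not a public group: no row.
    _cli_event("2021-07-19T10:07:00Z", "PutBucketAcl", "corp-logs",
               {"x-amz-grant-read-acp": "id=CANONICAL_USER_ID_PLACEHOLDER"}),
    # Same public grant made from the console: the CLI-focused search skips it.
    _cli_event("2021-07-19T10:08:00Z", "PutBucketAcl", "corp-www",
               {"x-amz-grant-read-acp": AUTH_USERS}, user_agent="console.amazonaws.com"),
]

if __name__ == "__main__":
    for key, row in summarize(SAMPLE_EVENTS).items():
        print(row["count"], row["firstTime"], row["lastTime"], rba_message(key))
```

Running the block prints one row for the two `corp-backups` calls; the console-driven change to `corp-www` is deliberately not reported here, which is the gap a companion detection keyed on a console user agent would cover.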

Macros

The SPL above uses the following Macros:

  • cloudtrail
  • security_content_ctime
  • detect_new_open_s3_buckets_over_aws_cli_filter

Note that detect_new_open_s3_buckets_over_aws_cli_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

  • _time
  • eventSource
  • eventName
  • requestParameters.accessControlList.x-amz-grant-read-acp
  • requestParameters.accessControlList.x-amz-grant-write
  • requestParameters.accessControlList.x-amz-grant-write-acp
  • requestParameters.accessControlList.x-amz-grant-full-control
  • requestParameters.bucketName
  • userIdentity.userName
  • userIdentity.principalId
  • userAgent
  • bucketName

How To Implement

Known False Positives

While this search has no known false positives, it is possible that an AWS admin has legitimately created a public bucket for a specific purpose. That said, AWS strongly advises against granting full control to the “All Users” group.

Associated Analytic story

RBA

  • Risk Score: 48.0
  • Impact: 60
  • Confidence: 80
  • Message: User $userIdentity.userName$ has created an open/public bucket $bucketName$ using AWS CLI with the following permissions - $requestParameters.accessControlList.x-amz-grant-read$ $requestParameters.accessControlList.x-amz-grant-read-acp$ $requestParameters.accessControlList.x-amz-grant-write$ $requestParameters.accessControlList.x-amz-grant-write-acp$ $requestParameters.accessControlList.x-amz-grant-full-control$

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 2