Rules Contributing to Suspicious AWS Bucket Enumeration Alert

The following rules are used to identify suspicious activity related to AWS Bucket Enumeration. Any one or more of these will trigger AWS Bucket Enumeration Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

Potential Bucket Enumeration on AWS

Looks for potential enumeration of AWS buckets via ListBuckets.

More details

Rule ID

aws_6

Query

{'selection': {'eventSource': 'ec2.amazonaws.com', 'eventName': 'ListBuckets'}, 'filter': {'type': 'AssumedRole'}, 'condition': 'selection and not filter'}

Log Source

Stellar Cyber AWS Cloudtrail configured.

Rule Source

SigmaHQ,f305fd62-beca-47da-ad95-7690a0620084

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io

Tactics, Techniques, and Procedures

TA0007, T1580

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2023/01/06	low	Administrators listing buckets, it may be necessary to filter out users who commonly conduct this activity.