Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[New Rule] Adding Coverage for AWS S3 Unauthenticated Object Retrieval by Rare Source #4315

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
+152 −0
Open

[New Rule] Adding Coverage for AWS S3 Unauthenticated Object Retrieval by Rare Source #4315

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
152 changes: 152 additions & 0 deletions rules/integrations/aws/collection_s3_unauthenticated_get_object.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,152 @@
[metadata]
creation_date = "2024/12/17"
integration = ["aws"]
maturity = "production"
updated_date = "2024/12/17"

[rule]
author = ["Elastic"]
description = """
Identifies AWS CloudTrail events where an unauthenticated source is attempting to retrieve an object from an S3 bucket.
This activity may indicate a misconfigured S3 bucket policy that allows public access to the bucket, potentially
exposing sensitive data to unauthorized users. Adversaries can specify `--no-sign-request` in the AWS CLI to retrieve
objects from an S3 bucket without authentication. This is a [New
Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule, which means it
will only trigger once for each unique value of the `source.address` field that has not been seen making this API
request within the last 7 days. This field contains the IP address of the source making the request.
"""
from = "now-9m"
index = ["filebeat-*", "logs-aws.cloudtrail*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS S3 Unauthenticated Object Retrieval by Rare Source"
note = """
## Investigating AWS S3 Unauthenticated Object Retrieval by Rare Source

This rule detects attempts to retrieve objects from an AWS S3 bucket by an unauthenticated source, which could indicate a misconfigured bucket policy allowing public access. Adversaries can exploit this misconfiguration by using tools or AWS CLI options like `--no-sign-request` to access bucket contents.

The rule triggers when an unauthenticated IP address retrieves an object, and that IP has not been seen in the last 7 days.

### Possible Investigation Steps

1. **Identify the Source of the Request**:
- Review the `source.address` field to determine the IP address of the request source.
- Check `source.geo` fields for geographic details of the originating IP address.
- Analyze the `user_agent.original` field to identify the client or tool used (e.g., `Python Requests`, `aws-cli`, browser).

2. **Review the Accessed Bucket and Object**:
- Analyze the `aws.cloudtrail.resources.arn` field to identify the S3 bucket and object being accessed.
- Inspect `aws.cloudtrail.request_parameters` for bucket name and object key to determine which file was retrieved.
- Confirm the `event.action` is `GetObject` and verify that the `event.outcome` indicates a successful access.

3. **Validate the Source IP and Context**:
- Determine if the IP address (`source.address`) has any prior activity in your environment.
- Correlate the IP with threat intelligence or blocklist databases to check for malicious indicators.
- Review CloudTrail logs for other activities originating from the same IP.

4. **Analyze the S3 Bucket Configuration**:
- Review the S3 bucket's Access Control List (ACL) and bucket policy to check for misconfigurations allowing public or unauthenticated access.
- Look for overly permissive settings, such as `Principal: *` or `Effect: Allow` rules that expose the bucket.

5. **Investigate Additional Activity**:
- Check if there are subsequent actions, such as:
- **Additional `GetObject` API calls**: Indicating further data exfiltration.
- **ListObjects requests**: Attempting to enumerate the bucket's contents.
- Correlate events within the same timeframe to identify related suspicious activity.

6. **Assess the Data Exposed**:
- Identify the retrieved object(s) and analyze their content to assess potential data exposure.
- Determine if the file contains sensitive information, such as credentials, intellectual property, or PII.

### False Positive Analysis

- **Public Buckets by Design**: Some S3 buckets may intentionally allow public access. Verify with the bucket owner if the access was expected.
- **Automated Tools**: Security scanners or legitimate services may generate `GetObject` events to validate bucket configurations.

### Response and Remediation

1. **Immediate Action**:
- Restrict or remove public access to the affected S3 bucket.
- Update the bucket policy to ensure access is restricted to trusted principals.
- Enable **S3 Block Public Access** settings to prevent unintended public access.

2. **Monitoring and Detection**:
- Enable detailed logging and monitoring for all S3 bucket activities.
- Configure real-time alerts for unauthenticated `GetObject` or `ListObjects` events on sensitive S3 buckets.

3. **Security Audits**:
- Regularly audit S3 bucket policies and ACLs to ensure they adhere to AWS security best practices.
- Use AWS tools like **Trusted Advisor** or **Access Analyzer** to identify and address misconfigurations.

4. **Investigate for Data Exfiltration**:
- Analyze historical CloudTrail logs to determine if other sensitive files were accessed or exfiltrated.
- Assess the scope of the exposure and initiate further response if sensitive data was compromised.

### Additional Resources

- [AWS Documentation: S3 Bucket Policy Best Practices](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html)
- [AWS S3 Block Public Access](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html)
"""
references = [
"https://hackingthe.cloud/aws/exploitation/Misconfigured_Resource-Based_Policies/exploting_public_resources_attack_playbook/",
]
risk_score = 47
rule_id = "59bf26c2-bcbe-11ef-a215-f661ea17fbce"
severity = "medium"
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: Amazon S3",
"Use Case: Asset Visibility",
"Resources: Investigation Guide",
"Tactic: Collection",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset: "aws.cloudtrail"
and event.provider: "s3.amazonaws.com"
and event.action: "GetObject"
and event.outcome: "success"
and aws.cloudtrail.user_identity.type: ("AWSAccount" or "Unknown")
and cloud.account.id: "anonymous"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1530"
name = "Data from Cloud Storage"
reference = "https://attack.mitre.org/techniques/T1530/"


[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"

[rule.investigation_fields]
field_names = [
"@timestamp",
"cloud.account.id",
"aws.cloudtrail.user_identity.type",
"source.address",
"user_agent.original",
"aws.cloudtrail.resources.arn",
"event.action",
"event.outcome",
"cloud.region",
"aws.cloudtrail.request_parameters",
]

[rule.new_terms]
field = "new_terms_fields"
value = ["source.address"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"


Loading