elastic · terrancedejesus · Dec 17, 2024 · Dec 17, 2024 · Jan 15, 2025 · Jan 15, 2025
diff --git a/rules/integrations/aws/collection_s3_unauthenticated_bucket_listing.toml b/rules/integrations/aws/collection_s3_unauthenticated_bucket_listing.toml
@@ -0,0 +1,148 @@
+[metadata]
+creation_date = "2024/12/17"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2024/12/17"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies AWS CloudTrail events where an unauthenticated source is attempting to list objects in an S3 bucket. This
+activity may indicate a misconfigured S3 bucket policy that allows public access to the bucket, potentially exposing
+sensitive data to unauthorized users. Adversaries can specify `--no-sign-request` in the AWS CLI to list objects in an
+S3 bucket without authentication. This is a New Terms 
+(https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule, which means it will
+only trigger once for each unique value of the `source.address` field that has not been seen making this API request
+within the last 7 days. This field contains the IP address of the source making the request.
+"""
+from = "now-9m"
+index = ["filebeat-*", "logs-aws.cloudtrail*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS S3 Unauthenticated Bucket Listing by Rare Source"
+note = """## Investigating AWS S3 Unauthenticated Bucket Listing by Rare Source
+
+This rule detects attempts to list objects in an AWS S3 bucket from an unauthenticated source. This activity may indicate a misconfigured S3 bucket policy that allows unauthorized public access. Adversaries can exploit this misconfiguration to gather information about the bucket contents using tools or scripts.
+
+The rule triggers when a rare IP address, not seen in the past 7 days, attempts to list S3 bucket objects without authentication.
+
+### Possible Investigation Steps
+
+1. **Identify the Source of the Request**:
+   - Review the `source.address` field to determine the IP address of the source.
+   - Check the `source.geo` field for geographic details associated with the IP.
+   - Examine the `user_agent.original` field to determine the tool or method used for the request.
+
+2. **Review Bucket and Resource Access**:
+   - Analyze the `aws.cloudtrail.resources.arn` field to identify the bucket being accessed.
+   - Inspect `aws.cloudtrail.request_parameters` to verify the bucket name and API call details.
+   - Confirm that the `event.action` is `ListObjects` and that `event.outcome` indicates a successful or failed attempt.
+
+3. **Check for Additional Activity**:
+   - Correlate the `source.address` with other AWS CloudTrail events to see if this IP has performed additional actions.
+   - Investigate for follow-up actions, such as `GetObject` API calls, which may indicate data exfiltration.
+
+4. **Assess S3 Bucket Configuration**:
+   - Review the bucket policy and Access Control List (ACL) to identify overly permissive access, such as public or anonymous permissions.
+   - Check for policies that include unrestricted principals (`Principal: *`) or allow public access settings.
+
+5. **Identify Patterns and Context**:
+   - Evaluate whether the activity aligns with legitimate use, such as testing or known automation.
+   - Cross-reference the bucket activity with other access attempts in the same timeframe to identify potential patterns or anomalies.
+
+### False Positive Analysis
+
+- **Legitimate Public Access**: Some S3 buckets may intentionally allow public access for specific use cases. Confirm the bucket’s intended configuration with its owner.
+- **Automated Scans or Security Tools**: Public scanners or legitimate tools may access publicly exposed S3 buckets, triggering this rule. Validate the nature of the access.
+
+### Response and Remediation
+
+1. **Immediate Action**:
+   - Restrict or remove public access to the affected S3 bucket.
+     - Update the bucket policy and ensure that access is limited to trusted entities.
+     - Enable AWS S3 Block Public Access settings to prevent further exposure.
+   - Monitor for any additional actions or API calls from the source IP.
+
+2. **Enhance Monitoring**:
+   - Enable detailed logging and monitoring for all S3 buckets to detect similar events in the future.
+   - Configure real-time alerts for unauthenticated or public API calls to sensitive S3 buckets.
+
+3. **Review Security Configuration**:
+   - Audit S3 bucket policies and ACLs across your environment to ensure they follow AWS security best practices.
+   - Remove overly permissive policies and restrict access to trusted principals only.
+
+4. **Analyze for Potential Impact**:
+   - Investigate whether the unauthenticated access attempt was followed by additional suspicious activity.
+   - Review the data stored in the bucket to assess the potential risk of data exposure.
+
+
+### Additional Resources
+
+- [AWS Documentation: S3 Bucket Policy Best Practices](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html)
+- [AWS CloudTrail Best Practices](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-best-practices.html)
+- [AWS S3 Block Public Access](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html)
+
+"""
+references = [
+    "https://hackingthe.cloud/aws/exploitation/Misconfigured_Resource-Based_Policies/exploting_public_resources_attack_playbook/",
+]
+risk_score = 47
+rule_id = "5d876294-bcb2-11ef-bd29-f661ea17fbce"
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Data Source: AWS",
+    "Data Source: Amazon Web Services",
+    "Data Source: Amazon S3",
+    "Use Case: Asset Visibility",
+    "Resources: Investigation Guide",
+    "Tactic: Collection",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset: "aws.cloudtrail"
+    and event.provider: "s3.amazonaws.com"
+    and event.action: "ListObjects"
+    and event.outcome: "success"
+    and aws.cloudtrail.user_identity.type: ("AWSAccount" or "Unknown")
+    and cloud.account.id: "anonymous"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1530"
+name = "Data from Cloud Storage"
+reference = "https://attack.mitre.org/techniques/T1530/"
+
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "cloud.account.id",
+    "aws.cloudtrail.user_identity.type",
+    "source.address",
+    "user_agent.original",
+    "aws.cloudtrail.resources.arn",
+    "event.action",
+    "event.outcome",
+    "cloud.region",
+    "aws.cloudtrail.request_parameters",
+]
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["source.address"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"
+
+