splunk · pyth0n1c · Feb 20, 2025 · Feb 12, 2025 · Feb 13, 2025 · Feb 13, 2025
@@ -0,0 +1,64 @@
+name: Baseline Of Open S3 Bucket Decommissioning
+id: 984e9022-b87b-499a-a260-8d0282c46ea2
+version: 1
+date: '2025-02-12'
+author: Jose Hernandez
+type: Baseline
+status: production
+description: |-
+  The following analytic identifies S3 buckets that were previously exposed to the public and have been subsequently deleted. It leverages AWS CloudTrail logs to track the lifecycle of potentially risky S3 bucket configurations. This activity is crucial for ensuring that public access to sensitive data is properly managed and decommissioned. By monitoring these events, organizations can ensure that exposed buckets are promptly deleted, reducing the risk of unauthorized access. Immediate investigation is recommended to confirm the proper decommissioning of these buckets and to ensure no sensitive data remains exposed. This baseline detection creates a lookup table of decommissioned buckets.csv and their associated events which can be used by detection searches to trigger alerts when decommissioned buckets are detected.
+
+  The  following detections searches leverage this baseline search and the lookup table.
+  * Detect DNS Query to Decommissioned S3 Bucket
+  * Detect Web Access to Decommissioned S3 Bucket
+search: '`cloudtrail` eventSource="s3.amazonaws.com"  (eventName=DeleteBucket OR eventName=PutBucketPolicy OR eventName=PutBucketWebsite)
+| spath input=_raw path=requestParameters.bucketName output=bucketName
+| spath input=_raw path=requestParameters.Host output=host
+| spath input=_raw path=requestParameters.bucketPolicy.Statement{} output=statements
+| spath input=statements output=principal path=Principal
+| spath input=statements output=effect path=Effect
+| spath input=statements output=action path=Action
+| stats values(eventName) as events, 
+        values(requestParameters.bucketPolicy) as policies, 
+        values(principal) as principals,
+        values(effect) as effects,
+        values(action) as actions,
+        min(_time) as firstEvent, 
+        max(_time) as lastEvent,
+        values(userIdentity.accountId) as accountIds,
+        values(userIdentity.arn) as userARNs,
+        values(awsRegion) as awsRegions,
+        values(host) as hosts
+    by bucketName
+| eval isPublicPolicy = if( (mvfind(principals, "\\*")>=0) AND (mvfind(effects, "Allow")>=0) AND (mvfind(actions, "s3:GetObject")>=0), 1, 0)
+| eval isWebsite = if(mvfind(events, "PutBucketWebsite")>=0, 1, 0)
+| eval is_open = if(isPublicPolicy==1 OR isWebsite==1, 1, 0)
+| where is_open==1 AND (mvfind(events, "DeleteBucket")>=0)
+| eval policy_details = if(isPublicPolicy==1, "Policy: Principal=" . mvjoin(principals, ", ") . " Effect=" . mvjoin(effects, ", ") . " Action=" . mvjoin(actions, ", "), "No Public Policy")
+| eval website_details = if(isWebsite==1, "Static Website Enabled", "No Website Hosting")
+| table bucketName, hosts, firstEvent, lastEvent, events, policy_details, website_details, accountIds, userARNs, awsRegions
+| outputlookup append=true decommissioned_buckets | `baseline_of_open_s3_bucket_decommissioning_filter`'
+how_to_implement: To implement this baseline, you need to have AWS CloudTrail logs being ingested into Splunk with the AWS Add-on properly configured. The search looks for S3 bucket events related to bucket policies, website hosting configuration, and bucket deletion. The results are stored in a lookup KVStore named decommissioned_buckets which tracks the history of deleted buckets that were previously exposed to the public.
+known_false_positives: Some buckets may be intentionally made public for legitimate business purposes before being decommissioned. Review the policy_details and website_details fields to understand the nature of the public access that was configured.
+references:
+- https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
+- https://labs.watchtowr.com/8-million-requests-later-we-made-the-solarwinds-supply-chain-attack-look-amateur/
+- https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/
+tags:
+  analytic_story:
+  - AWS S3 Bucket Security Monitoring
+  - Suspicious AWS S3 Activities
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  detections:
+  - Detect DNS Query to Decommissioned S3 Bucket
+  - Detect Web Access to Decommissioned S3 Bucket
+  security_domain: audit
+deployment:
+  scheduling:
+    cron_schedule: 0 2 * * 0
+    earliest_time: -30d@d
+    latest_time: -1d@d
+    schedule_window: auto
@@ -0,0 +1,60 @@
+name: Detect DNS Query to Decommissioned S3 Bucket
+id: 2f1c5fd1-4b8a-4f5d-a0e9-7d6a8e2f5e1e
+version: 1
+date: '2025-02-12'
+author: Jose Hernandez, Splunk
+status: experimental
+type: Anomaly
+description: This detection identifies DNS queries to domains that match previously decommissioned S3 buckets. This activity is significant because attackers may attempt to recreate deleted S3 buckets that were previously public to hijack them for malicious purposes. If successful, this could allow attackers to host malicious content or exfiltrate data through compromised bucket names that may still be referenced by legitimate applications.
+data_source:
+- Sysmon EventID 22
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.message_type=QUERY by DNS.query DNS.src 
+| `drop_dm_object_name("DNS")` 
+| `security_content_ctime(firstTime)` 
+| `security_content_ctime(lastTime)` 
+| eval bucket_domain = lower(query) 
+| lookup decommissioned_buckets bucketName as bucket_domain OUTPUT bucketName as match 
+| where isnotnull(match) 
+| `detect_dns_query_to_decommissioned_s3_bucket_filter`'
+how_to_implement: To successfully implement this detection, you need to be ingesting DNS query logs and have them mapped to the Network_Resolution data model. Additionally, ensure that the baseline search "Baseline Of Open S3 Bucket Decommissioning" is running and populating the decommissioned_buckets KVstore lookup.
+known_false_positives: Some applications or scripts may continue to reference old S3 bucket names after they have been decommissioned. These should be investigated and updated to prevent potential security risks.
+references:
+- https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
+- https://labs.watchtowr.com/8-million-requests-later-we-made-the-solarwinds-supply-chain-attack-look-amateur/
+drilldown_searches:
+- name: DNS Activity for Host
+  search: '| from datamodel:Network_Resolution | search src="$src$"'
+  earliest_offset: -7d@d
+  latest_offset: now
+rba:
+  message: A DNS query to decommissioned S3 bucket $query$ was detected from host $src$
+  risk_objects:
+  - field: src
+    type: system
+    score: 30
+  threat_objects:
+  - field: query
+    type: domain
+tags:
+  analytic_story:
+  - AWS S3 Bucket Security Monitoring
+  - Data Destruction
+  asset_type: Network
+  mitre_attack_id:
+  - T1485
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: network
+tests:
+- name: Baseline Dataset Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/decommissioned_buckets/cloudtrail.json
+    source: cloudtrail
+    sourcetype: aws:cloudtrail
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/decommissioned_buckets/dns.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog
@@ -0,0 +1,64 @@
+name: Detect Web Access to Decommissioned S3 Bucket
+id: 3a1d8f62-5b9c-4e7d-b8f3-9d6a8e2f5e1f
+version: 1
+date: '2025-02-12'
+author: Jose Hernandez, Splunk
+status: experimental
+type: Anomaly
+description: This detection identifies web requests to domains that match previously decommissioned S3 buckets through web proxy logs. This activity is significant because attackers may attempt to access or recreate deleted S3 buckets that were previously public to hijack them for malicious purposes. If successful, this could allow attackers to host malicious content or exfiltrate data through compromised bucket names that may still be referenced by legitimate applications.
+data_source:
+- AWS Cloudfront
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Web.http_method) as http_method values(Web.http_user_agent) as http_user_agent values(Web.url) as url values(Web.user) as user from datamodel=Web where Web.url_domain!="" by Web.src Web.url_domain 
+| `drop_dm_object_name("Web")` 
+| `security_content_ctime(firstTime)` 
+| `security_content_ctime(lastTime)` 
+| eval bucket_domain = lower(url_domain) 
+| lookup decommissioned_buckets bucketName as bucket_domain OUTPUT bucketName as match 
+| where isnotnull(match) 
+| `detect_web_access_to_decommissioned_s3_bucket_filter`'
+how_to_implement: To successfully implement this detection, you need to be ingesting web proxy logs and have them mapped to the Web data model. Additionally, ensure that the baseline search "Baseline Of Open S3 Bucket Decommissioning" is running and populating the decommissioned_buckets KVStore Lookup.
+known_false_positives: Some applications or web pages may continue to reference old S3 bucket URLs after they have been decommissioned. These should be investigated and updated to prevent potential security risks.
+references:
+- https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
+- https://labs.watchtowr.com/8-million-requests-later-we-made-the-solarwinds-supply-chain-attack-look-amateur/
+drilldown_searches:
+- name: Web Activity for Host and User
+  search: '| from datamodel:Web | search src="$src$" user="$user$"'
+  earliest_offset: -7d@d
+  latest_offset: now
+- name: Investigate traffic to domain
+  search: '| from datamodel:Web | search src="$src$" url_domain="$url_domain$"'
+  earliest_offset: -7d@d
+  latest_offset: now
+rba:
+  message: A web request to decommissioned S3 bucket domain $url_domain$ was detected from host $src$ by user $user$
+  risk_objects:
+  - field: src
+    type: system
+    score: 30
+  threat_objects:
+  - field: url_domain
+    type: domain
+tags:
+  analytic_story:
+  - AWS S3 Bucket Security Monitoring
+  - Data Destruction
+  asset_type: S3 Bucket
+  mitre_attack_id:
+  - T1485
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: network
+tests:
+- name: Baseline Dataset Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/decommissioned_buckets/cloudtrail.json
+    source: cloudtrail
+    sourcetype: aws:cloudtrail
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/decommissioned_buckets/web_cloudfront_access.log
+    source: aws_cloudfront_accesslogs
+    sourcetype: aws:cloudfront:accesslogs
@@ -0,0 +1,21 @@
+name: decommissioned_buckets
+date: 2025-02-14
+version: 1
+id: b3a95eff-87cf-40f3-b6e0-5b1a11eed68f
+author: Bhavin Patel
+lookup_type: kvstore
+default_match: false
+description: A lookup table of decommissioned S3 buckets created by baseline - Baseline of Open S3 Bucket Decommissioning. This lookup table is used by detections searches to trigger alerts when decommissioned buckets are detected.
+min_matches: 1
+fields: 
+- _key
+- bucketName
+- hosts
+- firstEvent
+- lastEvent
+- events
+- policy_details
+- website_details
+- accountIds
+- userARNs
+- awsRegions
@@ -0,0 +1,31 @@
+name: AWS S3 Bucket Security Monitoring
+id: 8d74f258-d69e-4e4f-b7b3-57c0bdc772b5
+version: 1
+date: '2025-02-12'
+author: Jose Hernandez, Splunk
+status: production
+description: This analytic story contains detections that monitor AWS S3 bucket configurations, access patterns, and potential security risks, with a specific focus on tracking decommissioned public buckets to prevent bucket hijacking attempts.
+narrative: 'Amazon Simple Storage Service (S3) is a widely used object storage service that allows organizations to store and retrieve any amount of data. While S3 buckets are private by default, they can be configured for public access through bucket policies or static website hosting. This flexibility, while useful for legitimate purposes, can also lead to security risks if not properly managed.
+
+  A particularly concerning attack vector is the hijacking of decommissioned S3 buckets. When a public S3 bucket is deleted, its unique name becomes available for anyone to claim. Attackers can monitor for deleted buckets that were previously public and attempt to recreate them, potentially intercepting data from applications that still reference these buckets or using them to host malicious content.
+
+  This analytic story focuses on:
+  1. Tracking S3 buckets that were public (via policy or website hosting) before deletion
+  2. Detecting attempts to access or query these decommissioned bucket names
+  3. Identifying potential bucket hijacking attempts
+  4. Helping organizations maintain proper S3 bucket hygiene and prevent security incidents related to bucket name reuse
+
+  The detections in this story leverage AWS CloudTrail logs, DNS queries, and web proxy data to provide comprehensive monitoring of S3 bucket lifecycle and access patterns.'
+references:
+- https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
+- https://labs.watchtowr.com/8-million-requests-later-we-made-the-solarwinds-supply-chain-attack-look-amateur/
+- https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/
+tags:
+  category:
+  - Cloud Security
+  product:
+  - Splunk Security Analytics for AWS
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  usecase: Security Monitoring