T1619 - Cloud Storage Object Discovery
Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to File and Directory Discovery on a local host, after identifying available storage services (i.e. Cloud Infrastructure Discovery) adversaries may access the contents/objects stored in cloud infrastructure.
Cloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS (Citation: ListObjectsV2) and List Blobs in Azure (Citation: List Blobs).
Atomic Tests
Atomic Test #1 - AWS S3 Enumeration
This test will enumerate all the S3 buckets in the user account and list all the files in each bucket.
Supported Platforms: iaas:aws
Elevation Required (e.g. root or admin)
Dependencies: Run with sh!
Description: Check if the ~/.aws/credentials file has a default stanza configured
Check Prereq Commands:
cat ~/.aws/credentials | grep "default"
Get Prereq Commands:
echo Please install the aws-cli and configure your AWS default profile using: aws configure
Invoke-AtomicTest T1619 -TestNumbers 1 -GetPreReqs
Attack Commands: Run with sh
for bucket in $(aws s3 ls | cut -d " " -f3); do aws s3api list-objects-v2 --bucket "$bucket" --output text; done
Invoke-AtomicTest T1619 -TestNumbers 1
Detection
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained. Monitor cloud logs for API calls used for file or object enumeration for unusual activity.
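One way to apply this monitoring to CloudTrail records, as an added example that is not part of Atomic Red Team or ATT&CK: it flags any principal that lists objects in several distinct buckets within a short window, which is the pattern the test above produces. It assumes S3 data events are enabled on the trail and that object listing is recorded under the event names in LIST_EVENTS; the thresholds, ARNs and bucket names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed CloudTrail event names for object listing (S3 data events).
LIST_EVENTS = {"ListObjects", "ListObjectsV2", "ListObjectVersions"}
WINDOW = timedelta(minutes=5)  # assumed threshold, tune per environment
MIN_BUCKETS = 3                # assumed threshold, tune per environment

def find_bucket_sweeps(records, window=WINDOW, min_buckets=MIN_BUCKETS):
    """Return {principal ARN: buckets} for principals that attempted to list
    objects in >= min_buckets distinct buckets inside one sliding window.
    Denied attempts (errorCode set) are counted as well."""
    per_principal = defaultdict(list)
    for r in records:
        if (r.get("eventSource") != "s3.amazonaws.com"
                or r.get("eventName") not in LIST_EVENTS):
            continue
        bucket = (r.get("requestParameters") or {}).get("bucketName")
        arn = (r.get("userIdentity") or {}).get("arn")
        if bucket and arn:
            ts = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            per_principal[arn].append((ts, bucket))
    findings = {}
    for arn, calls in per_principal.items():
        calls.sort()
        start = 0
        for end in range(len(calls)):
            while calls[end][0] - calls[start][0] > window:
                start += 1  # drop calls that fell out of the window
            buckets = {b for _, b in calls[start:end + 1]}
            if len(buckets) >= min_buckets:
                findings[arn] = sorted(buckets)
                break
    return findings

# Constructed sample records (not real logs).
USER = "arn:aws:iam::111122223333:user/atomic-test"
APP = "arn:aws:iam::111122223333:role/app-role"

def _evt(t, arn, bucket, name="ListObjects"):
    return {"eventTime": t, "eventSource": "s3.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": arn}, "requestParameters": {"bucketName": bucket}}

SAMPLE = [
    _evt("2024-05-01T10:00:01Z", USER, "example-logs"),
    _evt("2024-05-01T10:00:02Z", USER, "example-backups"),
    _evt("2024-05-01T10:00:03Z", USER, "example-finance"),
    _evt("2024-05-01T09:00:00Z", APP, "example-logs"),
    _evt("2024-05-01T09:30:00Z", APP, "example-backups"),
    _evt("2024-05-01T11:00:00Z", APP, "example-finance"),
    _evt("2024-05-01T10:00:04Z", APP, "example-logs", "GetObject"),
]
```

Calling find_bucket_sweeps(SAMPLE) reports only the user that swept three buckets within seconds; the role that touched the same buckets over two hours stays below the threshold.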