Techniques
Sample rules
AWS S3 Bucket Enumeration or Brute Force
- source: elastic
- techniques:
- T1530
- T1580
- T1657
Description
Identifies a high number of failed S3 operations from a single source and account (or anonymous account) within a short timeframe. This activity can indicate an attempt to inflate an account's bill through excessive random operations, to exhaust resources, or to enumerate bucket names for discovery.
Detection logic
from logs-aws.cloudtrail*
| where
    event.provider == "s3.amazonaws.com"
    and aws.cloudtrail.error_code == "AccessDenied"
    and tls.client.server_name is not null
    and cloud.account.id is not null
// keep only relevant ECS fields
| keep
    tls.client.server_name,
    source.address,
    cloud.account.id
// count access denied requests per server_name, source, and account
| stats
    Esql.event_count = count(*)
    by
    tls.client.server_name,
    source.address,
    cloud.account.id
// Threshold: more than 40 denied requests
| where Esql.event_count > 40
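The same filter, grouping and threshold as the ES|QL above, run in Python over a constructed batch of CloudTrail records; this is an added example, not part of the Elastic rule. The raw-CloudTrail-to-ECS field mapping (eventSource, errorCode, sourceIPAddress, recipientAccountId, tlsDetails.clientProvidedHostHeader) is an assumption, and the lookback window that the rule schedule applies is assumed to have already been applied to the batch.

```python
from collections import Counter

THRESHOLD = 40  # same as the rule: strictly more than 40 denials

def cloudtrail_record(src_ip, account, host, error_code=None):
    """Build a minimal constructed CloudTrail S3 record (not a real log)."""
    rec = {
        "eventSource": "s3.amazonaws.com",
        "eventName": "ListObjects",
        "sourceIPAddress": src_ip,
        "recipientAccountId": account,
        "tlsDetails": {"clientProvidedHostHeader": host} if host else None,
    }
    if error_code:
        rec["errorCode"] = error_code
    return rec

def to_ecs(rec):
    """Assumed mapping of raw CloudTrail fields onto the ECS names the rule uses."""
    tls = rec.get("tlsDetails") or {}
    return {
        "event.provider": rec.get("eventSource"),
        "aws.cloudtrail.error_code": rec.get("errorCode"),
        "tls.client.server_name": tls.get("clientProvidedHostHeader"),
        "source.address": rec.get("sourceIPAddress"),
        "cloud.account.id": rec.get("recipientAccountId"),
    }

def detect(records, threshold=THRESHOLD):
    """Mirror the ES|QL: filter, keep three fields, count by them, apply threshold."""
    counts = Counter()
    for ecs in map(to_ecs, records):
        if ecs["event.provider"] != "s3.amazonaws.com":
            continue
        if ecs["aws.cloudtrail.error_code"] != "AccessDenied":
            continue
        if ecs["tls.client.server_name"] is None or ecs["cloud.account.id"] is None:
            continue
        key = (ecs["tls.client.server_name"], ecs["source.address"], ecs["cloud.account.id"])
        counts[key] += 1
    return {key: n for key, n in counts.items() if n > threshold}

# Constructed batch: 41 denials from one source, 3 from another, 5 successes,
# and 2 denials with no TLS host header (dropped by the "is not null" filter).
HOST, ACCT = "example-bucket.s3.amazonaws.com", "123456789012"
SAMPLE_BATCH = (
    [cloudtrail_record("198.51.100.7", ACCT, HOST, "AccessDenied")] * 41
    + [cloudtrail_record("203.0.113.9", ACCT, HOST, "AccessDenied")] * 3
    + [cloudtrail_record("198.51.100.7", ACCT, HOST)] * 5
    + [cloudtrail_record("198.51.100.7", ACCT, None, "AccessDenied")] * 2
)

if __name__ == "__main__":
    for (host, src, acct), n in detect(SAMPLE_BATCH).items():
        print(f"ALERT {n} AccessDenied on {host} from {src} in account {acct}")
```

Only the 41-denial source crosses the threshold; the 3-denial source, the successful calls and the records lacking a TLS host header produce no alert, matching what the ES|QL rule would emit.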