LoFP / Some applications or scripts may continue to reference old S3 bucket names after the buckets have been decommissioned. These stale references should be investigated and updated: S3 bucket names are globally unique, so once a bucket is deleted anyone can recreate it under the same name, and a client that still resolves that name will talk to whoever now owns it.

Techniques

Sample rules

Detect DNS Query to Decommissioned S3 Bucket

Description

This detection identifies DNS queries for hostnames that match previously decommissioned S3 buckets. The activity matters because S3 bucket names are globally unique: once a bucket is deleted, an attacker can recreate it under the same name in their own account, and if the bucket was previously public its old name may still be resolved by legitimate applications, scripts, or documentation. A successful takeover lets the attacker serve malicious content to those clients or receive data that applications still upload to the old name. A DNS query from an internal host for such a name therefore indicates either a stale reference that needs to be fixed or a client already interacting with a hijacked bucket.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.message_type=QUERY by DNS.query DNS.src 
| `drop_dm_object_name("DNS")` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| eval bucket_domain = lower(query) 
| lookup decommissioned_buckets bucketName as bucket_domain OUTPUT bucketName as match 
| where isnotnull(match) 
| `detect_dns_query_to_decommissioned_s3_bucket_filter`
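The Splunk search above compares the lowercased DNS query string directly with the `bucketName` column of the `decommissioned_buckets` lookup, so the lookup has to hold names in exactly the form that appears in `DNS.query`. The following Python is an added example (not the Splunk rule or Splunk's code) that runs the same logic over a handful of constructed DNS resolution records; it additionally extracts the bare bucket name from the virtual-hosted-style S3 hostname (regional, legacy dashed, dualstack and website endpoints) so the lookup can contain plain bucket names, and it shows the caveat that path-style access (`s3.amazonaws.com/<bucket>`) never exposes the bucket name in DNS. The bucket names, source addresses and timestamps are invented.

```python
"""Re-implementation of the DNS-to-decommissioned-bucket detection over
constructed DNS query records. Added example; not the Splunk rule itself.
All bucket names, hosts and timestamps below are made up."""
import re

# Constructed stand-in for the `decommissioned_buckets` lookup (bare names).
DECOMMISSIONED_BUCKETS = {"legacy-assets-prod", "old-reports-2019"}

# Virtual-hosted-style S3 endpoints: <bucket>.s3.amazonaws.com,
# <bucket>.s3.<region>.amazonaws.com, <bucket>.s3-<region>.amazonaws.com,
# <bucket>.s3.dualstack.<region>.amazonaws.com, <bucket>.s3-website-<region>...
# The greedy `.+` keeps bucket names that themselves contain dots intact.
_S3_HOST = re.compile(r"^(?P<bucket>.+)\.s3(?:[.-][a-z0-9.-]+)?\.amazonaws\.com$")


def bucket_from_query(query: str):
    """Return the bucket name carried in a virtual-hosted-style S3 query,
    or None. Path-style access (s3.amazonaws.com/<bucket>) only resolves
    the regional endpoint, so the bucket name is invisible to DNS-based
    detection and this returns None for it."""
    host = query.strip().lower().rstrip(".")  # DNS logs often end in '.'
    m = _S3_HOST.match(host)
    return m.group("bucket") if m else None


def detect(records, decommissioned=DECOMMISSIONED_BUCKETS):
    """Mirror the tstats/lookup pipeline: keep message_type=QUERY records
    whose bucket is in the lookup and aggregate count, firstTime and
    lastTime by (src, bucket)."""
    hits = {}
    for r in records:
        if r.get("message_type") != "QUERY":
            continue
        bucket = bucket_from_query(r["query"])
        if bucket is None or bucket not in decommissioned:
            continue
        key = (r["src"], bucket)
        h = hits.setdefault(key, {"src": r["src"], "bucket": bucket, "count": 0,
                                  "firstTime": r["_time"], "lastTime": r["_time"]})
        h["count"] += 1
        h["firstTime"] = min(h["firstTime"], r["_time"])
        h["lastTime"] = max(h["lastTime"], r["_time"])
    return sorted(hits.values(), key=lambda h: (h["src"], h["bucket"]))


# Constructed DNS resolution records using Network_Resolution-style fields.
SAMPLE_RECORDS = [
    {"_time": 1700000000, "src": "10.0.1.15", "message_type": "QUERY",
     "query": "legacy-assets-prod.s3.amazonaws.com"},
    {"_time": 1700000060, "src": "10.0.1.15", "message_type": "QUERY",
     "query": "Legacy-Assets-Prod.s3.us-east-1.amazonaws.com."},  # mixed case, trailing dot
    {"_time": 1700000120, "src": "10.0.2.7", "message_type": "QUERY",
     "query": "old-reports-2019.s3-website-eu-west-1.amazonaws.com"},
    {"_time": 1700000180, "src": "10.0.2.7", "message_type": "RESPONSE",
     "query": "old-reports-2019.s3-website-eu-west-1.amazonaws.com"},  # not a QUERY
    {"_time": 1700000240, "src": "10.0.3.9", "message_type": "QUERY",
     "query": "current-assets.s3.amazonaws.com"},  # live bucket, not in lookup
    {"_time": 1700000300, "src": "10.0.3.9", "message_type": "QUERY",
     "query": "s3.amazonaws.com"},  # path-style access: bucket not visible in DNS
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_RECORDS):
        print(hit)
```

Running the block prints two hits: `10.0.1.15` queried `legacy-assets-prod` twice (once via the global and once via the regional endpoint, with the first and last timestamps spanning both) and `10.0.2.7` queried `old-reports-2019` once, the RESPONSE record having been excluded. The queries for the live bucket and for the bare regional endpoint produce nothing, which is also why an attacker who forces clients onto path-style URLs would not be caught by a DNS-only rule.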