Techniques
Sample rules
Detect Web Access to Decommissioned S3 Bucket
- source: splunk
- techniques:
- T1485
Description
This detection identifies web requests to domains that match previously decommissioned S3 buckets through web proxy logs. This activity is significant because attackers may attempt to access or recreate deleted S3 buckets that were previously public to hijack them for malicious purposes. If successful, this could allow attackers to host malicious content or exfiltrate data through compromised bucket names that may still be referenced by legitimate applications.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Web.http_method) as http_method values(Web.http_user_agent) as http_user_agent values(Web.url) as url values(Web.user) as user from datamodel=Web where Web.url_domain!="" by Web.src Web.url_domain
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| eval bucket_domain = lower(url_domain)
| lookup decommissioned_buckets bucketName as bucket_domain OUTPUT bucketName as match
| where isnotnull(match)
| `detect_web_access_to_decommissioned_s3_bucket_filter`
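Added example, not part of the rule page or of the Splunk content above: a small Python re-implementation of the same detection logic, run over constructed web-proxy records so the matching and aggregation can be seen end to end. It assumes proxy records carry the CIM-style fields the query uses (src, url, http_method, http_user_agent, user, _time), that the `decommissioned_buckets` lookup is a set of lowercase bucket domain names (the query compares `lower(url_domain)` to `bucketName`, so path-style references such as `s3.amazonaws.com/bucket` are not matched by this logic), and that the trailing `_filter` macro is approximated by an optional allowlist of source addresses. All records and bucket names below are constructed for the example.

```python
"""Re-implementation of the "web access to decommissioned S3 bucket" logic
(added example; assumptions: CIM-like proxy fields, lookup holds domains)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Constructed stand-in for the Splunk `decommissioned_buckets` lookup.
# Entries are full bucket domains, lowercase, matching how the rule compares.
DECOMMISSIONED_BUCKETS = {
    "legacy-assets-2019.s3.amazonaws.com",
    "oldcorp-public-downloads.s3.us-west-2.amazonaws.com",
}

# Constructed proxy log records in the shape of the Web datamodel fields.
SAMPLE_PROXY_LOGS = [
    {"_time": "2024-05-01T10:00:00Z", "src": "10.1.2.3", "user": "alice",
     "http_method": "GET", "http_user_agent": "Mozilla/5.0",
     "url": "https://Legacy-Assets-2019.s3.amazonaws.com/js/app.js"},
    {"_time": "2024-05-01T10:05:00Z", "src": "10.1.2.3", "user": "alice",
     "http_method": "GET", "http_user_agent": "Mozilla/5.0",
     "url": "https://legacy-assets-2019.s3.amazonaws.com/css/app.css"},
    {"_time": "2024-05-01T11:00:00Z", "src": "10.9.9.9", "user": "bob",
     "http_method": "GET", "http_user_agent": "curl/8.0",
     "url": "https://example.com/index.html"},
    {"_time": "2024-05-01T12:00:00Z", "src": "10.5.5.5", "user": "svc-build",
     "http_method": "GET", "http_user_agent": "pip/24.0",
     "url": "https://oldcorp-public-downloads.s3.us-west-2.amazonaws.com/w.whl"},
    # Record with no host component: dropped by the url_domain!="" condition.
    {"_time": "2024-05-01T12:30:00Z", "src": "10.5.5.5", "user": "svc-build",
     "http_method": "GET", "http_user_agent": "pip/24.0", "url": "file:///tmp/x"},
]


@dataclass
class Hit:
    """One aggregated row per (src, url_domain), mirroring the tstats output."""
    src: str
    url_domain: str
    count: int = 0
    first_time: Optional[datetime] = None
    last_time: Optional[datetime] = None
    http_method: set = field(default_factory=set)
    http_user_agent: set = field(default_factory=set)
    url: set = field(default_factory=set)
    user: set = field(default_factory=set)


def url_domain(url: str) -> str:
    """Lowercased host of the URL, or "" when there is none (eval lower(url_domain))."""
    host = urlsplit(url).hostname
    return host.lower() if host else ""


def _parse_time(value: str) -> datetime:
    # Accept a trailing "Z" on older Python versions that lack it in fromisoformat.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect(records: Iterable[dict], lookup: set,
           allowlist_src: Iterable[str] = ()) -> list:
    """Aggregate requests by (src, domain), keep rows whose domain is in the
    decommissioned-bucket lookup, then apply an allowlist (the _filter macro)."""
    rows = {}
    for rec in records:
        domain = url_domain(rec["url"])
        if domain == "":                      # where Web.url_domain!=""
            continue
        key = (rec["src"], domain)
        hit = rows.setdefault(key, Hit(src=rec["src"], url_domain=domain))
        ts = _parse_time(rec["_time"])
        hit.count += 1
        hit.first_time = ts if hit.first_time is None else min(hit.first_time, ts)
        hit.last_time = ts if hit.last_time is None else max(hit.last_time, ts)
        hit.http_method.add(rec["http_method"])
        hit.http_user_agent.add(rec["http_user_agent"])
        hit.url.add(rec["url"])
        hit.user.add(rec["user"])
    allow = set(allowlist_src)
    # lookup ... | where isnotnull(match), then the site-specific filter macro
    return sorted(
        (h for h in rows.values() if h.url_domain in lookup and h.src not in allow),
        key=lambda h: (h.src, h.url_domain),
    )


if __name__ == "__main__":
    for h in detect(SAMPLE_PROXY_LOGS, DECOMMISSIONED_BUCKETS):
        print(h.src, h.url_domain, h.count, h.first_time, h.last_time, sorted(h.url))
```

Running the block prints one row per source and bucket domain; the two requests from 10.1.2.3 collapse into a single row with count 2 and the earlier and later timestamps as firstTime and lastTime, while the request to example.com never reaches the output. When tuning the real rule, the lookup entries must be domains in the same form the proxy records them (virtual-hosted bucket names), and the allowlist here plays the role of the `detect_web_access_to_decommissioned_s3_bucket_filter` macro for known build or migration hosts that legitimately still reference an old bucket.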