T1619 - Cloud Storage Object Discovery

Description from ATT&CK

Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) on a local host, after identifying available storage services (i.e. [Cloud Infrastructure Discovery](https://attack.mitre.org/techniques/T1580)) adversaries may access the contents/objects stored in cloud infrastructure. Cloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS (Citation: ListObjectsV2) and List Blobs in Azure(Citation: List Blobs) .

Atomic Tests

• Atomic Test #1 - AWS S3 Enumeration

Atomic Test #1 - AWS S3 Enumeration

This test will enumerate all the S3 buckets in the user account and lists all the files in each bucket.

Supported Platforms: Iaas:aws

auto_generated_guid: 3c7094f8-71ec-4917-aeb8-a633d7ec4ef5

Attack Commands: Run with

1

sh

!

1
for bucket in "$(aws s3 ls | cut -d " " -f3)"; do aws s3api list-objects-v2 --bucket $bucket --output text; done

Dependencies: Run with

1

sh

!

Description: Check if ~/.aws/credentials file has a default stanza is configured

Check Prereq Commands:

1
cat ~/.aws/credentials | grep "default"

Get Prereq Commands:

1
echo Please install the aws-cli and configure your AWS default profile using: aws configure