T1530
Data from Cloud Storage Object
Description from ATT&CK
Adversaries may access data objects from improperly secured cloud storage.
Many cloud service providers offer solutions for online data storage such as Amazon S3, Azure Storage, and Google Cloud Storage. These solutions differ from other storage solutions (such as SQL or Elasticsearch) in that there is no overarching application. Data from these solutions can be retrieved directly using the cloud provider's APIs. Solution providers typically offer security guides to help end users configure systems.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019)
Misconfiguration by end users is a common problem. There have been numerous incidents where cloud storage has been improperly secured (typically by unintentionally allowing public access by unauthenticated users or overly-broad access by all users), allowing open access to credit cards, personally identifiable information, medical records, and other sensitive information.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017) Adversaries may also obtain leaked credentials in source repositories, logs, or other means as a way to gain access to cloud storage objects that have access permission controls.
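On Azure the misconfiguration described above has two parts: a container whose public access level is `Blob` (objects readable by anyone who knows the URL) or `Container` (also anonymously listable), and the account-level `AllowBlobPublicAccess` setting that decides whether container levels matter at all. The following audit is an added example, not code from ATT&CK or Atomic Red Team; it assumes the Az.Accounts and Az.Storage modules and an authenticated `Connect-AzAccount` session, and the function name is my own.

```powershell
# Added example, not from ATT&CK or Atomic Red Team: audit the Azure side of the
# misconfiguration described above with the Az.Storage module (Connect-AzAccount
# first). Read-only by default; -Remediate turns off public blob access at the
# account level, which overrides every container ACL in that account.
function Get-PublicBlobExposure {
    [CmdletBinding()]
    param([switch]$Remediate)

    foreach ($sa in Get-AzStorageAccount) {
        # Account-level switch. $false: no anonymous access regardless of container settings.
        # $null: never explicitly set, so do not treat it as safe; keep looking at containers.
        $allowPublic = $sa.AllowBlobPublicAccess
        if ($allowPublic -eq $false) { continue }

        # Management-plane container listing: needs no storage key, Reader rights suffice.
        $exposed = Get-AzRmStorageContainer -ResourceGroupName $sa.ResourceGroupName `
                                            -StorageAccountName $sa.StorageAccountName `
                                            -ErrorAction SilentlyContinue |
            Where-Object { "$($_.PublicAccess)" -notin @('None', 'Off') }

        foreach ($c in $exposed) {
            [pscustomobject]@{
                StorageAccount        = $sa.StorageAccountName
                ResourceGroup         = $sa.ResourceGroupName
                Container             = $c.Name
                PublicAccess          = "$($c.PublicAccess)"   # Blob: readable by URL; Container: also listable
                AllowBlobPublicAccess = $allowPublic
                # The exact URL an unauthenticated party would use to list the container.
                ListUrl               = "https://$($sa.StorageAccountName).blob.core.windows.net/$($c.Name)?restype=container&comp=list"
            }
        }

        if ($Remediate -and $exposed) {
            Set-AzStorageAccount -ResourceGroupName $sa.ResourceGroupName -Name $sa.StorageAccountName `
                                 -AllowBlobPublicAccess $false | Out-Null
        }
    }
}

# Usage: Get-PublicBlobExposure | Format-Table
# Usage: Get-PublicBlobExposure -Remediate
```

The report uses the management plane rather than the data plane, so it does not need account keys and does not itself touch the blob endpoint; the `ListUrl` column is what to feed to an anonymous probe (such as the tests below) to confirm the exposure from outside.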
Atomic Tests
Atomic Test #1 - Azure - Enumerate Azure Blobs with MicroBurst
Upon successful execution, this test uses a wordlist to build permutations of a base keyword (for example, a storage account name), checks which of the resulting storage account names exist, and then enumerates the public-facing containers and blobs of each one. See https://www.netspi.com/blog/technical/cloud-penetration-testing/anonymously-enumerating-azure-file-resources/.
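The enumeration above works because storage account names are globally unique DNS labels (3 to 24 characters, lowercase letters and digits only): a candidate name either resolves under `blob.core.windows.net` or it does not, so existence can be confirmed with DNS alone before any HTTP request is made. The block below is an added example, not part of the Atomic Red Team test or of MicroBurst; the base word and the short permutation list are constructed for the demo, and the function names are my own. Because names are global, a permutation scan necessarily touches accounts belonging to other tenants, so run it only against names you own or are authorized to test.

```powershell
# Added example (not Atomic Red Team or MicroBurst code): the existence check that
# precedes container probing. Candidate names are built from a base word and a
# permutation list, filtered by Azure's naming rules, then resolved in DNS.
# $Base and $Permutations are constructed sample inputs.

$Base = 'secure'
$Permutations = @('', 'dev', 'test', 'prod', 'backup', 'data', 'logs', 'blob', 'storage')

function Get-CandidateStorageNames {
    param(
        [Parameter(Mandatory)][string]$Base,
        [Parameter(Mandatory)][string[]]$Permutations
    )
    # Prefix and suffix each permutation; the empty permutation yields the bare base word.
    $names = foreach ($p in $Permutations) {
        if ($p -eq '') { $Base } else { "$Base$p"; "$p$Base" }
    }
    # Drop anything that cannot be a storage account name (3-24 chars, [a-z0-9] only).
    $names |
        ForEach-Object { $_.ToLowerInvariant() } |
        Where-Object { $_ -match '^[a-z0-9]{3,24}$' } |
        Sort-Object -Unique
}

function Test-StorageAccountExists {
    param([Parameter(Mandatory)][string]$Name)
    # An account exists iff <name>.blob.core.windows.net resolves. A non-existent
    # account gives NXDOMAIN, which GetHostEntry surfaces as an exception.
    $fqdn = "$Name.blob.core.windows.net"
    try {
        $null = [System.Net.Dns]::GetHostEntry($fqdn)
        [pscustomobject]@{ Name = $Name; Fqdn = $fqdn; Exists = $true }
    }
    catch {
        [pscustomobject]@{ Name = $Name; Fqdn = $fqdn; Exists = $false }
    }
}

# Usage: print only the candidates that resolve, i.e. the accounts worth probing for
# anonymously readable containers.
Get-CandidateStorageNames -Base $Base -Permutations $Permutations |
    ForEach-Object { Test-StorageAccountExists -Name $_ } |
    Where-Object Exists |
    Format-Table Name, Fqdn
```

Keeping the DNS stage separate from the HTTP stage matters on both sides: an attacker makes far fewer, quieter requests to the blob endpoint, and a defender who wants to detect this activity should not expect to see it in storage access logs until the second stage begins.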
Supported Platforms: iaas:azure
auto_generated_guid: 3dab4bcc-667f-4459-aea7-4162dd2d6590
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| base | Azure blob keyword to enumerate (for example, a storage account name) | String | secure |
| output_file | File to output results to | String | $env:temp\T1530Test1.txt |
| wordlist | File path to keywords for search permutations | String | $env:temp\permutations.txt |
Attack Commands: Run with powershell!
```powershell
import-module "$env:temp\Invoke-EnumerateAzureBlobs.ps1"
Invoke-EnumerateAzureBlobs -base #{base} -permutations #{wordlist} -outputfile "#{output_file}"
```
Cleanup Commands:
```powershell
remove-item #{output_file} -erroraction silentlycontinue
```
Dependencies: Run with powershell!
Description: The Invoke-EnumerateAzureBlobs module must exist in $env:temp.
Check Prereq Commands:
```powershell
if (test-path $env:temp\Invoke-EnumerateAzureBlobs.ps1){exit 0} else {exit 1}
```
Get Prereq Commands:
```powershell
invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/156c4e9f4253b482b2b68eda4651116b9f0f2e17/Misc/Invoke-EnumerateAzureBlobs.ps1" -outfile "$env:temp\Invoke-EnumerateAzureBlobs.ps1"
```
Description: The wordlist file for search permutations must exist in $env:temp.
Check Prereq Commands:
```powershell
if (test-path #{wordlist}){exit 0} else {exit 1}
```
Get Prereq Commands:
```powershell
invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/156c4e9f4253b482b2b68eda4651116b9f0f2e17/Misc/permutations.txt" -outfile "#{wordlist}"
```
Atomic Test #2 - Azure - Scan for Anonymous Access to Azure Storage (Powershell)
Upon successful execution, this test checks for anonymous access to an Azure storage container (and optionally a blob within it) by issuing an unauthenticated web request and writing the response to a file. The response is what tells the cases apart: a 2xx with content means the listing or object is publicly readable; a failed request carries Azure's XML error body with a code such as ResourceNotFound, ContainerNotFound or PublicAccessNotPermitted; and a request that never gets an HTTP response because the hostname does not resolve means the storage account itself does not exist. See https://ninocrudele.com/the-three-most-effective-and-dangerous-cyberattacks-to-azure-and-countermeasures-part-2-attack-the-azure-storage-service
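The following is an added example, not part of the Atomic Red Team test, showing how to turn the raw response the test writes to disk into a verdict. The verdict logic is kept separate from the HTTP call so it can be exercised offline against constructed responses whose shapes follow the Blob service REST API; the function names, the sample account and container names, and the verdict labels are my own.

```powershell
# Added example (not part of the Atomic Red Team test): probe one container or
# blob anonymously and turn Azure's answer into a verdict. Get-AnonymousAccessVerdict
# is pure and is demonstrated at the bottom against constructed responses.

# Windows PowerShell 5.1 needs System.Net.Http loaded explicitly; PowerShell 7 has it.
if (-not ('System.Net.Http.HttpClient' -as [type])) { Add-Type -AssemblyName System.Net.Http }

function Get-AnonymousAccessVerdict {
    param(
        [Parameter(Mandatory)][int]$StatusCode,
        [AllowEmptyString()][string]$Body = ''
    )
    # Listings and errors both arrive as XML; a 200 on a blob URL is the blob's own bytes.
    $xml = $null
    if ($Body -match '^\s*<') { try { $xml = [xml]$Body } catch { $xml = $null } }
    $errorCode = if ($xml -and $xml.Error) { [string]$xml.Error.Code } else { '' }

    if ($StatusCode -eq 200 -and $xml -and $xml.EnumerationResults) {
        # Only a container whose public access level is "Container" answers a list request.
        $blobs = @($xml.EnumerationResults.Blobs.Blob | Where-Object { $_ } | ForEach-Object { $_.Name })
        return [pscustomobject]@{ Verdict = 'PublicContainer'; Detail = "listable, $($blobs.Count) blob(s)"; Blobs = $blobs }
    }
    if ($StatusCode -eq 200) {
        # Public access level "Blob": readable by URL, but the container is not listable.
        return [pscustomobject]@{ Verdict = 'PublicBlob'; Detail = "$($Body.Length) bytes served"; Blobs = @() }
    }
    if ($StatusCode -eq 409 -and $errorCode -eq 'PublicAccessNotPermitted') {
        # Account-level AllowBlobPublicAccess is off; container ACLs cannot override it.
        return [pscustomobject]@{ Verdict = 'AccountBlocksPublicAccess'; Detail = $errorCode; Blobs = @() }
    }
    if ($StatusCode -eq 404) {
        # ResourceNotFound / ContainerNotFound: nothing readable anonymously here. Do not
        # read container existence into which 404 code came back; treat both as "not exposed".
        return [pscustomobject]@{ Verdict = 'NotAnonymouslyReadable'; Detail = $errorCode; Blobs = @() }
    }
    return [pscustomobject]@{ Verdict = 'Other'; Detail = "HTTP $StatusCode $errorCode".Trim(); Blobs = @() }
}

function Test-AnonymousBlobAccess {
    param(
        [Parameter(Mandatory)][string]$AccountName,
        [Parameter(Mandatory)][string]$ContainerName,
        [string]$BlobName
    )
    # Without a blob name, request a container listing; with one, fetch that blob.
    if ($BlobName) { $uri = "https://$AccountName.blob.core.windows.net/$ContainerName/$BlobName" }
    else           { $uri = "https://$AccountName.blob.core.windows.net/${ContainerName}?restype=container&comp=list" }

    # HttpClient does not throw on 4xx/5xx, so the error body is read like any other.
    $client = [System.Net.Http.HttpClient]::new()
    try {
        $resp = $client.GetAsync($uri).GetAwaiter().GetResult()
        $body = $resp.Content.ReadAsStringAsync().GetAwaiter().GetResult()
        $verdict = Get-AnonymousAccessVerdict -StatusCode ([int]$resp.StatusCode) -Body $body
    }
    catch {
        # No HTTP response at all; for *.blob.core.windows.net that is almost always NXDOMAIN, i.e. no such account.
        $verdict = [pscustomobject]@{ Verdict = 'AccountNotFound'; Detail = $_.Exception.GetBaseException().Message; Blobs = @() }
    }
    finally { $client.Dispose() }
    $verdict | Add-Member -NotePropertyName Uri -NotePropertyValue $uri -PassThru
}

# Constructed responses (shapes follow the Blob service REST API) to show each verdict offline.
$samples = @(
    @{ Status = 200; Body = '<?xml version="1.0" encoding="utf-8"?><EnumerationResults ServiceEndpoint="https://acct.blob.core.windows.net/" ContainerName="backups"><Blobs><Blob><Name>db.bak</Name></Blob><Blob><Name>keys.json</Name></Blob></Blobs><NextMarker /></EnumerationResults>' },
    @{ Status = 404; Body = '<?xml version="1.0" encoding="utf-8"?><Error><Code>ResourceNotFound</Code><Message>The specified resource does not exist.</Message></Error>' },
    @{ Status = 409; Body = '<?xml version="1.0" encoding="utf-8"?><Error><Code>PublicAccessNotPermitted</Code><Message>Public access is not permitted on this storage account.</Message></Error>' }
)
$samples | ForEach-Object { Get-AnonymousAccessVerdict -StatusCode $_.Status -Body $_.Body } | Format-Table Verdict, Detail

# Live use against an account you are authorized to test (placeholder names):
# Test-AnonymousBlobAccess -AccountName 'examplestorage' -ContainerName 'backups'
# Test-AnonymousBlobAccess -AccountName 'examplestorage' -ContainerName 'backups' -BlobName 'db.bak'
```

Using `HttpClient` rather than `Invoke-WebRequest` sidesteps the version split the test's own command runs into: `Invoke-WebRequest` throws a `WebException` on Windows PowerShell 5.1 but an `HttpResponseException` on PowerShell 7, and the error body has to be recovered differently in each, whereas `HttpClient` hands back status and body uniformly.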
Supported Platforms: iaas:azure
auto_generated_guid: 146af1f1-b74e-4aa7-9895-505eb559b4b0
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| base_name | Azure storage account name to test | String | T1530Test2 |
| output_file | File to output results to | String | $env:temp\T1530Test2.txt |
| container_name | Container name to search for (optional) | String | None |
| blob_name | Blob name to search for (optional) | String | None |
Attack Commands: Run with powershell!
```powershell
# Anonymous GET; Invoke-WebRequest throws for non-2xx, so error bodies are read
# from the exception. ([System.Net.WebException] is what Windows PowerShell 5.1
# throws; PowerShell 7 throws HttpResponseException instead.)
try {
    $response = invoke-webrequest "https://#{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}" -method "GET"
    $responseBody = $response.Content   # 2xx: the listing or blob was served anonymously
}
catch [system.net.webexception] {
    if ($_.Exception.Response -ne $null) {
        # Azure's XML <Error><Code>..</Code></Error> body says why the request failed
        $stream = $_.Exception.Response.GetResponseStream()
        $ReadResponse = New-Object System.IO.StreamReader($stream)
        $ReadResponse.BaseStream.Position = 0
        $responseBody = $ReadResponse.ReadToEnd()
    }
    else { $responseBody = "The storage account could not be anonymously accessed." }   # e.g. DNS failure: no such account
}
"Response received for #{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}: $responsebody" | out-file -filepath #{output_file} -append
```
Cleanup Commands:
```powershell
remove-item #{output_file} -erroraction silentlycontinue
```