Cloud Storage Object Discovery
Description from ATT&CK
Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to File and Directory Discovery on a local host, after identifying available storage services (i.e. Cloud Infrastructure Discovery) adversaries may access the contents/objects stored in cloud infrastructure.
Cloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS (Citation: ListObjectsV2) and List Blobs in Azure(Citation: List Blobs) .
Atomic Test #1 - AWS S3 Enumeration
This test will enumerate all the S3 buckets in the user account and lists all the files in each bucket.
Supported Platforms: iaas:azure
Attack Commands: Run with sh!
1 2 for bucket in "$(aws s3 ls | cut -d " " -f3)"; do aws s3api list-objects-v2 --bucket $bucket --output text; done
Dependencies: Run with sh!
Description: Check if ~/.aws/credentials file has a default stanza is configured
Check Prereq Commands:
1 2 cat ~/.aws/credentials | grep "default"
Get Prereq Commands:
1 2 echo Please install the aws-cli and configure your AWS default profile using: aws configure