AWS S3 Honey Bucket Logs

Metadata

Contributors

Ashwin Patil @ashwinpatil

Creation Date

2022/02/18

Modification Date

2022/02/18

Tactics

TA0007

Techniques

T1580

Tags

S3 Public Honeybucket Discovery

Dataset Description

This dataset represents adversaries trying to scan for, discover, and access an open S3 honeybucket based on known hostname patterns, in this case the honeybucket microsoft-devtest.s3.amazonaws.com.

Simulation Metadata

Adversary View

> pip3 install s3scanner

> s3scanner --threads 8 scan --buckets-file ./bucket-names.txt

> curl -s "microsoft-devtest.s3.amazonaws.com"

> aws s3 ls s3://microsoft-devtest.s3.amazonaws.com

> echo 'Trying to write text file to open public bucket' > hello.txt

> aws s3 sync hello.txt s3://microsoft-devtest.s3.amazonaws.com

Explore Datasets

Download & Decompress Dataset

import requests
from zipfile import ZipFile
from io import BytesIO

# Download the zipped dataset and extract its first member (the JSON log file)
url = "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/aws/discovery/aws_s3_honeybucketlogs.zip"
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File

import pandas as pd

# The dataset is JSON Lines: one event per line
df = pd.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events

df.head(1)
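
Triage by source address

The following is an added example, not part of the original notebook or the Security-Datasets project. It groups honeybucket events by source IP and reports how far each source progressed through the probe, list, read and write sequence shown in the Adversary View. The field names (eventName, sourceIPAddress, errorCode, requestParameters.bucketName) assume a CloudTrail-style record layout and the sample rows are constructed; check df.columns against the real file before relying on them.

```python
import json
from collections import defaultdict

# Assumed CloudTrail-style S3 event names, mapped to the stage of access they represent.
STAGE = {
    "HeadBucket": "probe", "GetBucketAcl": "probe", "GetBucketLocation": "probe",
    "ListObjects": "list", "ListObjectsV2": "list",
    "GetObject": "read", "PutObject": "write", "DeleteObject": "write",
}
ORDER = ["probe", "list", "read", "write"]

# Constructed sample rows (sourceIPAddress, eventName, bucketName, errorCode); not dataset content.
_ROWS = [
    ("198.51.100.7", "HeadBucket", "microsoft-devtest", None),
    ("198.51.100.7", "ListObjects", "microsoft-devtest", None),
    ("198.51.100.7", "PutObject", "microsoft-devtest", "AccessDenied"),
    ("203.0.113.9", "HeadBucket", "microsoft-devtest", None),
    ("203.0.113.9", "GetObject", "other-bucket", None),
]
SAMPLE_JSONL = "\n".join(
    json.dumps({"sourceIPAddress": ip, "eventName": name, "errorCode": err,
                "requestParameters": {"bucketName": bucket}})
    for ip, name, bucket, err in _ROWS)

def summarize(jsonl, bucket):
    """Group events for one bucket by source IP and record the furthest stage reached."""
    per_ip = defaultdict(lambda: {"events": 0, "errors": 0, "stages": set()})
    for line in jsonl.splitlines():
        if not line.strip():
            continue  # tolerate blank lines in the JSON Lines input
        ev = json.loads(line)
        if (ev.get("requestParameters") or {}).get("bucketName") != bucket:
            continue  # ignore events for other buckets
        entry = per_ip[ev.get("sourceIPAddress", "unknown")]
        entry["events"] += 1
        entry["stages"].add(STAGE.get(ev.get("eventName"), "other"))
        if ev.get("errorCode"):
            entry["errors"] += 1
    report = {}
    for ip, e in per_ip.items():
        reached = [s for s in ORDER if s in e["stages"]]
        report[ip] = {"events": e["events"], "errors": e["errors"],
                      "furthest": reached[-1] if reached else "other",
                      "write_attempt": "write" in e["stages"]}
    return report

if __name__ == "__main__":
    for ip, row in summarize(SAMPLE_JSONL, "microsoft-devtest").items():
        print(ip, row)
```

Once the field names are confirmed, the same function can be run on the extracted file by passing open(datasetJSONPath).read() as the first argument.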