Contents

AWS S3 Honey Bucket Logs

Contents

AWS S3 Honey Bucket Logs#

Metadata#


Contributors	Ashwin Patil @ashwinpatil
Creation Date	2022/02/18
Modification Date	2022/02/18
Tactics	TA0007
Techniques	T1580
Tags	S3 Public Honeybucket Discovery

Dataset Description#

This dataset represents adversaries trying to scan , discover and access open S3 honeybucket based on known hostname patterns. in this case honeybucket microsoft-devtest.s3.amazonaws.com.

Datasets Downloads#

Type	Link
cloud	https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/aws/discovery/aws_s3_honeybucketlogs.zip

Simulation Metadata#

Adversary View#

> pip3 install s3scanner

> s3scanner --threads 8 scan --buckets-file ./bucket-names.txt                                                                                                                                                              >

> curl -s "microsoft-devtest.s3.amazonaws.com"

> aws s3 ls s3://microsoft-devtest.s3.amazonaws.com

> echo 'Trying to write text file to open public bucket' > hello.txt

> aws s3 sync hello.txt s3://microsoft-devtest.s3.amazonaws.com

Explore Datasets#

Download & Decompress Dataset#

import requests
from zipfile import ZipFile
from io import BytesIO

url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/aws/discovery/aws_s3_honeybucketlogs.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File#

from pandas.io import json

df = json.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events#

df.head(1)

References#

https://breachinsider.com/blog/honey-buckets-find-out-who-is-snooping-through-your-amazon-s3-buckets/