Detect Cloud Storage Object Discovery in Microsoft Sentinel
This detection identifies adversary enumeration of cloud storage objects across AWS S3, Azure Blob Storage, and GCP Cloud Storage. Attackers use native cloud APIs (e.g., ListObjectsV2 for S3, List Blobs for Azure) to survey accessible buckets and containers, typically as a precursor to data staging or exfiltration. The detection looks for anomalous listing activity including high-volume object enumeration, access from unexpected identities or IPs, enumeration across multiple buckets in short time windows, and listing operations performed by service principals or IAM roles outside their expected behavioral baseline. Tools such as Pacu and Peirates are known to automate these enumeration workflows.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1619 Cloud Storage Object Discovery
- Canonical reference
- https://attack.mitre.org/techniques/T1619/
KQL Detection Query
let LookbackWindow = 1h;
let HighVolumeThreshold = 50;
let UniqueBucketThreshold = 5;
// AWS S3 enumeration via CloudTrail
let AWSS3Discovery = AWSCloudTrail
| where TimeGenerated >= ago(LookbackWindow)
| where EventName in ("ListBuckets", "ListObjects", "ListObjectsV2", "ListObjectVersions", "ListMultipartUploads", "GetBucketAcl", "GetBucketPolicy", "GetBucketLocation")
| extend UserIdentity = coalesce(UserIdentityArn, UserIdentityUserName, UserIdentityPrincipalid)
| summarize
OperationCount = count(),
UniqueBuckets = dcount(tostring(RequestParameters)),
Operations = make_set(EventName),
SourceIPs = make_set(SourceIpAddress),
AWSRegions = make_set(AWSRegion),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by UserIdentity, UserIdentityType, UserAgent, bin(TimeGenerated, 10m)
| where OperationCount > HighVolumeThreshold or UniqueBuckets > UniqueBucketThreshold
| extend Platform = "AWS", Severity = iff(OperationCount > 200 or UniqueBuckets > 20, "High", "Medium")
| project TimeGenerated, Platform, UserIdentity, UserIdentityType, UserAgent, OperationCount, UniqueBuckets, Operations, SourceIPs, AWSRegions, FirstSeen, LastSeen, Severity;
// Azure Blob Storage enumeration
let AzureBlobDiscovery = StorageBlobLogs
| where TimeGenerated >= ago(LookbackWindow)
| where OperationName in ("ListBlobs", "ListContainers", "GetContainerProperties", "GetBlobServiceProperties", "ListBlobsFlatSegment", "ListBlobsHierarchySegment")
| summarize
OperationCount = count(),
UniqueContainers = dcount(Uri),
Operations = make_set(OperationName),
SourceIPs = make_set(CallerIpAddress),
Accounts = make_set(AccountName),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by AuthenticationType, RequesterObjectId, UserAgentHeader, bin(TimeGenerated, 10m)
| where OperationCount > HighVolumeThreshold or UniqueContainers > UniqueBucketThreshold
| extend
Platform = "Azure",
Severity = iff(OperationCount > 200 or UniqueContainers > 20, "High", "Medium"),
UserIdentity = coalesce(RequesterObjectId, "Anonymous"),
UserAgent = UserAgentHeader,
AWSRegions = dynamic([])
| project TimeGenerated, Platform, UserIdentity, AuthenticationType, UserAgent, OperationCount, UniqueContainers, Operations, SourceIPs, Accounts, FirstSeen, LastSeen, Severity;
// Union and surface results
AWSS3Discovery
| union AzureBlobDiscovery
| sort by OperationCount descDetects high-volume or broad cloud storage enumeration across AWS S3 (via CloudTrail ListObjectsV2/ListBuckets and related APIs) and Azure Blob Storage (via StorageBlobLogs List operations). Alerts when a single identity performs more than 50 listing operations or touches more than 5 unique buckets/containers within a 10-minute window, which is indicative of automated reconnaissance tools like Pacu or Peirates.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate cloud-native backup solutions (e.g., Veeam, AWS Backup, Azure Backup) that enumerate storage objects on a schedule
- Data lake or ETL pipeline services (Azure Data Factory, AWS Glue) that list objects as part of normal pipeline execution
- Security posture management tools (Prisma Cloud, Wiz, AWS Security Hub) performing periodic storage inventory scans
- DevOps CI/CD pipelines that sync or audit S3/Blob content as part of deployment workflows
- Cloud cost optimization tools (CloudHealth, Spot.io) enumerating storage for billing analysis
Other platforms for T1619
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AWS S3 Bucket and Object Enumeration with AWS CLI
Expected signal: CloudTrail will generate events: eventName=ListBuckets, eventName=ListObjectsV2 (one per bucket enumerated), eventName=GetBucketLocation, eventName=GetBucketAcl, eventName=GetBucketPolicy. All events will share the same userIdentity.arn and originating sourceIPAddress. Events appear in CloudTrail within 15 minutes (standard delivery) or near-real-time (CloudTrail Lake).
- Test 2Pacu Framework AWS Storage Enumeration Module
Expected signal: CloudTrail events with userAgent containing 'Boto3' (Pacu uses Boto3 SDK). EventNames: ListBuckets, GetBucketAcl, GetBucketLocation, DescribeVolumes, DescribeSnapshots. The Pacu session generates many rapid sequential API calls detectable by rate and ordering patterns.
- Test 3Azure Blob Storage Container and Object Enumeration via Azure CLI
Expected signal: Azure StorageBlobLogs table will contain OperationName values: ListContainers, ListBlobs, GetContainerProperties. CallerIpAddress will reflect the test machine IP. AuthenticationType will show 'StorageKey' (when using account key) or 'OAuth' (when using service principal). AzureActivity log will show Microsoft.Storage/storageAccounts/listKeys/action if keys were retrieved.
References (7)
- https://attack.mitre.org/techniques/T1619/
- https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjectsV2.html
- https://learn.microsoft.com/en-us/rest/api/storageservices/list-blobs
- https://github.com/RhinoSecurityLabs/pacu
- https://github.com/inguardians/peirates
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html
- https://learn.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage
Unlock Pro Content
Get the full detection package for T1619 including response playbook, investigation guide, and atomic red team tests.