Detect Cloud Storage Object Discovery in Splunk
This detection identifies adversary enumeration of cloud storage objects across AWS S3, Azure Blob Storage, and GCP Cloud Storage. Attackers use native cloud APIs (e.g., ListObjectsV2 for S3, List Blobs for Azure) to survey accessible buckets and containers, typically as a precursor to data staging or exfiltration. The detection looks for anomalous listing activity including high-volume object enumeration, access from unexpected identities or IPs, enumeration across multiple buckets in short time windows, and listing operations performed by service principals or IAM roles outside their expected behavioral baseline. Tools such as Pacu and Peirates are known to automate these enumeration workflows.
MITRE ATT&CK
- Tactic: Discovery
- Technique: T1619 Cloud Storage Object Discovery
- Canonical reference: https://attack.mitre.org/techniques/T1619/
SPL Detection Query

```spl
index=* (sourcetype="aws:cloudtrail" OR sourcetype="azure:monitor:storage:blob")
| eval is_aws=if(sourcetype="aws:cloudtrail", 1, 0)
| eval is_azure=if(sourcetype="azure:monitor:storage:blob", 1, 0)
| eval event_action=coalesce(eventName, operationName)
| search event_action IN (
    "ListBuckets", "ListObjects", "ListObjectsV2", "ListObjectVersions",
    "ListMultipartUploads", "GetBucketAcl", "GetBucketPolicy", "GetBucketLocation",
    "ListBlobs", "ListContainers", "GetContainerProperties",
    "GetBlobServiceProperties", "ListBlobsFlatSegment"
)
| eval actor_identity=coalesce('userIdentity.arn', 'userIdentity.userName', 'properties.requesterObjectId', "unknown")
| eval source_ip=coalesce(sourceIPAddress, callerIpAddress, "unknown")
| eval user_agent=coalesce(userAgent, 'properties.userAgentHeader', "unknown")
| eval target_resource=coalesce('requestParameters.bucketName', uri, "unknown")
| bin _time span=10m
| stats
    count AS operation_count,
    dc(target_resource) AS unique_resources,
    values(event_action) AS operations_performed,
    values(source_ip) AS source_ips,
    values(user_agent) AS user_agents,
    min(_time) AS first_seen,
    max(_time) AS last_seen
  by actor_identity, _time
| where operation_count > 50 OR unique_resources > 5
| eval severity=if(operation_count > 200 OR unique_resources > 20, "high", "medium")
| eval alert_title="Cloud Storage Object Discovery: " . actor_identity . " performed " . operation_count . " listing operations across " . unique_resources . " resources"
| table _time, actor_identity, operation_count, unique_resources, operations_performed, source_ips, user_agents, first_seen, last_seen, severity, alert_title
| sort - operation_count
```

Detects suspicious cloud storage enumeration in AWS CloudTrail and Azure Monitor storage diagnostic logs. It correlates listing API calls (S3 ListObjectsV2/ListBuckets and Azure List Blobs/Containers) per actor identity over 10-minute windows and alerts when the thresholds for operation volume or number of unique resources accessed are exceeded, a pattern consistent with automated tools such as Pacu, Peirates, or CloudBrute performing bucket sweeps. Field names that contain a dot (userIdentity.arn, requestParameters.bucketName, properties.userAgentHeader) are single-quoted inside eval, because an unquoted dot is the eval concatenation operator and would otherwise produce an empty value rather than the nested field.
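To check the rule's logic before deploying it, the following Python script, added here as an example and not part of the original detection package, reimplements the SPL aggregation (the same coalesce field mapping, 10-minute bins per actor, the same thresholds and severity rule) and runs it over constructed CloudTrail and Azure StorageBlobLogs events shaped like the expected signals described under Testing Methodology. Account IDs, ARNs, object IDs, IP addresses and the allowlist entry are invented placeholders; the allowlist is an added tuning hook for the benign automation classes listed under False Positives and is not part of the SPL.

```python
"""Offline model of the SPL rule: normalise AWS CloudTrail and Azure StorageBlobLogs
records to the fields the SPL evals derive, bin per actor into 10-minute windows,
apply the volume / breadth thresholds and the severity rule."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Operations from the SPL `search event_action IN (...)` clause.
LISTING_OPERATIONS = {
    "ListBuckets", "ListObjects", "ListObjectsV2", "ListObjectVersions",
    "ListMultipartUploads", "GetBucketAcl", "GetBucketPolicy", "GetBucketLocation",
    "ListBlobs", "ListContainers", "GetContainerProperties",
    "GetBlobServiceProperties", "ListBlobsFlatSegment",
}
WINDOW_SECONDS = 600  # `bin _time span=10m`
# Tuning hook (not in the SPL): identities whose enumeration is expected. Hypothetical ARN.
ALLOWLIST = {"arn:aws:iam::111122223333:role/backup-agent-role"}


def normalise(event):
    """Mirror the SPL coalesce() evals; None for other sourcetypes or non-listing ops."""
    if event.get("sourcetype") == "aws:cloudtrail":
        ident = event.get("userIdentity", {})
        rec = {"time": event["eventTime"], "action": event.get("eventName"),
               "actor": ident.get("arn") or ident.get("userName") or "unknown",
               "source_ip": event.get("sourceIPAddress", "unknown"),
               "user_agent": event.get("userAgent", "unknown"),
               # ListBuckets carries no bucketName, so it lands in "unknown" as in the SPL
               "resource": event.get("requestParameters", {}).get("bucketName", "unknown")}
    elif event.get("sourcetype") == "azure:monitor:storage:blob":
        props = event.get("properties", {})
        rec = {"time": event["time"], "action": event.get("operationName"),
               "actor": props.get("requesterObjectId") or "unknown",
               "source_ip": event.get("callerIpAddress", "unknown"),
               "user_agent": props.get("userAgentHeader", "unknown"),
               "resource": event.get("uri", "unknown")}
    else:
        return None
    return rec if rec["action"] in LISTING_OPERATIONS else None


def window_start(iso_ts):
    """Floor an ISO-8601 UTC timestamp to its 10-minute bucket (epoch seconds)."""
    epoch = int(datetime.fromisoformat(iso_ts.replace("Z", "+00:00")).timestamp())
    return epoch - epoch % WINDOW_SECONDS


def detect(events, op_threshold=50, resource_threshold=5):
    """Aggregate per (actor, window) like the SPL stats; alerts sorted by count desc."""
    agg = defaultdict(lambda: {"count": 0, "resources": set(), "ops": set(),
                               "ips": set(), "agents": set(), "times": []})
    for ev in events:
        rec = normalise(ev)
        if rec is None or rec["actor"] in ALLOWLIST:
            continue
        a = agg[(rec["actor"], window_start(rec["time"]))]
        a["count"] += 1
        a["resources"].add(rec["resource"]); a["ops"].add(rec["action"])
        a["ips"].add(rec["source_ip"]); a["agents"].add(rec["user_agent"])
        a["times"].append(rec["time"])
    alerts = []
    for (actor, window), a in agg.items():
        n, dc = a["count"], len(a["resources"])
        if n > op_threshold or dc > resource_threshold:
            alerts.append({"window_start": window, "actor_identity": actor,
                           "operation_count": n, "unique_resources": dc,
                           "operations_performed": sorted(a["ops"]),
                           "source_ips": sorted(a["ips"]), "user_agents": sorted(a["agents"]),
                           "first_seen": min(a["times"]), "last_seen": max(a["times"]),
                           "severity": "high" if n > 200 or dc > 20 else "medium",
                           "alert_title": (f"Cloud Storage Object Discovery: {actor} performed "
                                           f"{n} listing operations across {dc} resources")})
    return sorted(alerts, key=lambda x: -x["operation_count"])


# --- Constructed sample telemetry (invented, not real logs) -------------------------
BASE_TIME = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
RECON_ARN = "arn:aws:iam::111122223333:user/recon-user"
BACKUP_ARN = "arn:aws:iam::111122223333:role/backup-agent-role"
AZ_SP = "00000000-0000-0000-0000-00000000abcd"

def ts(seconds):
    return (BASE_TIME + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")

def make_aws_event(sec, name, arn, bucket=None, agent="Boto3/1.34.0"):
    return {"sourcetype": "aws:cloudtrail", "eventTime": ts(sec), "eventName": name,
            "userIdentity": {"arn": arn}, "sourceIPAddress": "203.0.113.10",
            "userAgent": agent, "requestParameters": {"bucketName": bucket} if bucket else {}}

def make_azure_event(sec, name, container):
    return {"sourcetype": "azure:monitor:storage:blob", "time": ts(sec), "operationName": name,
            "properties": {"requesterObjectId": AZ_SP, "userAgentHeader": "azure-cli/2.60.0"},
            "callerIpAddress": "198.51.100.7",
            "uri": f"https://contoso.blob.core.windows.net/{container}?restype=container&comp=list"}

SAMPLE_EVENTS = (
    # Test 1/2 shape: ListBuckets then ListObjectsV2 across six buckets within a minute
    [make_aws_event(0, "ListBuckets", RECON_ARN)]
    + [make_aws_event(10 * i, "ListObjectsV2", RECON_ARN, f"corp-data-{i}") for i in range(1, 7)]
    # Same sweep from the allowlisted backup role: suppressed by tuning
    + [make_aws_event(10 * i, "ListObjectsV2", BACKUP_ARN, f"corp-data-{i}") for i in range(1, 7)]
    # Test 3 shape: 60 ListBlobs calls against one container in three minutes
    + [make_azure_event(3 * i, "ListBlobs", "backups") for i in range(60)]
    # Ordinary user: one listing plus a GetObject the rule ignores, below both thresholds
    + [make_aws_event(30, "ListObjectsV2", "arn:aws:iam::111122223333:user/analyst", "reports"),
       make_aws_event(45, "GetObject", "arn:aws:iam::111122223333:user/analyst", "reports")]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"], alert["alert_title"])
```

Running the script fires on the Azure service principal (60 operations, one resource, so the volume threshold) and on the recon user (7 operations across 7 distinct target_resource values, because the ListBuckets call lands in "unknown" alongside the six buckets, so the breadth threshold), while the allowlisted backup role and the analyst produce nothing. Note that the "unknown" placeholder counts as a resource in dc(), exactly as it does in the SPL; if that inflates unique_resources in your data, exclude it before the stats.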
Data Sources
Required Sourcetypes
False Positives & Tuning
- Scheduled backup agents (AWS Backup, third-party tools) performing nightly or hourly storage audits
- Data pipeline services (AWS Glue crawlers, Azure Data Factory triggers) that enumerate source containers before processing
- Cloud security scanning tools (Prowler, ScoutSuite, Wiz) performing compliance inventory runs
- Storage migration projects where large-scale enumeration is expected and authorized
- Monitoring agents configured to track object counts or storage metrics across all buckets
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: AWS S3 Bucket and Object Enumeration with AWS CLI
Expected signal: CloudTrail will generate events: eventName=ListBuckets, eventName=ListObjectsV2 (one per bucket enumerated), eventName=GetBucketLocation, eventName=GetBucketAcl, eventName=GetBucketPolicy. All events will share the same userIdentity.arn and originating sourceIPAddress. Events appear in CloudTrail within 15 minutes (standard delivery) or near-real-time (CloudTrail Lake).
- Test 2: Pacu Framework AWS Storage Enumeration Module
Expected signal: CloudTrail events with userAgent containing 'Boto3' (Pacu uses Boto3 SDK). EventNames: ListBuckets, GetBucketAcl, GetBucketLocation, DescribeVolumes, DescribeSnapshots. The Pacu session generates many rapid sequential API calls detectable by rate and ordering patterns.
- Test 3: Azure Blob Storage Container and Object Enumeration via Azure CLI
Expected signal: Azure StorageBlobLogs table will contain OperationName values: ListContainers, ListBlobs, GetContainerProperties. CallerIpAddress will reflect the test machine IP. AuthenticationType will show 'StorageKey' (when using account key) or 'OAuth' (when using service principal). AzureActivity log will show Microsoft.Storage/storageAccounts/listKeys/action if keys were retrieved.
References (7)
- https://attack.mitre.org/techniques/T1619/
- https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjectsV2.html
- https://learn.microsoft.com/en-us/rest/api/storageservices/list-blobs
- https://github.com/RhinoSecurityLabs/pacu
- https://github.com/inguardians/peirates
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html
- https://learn.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage