turbot/tailpipe-mod-aws-s3-server-access-log-detections

Query: s3_object_accessed_using_suspicious_user_agent

Usage

powerpipe query aws_s3_server_access_log_detections.query.s3_object_accessed_using_suspicious_user_agent

SQL

select
  tp_timestamp as timestamp,
  operation,
  bucket as resource,
  requester as actor,
  tp_source_ip as source_ip,
  tp_index as account_id,
  tp_id as source_id,
  http_status,
  error_code,
  *
from
  aws_s3_server_access_log
where
  operation in ('REST.GET.OBJECT', 'REST.PUT.OBJECT', 'REST.DELETE.OBJECT')
  and (
    -- Command-line tools
    user_agent ilike '%curl%' or
    user_agent ilike '%wget%' or
    user_agent ilike '%python%' or
    user_agent ilike '%go-http%' or
    user_agent ilike '%ruby%' or
    user_agent ilike '%powershell%' or
    -- Known scanners and penetration testing tools
    user_agent ilike '%nuclei%' or
    user_agent ilike '%nmap%' or
    user_agent ilike '%burpsuite%' or
    user_agent ilike '%sqlmap%' or
    user_agent ilike '%nikto%' or
    user_agent ilike '%hydra%' or
    user_agent ilike '%metasploit%' or
    user_agent ilike '%gobuster%' or
    user_agent ilike '%dirbuster%' or
    -- Suspicious bots and crawlers
    user_agent ilike '%zgrab%' or
    user_agent ilike '%masscan%' or
    user_agent ilike '%googlebot%' or
    user_agent ilike '%baiduspider%' or
    -- Generic indicators
    user_agent ilike '%scanner%' or
    user_agent ilike '%exploit%' or
    user_agent ilike '%attack%' or
    user_agent is null
  )
order by
  tp_timestamp desc;

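The same predicate applied outside Powerpipe, as an added example that is not part of the mod: it parses raw S3 server access log lines and keeps the rows the query above would return. The mapping of tp_timestamp and tp_source_ip onto the log's time and remote IP fields is an assumption, and the sample lines are constructed.

```python
import re
from typing import Optional

# Substrings from the query's ilike patterns; ilike '%x%' is a case-insensitive substring test.
SUSPICIOUS_UA_SUBSTRINGS = (
    "curl", "wget", "python", "go-http", "ruby", "powershell",      # command-line tools
    "nuclei", "nmap", "burpsuite", "sqlmap", "nikto", "hydra",      # scanners / pentest tools
    "metasploit", "gobuster", "dirbuster",
    "zgrab", "masscan", "googlebot", "baiduspider",                 # bots and crawlers
    "scanner", "exploit", "attack",                                 # generic indicators
)
OBJECT_OPERATIONS = {"REST.GET.OBJECT", "REST.PUT.OBJECT", "REST.DELETE.OBJECT"}

# One token per log field: a bracketed timestamp, a double-quoted string, or a bare word.
_FIELD_RE = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

def _clean(value: str) -> Optional[str]:
    value = value.strip('"')
    return None if value == "-" else value  # S3 writes '-' for an empty field (null in SQL)

def parse_s3_access_log_line(line: str) -> dict:
    """Map one S3 server access log line onto the columns the query selects."""
    f = _FIELD_RE.findall(line)
    return {
        "timestamp": f[2].strip("[]"),  # tp_timestamp (assumed to come from the time field)
        "bucket": _clean(f[1]), "source_ip": _clean(f[3]), "requester": _clean(f[4]),
        "operation": _clean(f[6]), "http_status": _clean(f[9]), "error_code": _clean(f[10]),
        "user_agent": _clean(f[16]),
    }

def is_suspicious(rec: dict) -> bool:
    """Same predicate as the query's WHERE clause."""
    if rec["operation"] not in OBJECT_OPERATIONS:
        return False
    if rec["user_agent"] is None:  # the 'user_agent is null' branch
        return True
    ua = rec["user_agent"].lower()
    return any(s in ua for s in SUSPICIOUS_UA_SUBSTRINGS)

def detect(lines) -> list:
    return [r for r in map(parse_s3_access_log_line, lines) if is_suspicious(r)]

# Constructed sample lines (not real logs): SDK read, curl download, request with no user agent, crawler listing.
SAMPLE_LOG = """\
o1 example-bucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 arn:aws:iam::123456789012:user/alice R1 REST.GET.OBJECT docs/a.txt "GET /docs/a.txt HTTP/1.1" 200 - 1024 1024 7 3 "-" "aws-sdk-go/1.44.0" - H1 SigV4 - AuthHeader example-bucket.s3.amazonaws.com TLSV1.2 - -
o1 example-bucket [06/Feb/2019:00:01:02 +0000] 198.51.100.7 - R2 REST.GET.OBJECT backup/db.sql "GET /backup/db.sql HTTP/1.1" 200 - 52428800 52428800 900 12 "-" "curl/8.4.0" - H2 SigV4 - AuthHeader example-bucket.s3.amazonaws.com TLSV1.2 - -
o1 example-bucket [06/Feb/2019:00:01:10 +0000] 198.51.100.7 - R3 REST.GET.OBJECT index.html "GET /index.html HTTP/1.1" 403 AccessDenied - - 5 - "-" "-" - H3 SigV4 - AuthHeader example-bucket.s3.amazonaws.com TLSV1.2 - -
o1 example-bucket [06/Feb/2019:00:02:00 +0000] 203.0.113.9 - R4 REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 200 - 300 - 4 - "-" "Mozilla/5.0 (compatible; Googlebot/2.1)" - H4 SigV4 - AuthHeader example-bucket.s3.amazonaws.com TLSV1.2 - -
"""
```

The fourth line is not returned because the operation filter runs before the user-agent test, and the `%python%` pattern also matches the AWS SDK for Python's own user agent string, so treat hits as triage signals and tune the list to the clients you expect.
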
Detections

This query is used by the following detections: