Query: s3_object_accessed_using_suspicious_user_agent

Usage

powerpipe query aws_s3_server_access_log_detections.query.s3_object_accessed_using_suspicious_user_agent

Tailpipe Tables

aws_s3_server_access_log

SQL

select
  tp_timestamp as timestamp,
operation,
bucket as resource,
requester as actor,
tp_source_ip as source_ip,
tp_index as account_id,
tp_id as source_id,
http_status,
error_code,
*

from
  aws_s3_server_access_log
where
  operation in ('REST.GET.OBJECT', 'REST.PUT.OBJECT', 'REST.DELETE.OBJECT')
  and (
    -- Command-line tools
    user_agent ilike '%curl%' or
    user_agent ilike '%wget%' or
    user_agent ilike '%python%' or
    user_agent ilike '%go-http%' or
    user_agent ilike '%ruby%' or
    user_agent ilike '%powershell%' or
        
    -- Known scanners and penetration testing tools
    user_agent ilike '%nuclei%' or
    user_agent ilike '%nmap%' or
    user_agent ilike '%burpsuite%' or
    user_agent ilike '%sqlmap%' or
    user_agent ilike '%nikto%' or
    user_agent ilike '%hydra%' or
    user_agent ilike '%metasploit%' or
    user_agent ilike '%gobuster%' or
    user_agent ilike '%dirbuster%' or
        
    -- Suspicious bots and crawlers
    user_agent ilike '%zgrab%' or
    user_agent ilike '%masscan%' or
    user_agent ilike '%googlebot%' or
    user_agent ilike '%baiduspider%' or
        
    -- Generic indicators
    user_agent ilike '%scanner%' or
    user_agent ilike '%exploit%' or
    user_agent ilike '%attack%' or
    user_agent is null
  )
order by
  tp_timestamp desc;

Detections

The query is being used by the following detections:

S3 Object Accessed Using Suspicious User-Agent