From df1229665f0ed2e35e26180f9da80f7c1c801b2d Mon Sep 17 00:00:00 2001
From: Jose Hernandez
Date: Thu, 13 Feb 2025 16:41:07 -0500
Subject: [PATCH 1/6] adding baseline dataset
---
 .../s3_bucket_deletion/s3_bucket_deletion.csv | 33 +++++++++++++++++++
 .../simulate_open_bucket.yml | 14 ++++++++
 2 files changed, 47 insertions(+)
 create mode 100644 datasets/attack_techniques/T1485/s3_bucket_deletion/s3_bucket_deletion.csv
 create mode 100644 datasets/attack_techniques/T1485/s3_bucket_deletion/simulate_open_bucket.yml
diff --git a/datasets/attack_techniques/T1485/s3_bucket_deletion/s3_bucket_deletion.csv b/datasets/attack_techniques/T1485/s3_bucket_deletion/s3_bucket_deletion.csv
new file mode 100644
index 00000000..884222b2
--- /dev/null
+++ b/datasets/attack_techniques/T1485/s3_bucket_deletion/s3_bucket_deletion.csv
@@ -0,0 +1,33 @@ +"_raw","_time",action,"additionalEventData.AuthenticationMethod","additionalEventData.CipherSuite","additionalEventData.RequestDetails.awsServingRegion","additionalEventData.RequestDetails.endpointType","additionalEventData.SignatureVersion","additionalEventData.bytesTransferredIn","additionalEventData.bytesTransferredOut","additionalEventData.configRuleArn","additionalEventData.configRuleInputParameters","additionalEventData.configRuleName","additionalEventData.managedRuleIdentifier","additionalEventData.notificationJobType","additionalEventData.x-amz-id-2",app,"authentication_method",awsRegion,"aws_account_id","change_type",command,"date_hour","date_mday","date_minute","date_month","date_second","date_wday","date_year","date_zone",desc,dest,"dest_ip_range","dest_port_range",direction,dvc,errorCode,errorMessage,eventCategory,eventID,eventName,eventSource,eventTime,eventType,eventVersion,eventtype,host,"image_id",index,"instance_type",linecount,managementEvent,msg,object,"object_attrs","object_category","object_id",product,protocol,"protocol_code",punct,readOnly,reason,recipientAccountId,region,requestID,"requestParameters.Host","requestParameters.WebsiteConfiguration.ErrorDocument.Key","requestParameters.WebsiteConfiguration.IndexDocument.Suffix","requestParameters.WebsiteConfiguration.xmlns","requestParameters.agentName","requestParameters.agentStatus","requestParameters.agentVersion","requestParameters.availabilityZone","requestParameters.availabilityZoneId","requestParameters.bucketName","requestParameters.bucketPolicy.Statement{}.Action","requestParameters.bucketPolicy.Statement{}.Effect","requestParameters.bucketPolicy.Statement{}.Principal","requestParameters.bucketPolicy.Statement{}.Resource","requestParameters.bucketPolicy.Statement{}.Sid","requestParameters.bucketPolicy.Version","requestParameters.computerName","requestParameters.durationSeconds","requestParameters.evaluations{}.complianceResourceId","requestParameters.evaluations{}.compl
ianceResourceType","requestParameters.evaluations{}.complianceType","requestParameters.evaluations{}.orderingTimestamp","requestParameters.iPAddress","requestParameters.instanceId","requestParameters.location","requestParameters.platformName","requestParameters.platformType","requestParameters.platformVersion","requestParameters.policy","requestParameters.resultToken","requestParameters.roleArn","requestParameters.roleSessionName","requestParameters.sSMConnectionChannel","requestParameters.testMode","requestParameters.website","resources{}.ARN","resources{}.accountId","resources{}.type",responseElements,"responseElements.assumedRoleUser.arn","responseElements.assumedRoleUser.assumedRoleId","responseElements.credentials.accessKeyId","responseElements.credentials.expiration","responseElements.credentials.sessionToken",result,"result_id","rule_action",sharedEventID,signature,source,sourceIPAddress,sourcetype,"splunk_server","splunk_server_group",src,"src_ip","src_ip_range","src_port_range","src_user","src_user_id","src_user_name","src_user_role","src_user_type","start_time",status,tag,"tag::action","tag::app","tag::eventtype","tag::object_category","temp_access_key",timeendpos,timestartpos,"tlsDetails.cipherSuite","tlsDetails.clientProvidedHostHeader","tlsDetails.tlsVersion",user,userAgent,"userIdentity.accessKeyId","userIdentity.accountId","userIdentity.arn","userIdentity.invokedBy","userIdentity.principalId","userIdentity.sessionContext.attributes.creationDate","userIdentity.sessionContext.attributes.mfaAuthenticated","userIdentity.sessionContext.ec2RoleDelivery","userIdentity.sessionContext.sessionIssuer.accountId","userIdentity.sessionContext.sessionIssuer.arn","userIdentity.sessionContext.sessionIssuer.principalId","userIdentity.sessionContext.sessionIssuer.type","userIdentity.sessionContext.sessionIssuer.userName","userIdentity.type","userIdentity.userName",userName,"user_access_key","user_agent","user_arn","user_group_id","user_id","user_name","user_role","user_
type",vendor,"vendor_account","vendor_product","vendor_region" +"{""eventVersion"": ""1.11"", ""userIdentity"": {""type"": ""IAMUser"", ""principalId"": ""AIDAYTOGP2RLGWOCTTLJZ"", ""arn"": ""arn:aws:iam::591511147606:user/jose-attackrange"", ""accountId"": ""591511147606"", ""accessKeyId"": ""AKIAYTOGP2RLH3UD4F4T"", ""userName"": ""jose-attackrange""}, ""eventTime"": ""2025-02-11T20:04:34Z"", ""eventSource"": ""s3.amazonaws.com"", ""eventName"": ""DeleteBucket"", ""awsRegion"": ""us-west-2"", ""sourceIPAddress"": ""107.206.142.157"", ""userAgent"": ""[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.delete-bucket]"", ""requestParameters"": {""bucketName"": ""test-open-bucket-1739304249"", ""Host"": ""test-open-bucket-1739304249.s3.us-west-2.amazonaws.com""}, ""responseElements"": null, ""additionalEventData"": {""SignatureVersion"": ""SigV4"", ""CipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""bytesTransferredIn"": 0, ""AuthenticationMethod"": ""AuthHeader"", ""x-amz-id-2"": ""nDFzwn66DVWFAeo6zS/8asc49egXGcA48MXVrYH31966fnavbcwvugRJi94stdk4CSI7fC7WIuA="", ""bytesTransferredOut"": 0}, ""requestID"": ""42RV24EV0R48ZVSS"", ""eventID"": ""07af2978-cb74-4607-8cd1-639169660a48"", ""readOnly"": false, ""resources"": [{""accountId"": ""591511147606"", ""type"": ""AWS::S3::Bucket"", ""ARN"": ""arn:aws:s3:::test-open-bucket-1739304249""}], ""eventType"": ""AwsApiCall"", ""managementEvent"": true, ""recipientAccountId"": ""591511147606"", ""eventCategory"": ""Management"", ""tlsDetails"": {""tlsVersion"": ""TLSv1.3"", ""cipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""clientProvidedHostHeader"": 
""test-open-bucket-1739304249.s3.us-west-2.amazonaws.com""}}","2025-02-11T20:04:34.000+00:00",deleted,AuthHeader,"TLS_AES_128_GCM_SHA256",,,SigV4,0,0,,,,,,"nDFzwn66DVWFAeo6zS/8asc49egXGcA48MXVrYH31966fnavbcwvugRJi94stdk4CSI7fC7WIuA=",AwsApiCall,,"us-west-2",591511147606,storage,DeleteBucket,20,11,4,february,34,tuesday,2025,0,,,,,,"s3.amazonaws.com",success,,Management,"07af2978-cb74-4607-8cd1-639169660a48",DeleteBucket,"s3.amazonaws.com","2025-02-11T20:04:34Z",AwsApiCall,"1.11","aws_cloudtrail_delete_events aws_cloudtrail_endpoint_change","$decideOnStartup",,aws,,1,true,success,"test-open-bucket-1739304249",bucket,bucket,"test-open-bucket-1739304249",CloudTrail,,,"{"""":_""."",_"""":_{"""":_"""",_"""":_"""",_"""":_"":::::/-"",_"""":_",false,,591511147606,"us-west-2",42RV24EV0R48ZVSS,"test-open-bucket-1739304249.s3.us-west-2.amazonaws.com",,,,,,,,,"test-open-bucket-1739304249",,,,,,,,,,,,,,,,,,,,,,,,,,"arn:aws:s3:::test-open-bucket-1739304249",591511147606,"AWS::S3::Bucket",null,,,,,,,,,,DeleteBucket,"s3://cloudtrail-research-logs/AWSLogs/591511147606/CloudTrail/us-west-2/2025/02/11/591511147606_CloudTrail_us-west-2_20250211T2010Z_eEeOfZiLWYq75gdT.json.gz","107.206.142.157","aws:cloudtrail","ip-172-31-26-135",,"107.206.142.157","107.206.142.157",,,"jose-attackrange",,,,,"2025-02-11T20:04:34Z",success,"change +cloud +endpoint",,,"change +cloud +endpoint",,,294,274,"TLS_AES_128_GCM_SHA256","test-open-bucket-1739304249.s3.us-west-2.amazonaws.com","TLSv1.3","jose-attackrange","[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.delete-bucket]",AKIAYTOGP2RLH3UD4F4T,591511147606,"arn:aws:iam::591511147606:user/jose-attackrange",,AIDAYTOGP2RLGWOCTTLJZ,,,,,,,,,IAMUser,"jose-attackrange","jose-attackrange",AKIAYTOGP2RLH3UD4F4T,"[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython 
cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.delete-bucket]","arn:aws:iam::591511147606:user/jose-attackrange",591511147606,,"jose-attackrange",,IAMUser,"Amazon Web Services",591511147606,"AWS CloudTrail","us-west-2" +"{""eventVersion"": ""1.11"", ""userIdentity"": {""type"": ""IAMUser"", ""principalId"": ""AIDAYTOGP2RLGWOCTTLJZ"", ""arn"": ""arn:aws:iam::591511147606:user/jose-attackrange"", ""accountId"": ""591511147606"", ""accessKeyId"": ""AKIAYTOGP2RLH3UD4F4T"", ""userName"": ""jose-attackrange""}, ""eventTime"": ""2025-02-11T20:04:28Z"", ""eventSource"": ""s3.amazonaws.com"", ""eventName"": ""PutBucketWebsite"", ""awsRegion"": ""us-west-2"", ""sourceIPAddress"": ""107.206.142.157"", ""userAgent"": ""[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-website]"", ""requestParameters"": {""WebsiteConfiguration"": {""IndexDocument"": {""Suffix"": ""index.html""}, ""xmlns"": ""http://s3.amazonaws.com/doc/2006-03-01/"", ""ErrorDocument"": {""Key"": ""error.html""}}, ""bucketName"": ""test-open-bucket-1739304249"", ""website"": """", ""Host"": ""test-open-bucket-1739304249.s3.us-west-2.amazonaws.com""}, ""responseElements"": null, ""additionalEventData"": {""SignatureVersion"": ""SigV4"", ""CipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""bytesTransferredIn"": 203, ""AuthenticationMethod"": ""AuthHeader"", ""x-amz-id-2"": ""jZcuGBVBG4z7iHjB4ra2tDFPP9BJHCxNYgL3h7f5nqm8vc7NsbPLXir7CCGB6Mcutt4gvbpJ/4o="", ""bytesTransferredOut"": 0}, ""requestID"": ""N1FHW450SVHS00GP"", ""eventID"": ""be0db83f-ba3c-43cd-a3da-e686a090557e"", ""readOnly"": false, ""resources"": [{""accountId"": ""591511147606"", ""type"": ""AWS::S3::Bucket"", ""ARN"": ""arn:aws:s3:::test-open-bucket-1739304249""}], ""eventType"": ""AwsApiCall"", ""managementEvent"": true, ""recipientAccountId"": ""591511147606"", ""eventCategory"": 
""Management"", ""tlsDetails"": {""tlsVersion"": ""TLSv1.3"", ""cipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""clientProvidedHostHeader"": ""test-open-bucket-1739304249.s3.us-west-2.amazonaws.com""}}","2025-02-11T20:04:28.000+00:00",,AuthHeader,"TLS_AES_128_GCM_SHA256",,,SigV4,203,0,,,,,,"jZcuGBVBG4z7iHjB4ra2tDFPP9BJHCxNYgL3h7f5nqm8vc7NsbPLXir7CCGB6Mcutt4gvbpJ/4o=",AwsApiCall,,"us-west-2",591511147606,storage,PutBucketWebsite,20,11,4,february,28,tuesday,2025,0,,"test-open-bucket-1739304249.s3.us-west-2.amazonaws.com",,,,"s3.amazonaws.com",success,,Management,"be0db83f-ba3c-43cd-a3da-e686a090557e",PutBucketWebsite,"s3.amazonaws.com","2025-02-11T20:04:28Z",AwsApiCall,"1.11",err0r,"$decideOnStartup",,aws,,1,true,success,"test-open-bucket-1739304249",,unknown,"test-open-bucket-1739304249",CloudTrail,,,"{"""":_""."",_"""":_{"""":_"""",_"""":_"""",_"""":_"":::::/-"",_"""":_",false,,591511147606,"us-west-2",N1FHW450SVHS00GP,"test-open-bucket-1739304249.s3.us-west-2.amazonaws.com","error.html","index.html","http://s3.amazonaws.com/doc/2006-03-01/",,,,,,"test-open-bucket-1739304249",,,,,,,,,,,,,,,,,,,,,,,,,"","arn:aws:s3:::test-open-bucket-1739304249",591511147606,"AWS::S3::Bucket",null,,,,,,,,,,PutBucketWebsite,"s3://cloudtrail-research-logs/AWSLogs/591511147606/CloudTrail/us-west-2/2025/02/11/591511147606_CloudTrail_us-west-2_20250211T2010Z_eEeOfZiLWYq75gdT.json.gz","107.206.142.157","aws:cloudtrail","ip-172-31-26-135",,"107.206.142.157","107.206.142.157",,,"jose-attackrange",,,,,"2025-02-11T20:04:28Z",,error,,,error,,,294,274,"TLS_AES_128_GCM_SHA256","test-open-bucket-1739304249.s3.us-west-2.amazonaws.com","TLSv1.3","jose-attackrange","[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off 
md/command#s3api.put-bucket-website]",AKIAYTOGP2RLH3UD4F4T,591511147606,"arn:aws:iam::591511147606:user/jose-attackrange",,AIDAYTOGP2RLGWOCTTLJZ,,,,,,,,,IAMUser,"jose-attackrange","jose-attackrange",AKIAYTOGP2RLH3UD4F4T,"[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-website]","arn:aws:iam::591511147606:user/jose-attackrange",591511147606,,"jose-attackrange",,IAMUser,"Amazon Web Services",591511147606,"AWS CloudTrail","us-west-2" +"{""eventVersion"": ""1.11"", ""userIdentity"": {""type"": ""IAMUser"", ""principalId"": ""AIDAYTOGP2RLGWOCTTLJZ"", ""arn"": ""arn:aws:iam::591511147606:user/jose-attackrange"", ""accountId"": ""591511147606"", ""accessKeyId"": ""AKIAYTOGP2RLH3UD4F4T"", ""userName"": ""jose-attackrange""}, ""eventTime"": ""2025-02-11T20:04:22Z"", ""eventSource"": ""s3.amazonaws.com"", ""eventName"": ""PutBucketPolicy"", ""awsRegion"": ""us-west-2"", ""sourceIPAddress"": ""107.206.142.157"", ""userAgent"": ""[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-policy]"", ""requestParameters"": {""bucketPolicy"": {""Version"": ""2012-10-17"", ""Statement"": [{""Sid"": ""AllowPublicRead"", ""Effect"": ""Allow"", ""Principal"": ""*"", ""Action"": ""s3:GetObject"", ""Resource"": ""arn:aws:s3:::test-open-bucket-1739304249/*""}]}, ""bucketName"": ""test-open-bucket-1739304249"", ""Host"": ""test-open-bucket-1739304249.s3.us-west-2.amazonaws.com"", ""policy"": """"}, ""responseElements"": null, ""additionalEventData"": {""SignatureVersion"": ""SigV4"", ""CipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""bytesTransferredIn"": 284, ""AuthenticationMethod"": ""AuthHeader"", ""x-amz-id-2"": ""mON4xLwE0TanIASUQPrVT5tsDHjBZMhHdXKrHbUB2DIetZU/Ir76USUOQDM5THRqc35gsN1Qxos="", 
""bytesTransferredOut"": 0}, ""requestID"": ""0B2N5RT4DGQW76AX"", ""eventID"": ""966058bc-97dc-47cb-9ff2-4528f346d4af"", ""readOnly"": false, ""resources"": [{""accountId"": ""591511147606"", ""type"": ""AWS::S3::Bucket"", ""ARN"": ""arn:aws:s3:::test-open-bucket-1739304249""}], ""eventType"": ""AwsApiCall"", ""managementEvent"": true, ""recipientAccountId"": ""591511147606"", ""eventCategory"": ""Management"", ""tlsDetails"": {""tlsVersion"": ""TLSv1.3"", ""cipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""clientProvidedHostHeader"": ""test-open-bucket-1739304249.s3.us-west-2.amazonaws.com""}}","2025-02-11T20:04:22.000+00:00",,AuthHeader,"TLS_AES_128_GCM_SHA256",,,SigV4,284,0,,,,,,"mON4xLwE0TanIASUQPrVT5tsDHjBZMhHdXKrHbUB2DIetZU/Ir76USUOQDM5THRqc35gsN1Qxos=",AwsApiCall,,"us-west-2",591511147606,storage,PutBucketPolicy,20,11,4,february,22,tuesday,2025,0,,"test-open-bucket-1739304249.s3.us-west-2.amazonaws.com",,,,"s3.amazonaws.com",success,,Management,"966058bc-97dc-47cb-9ff2-4528f346d4af",PutBucketPolicy,"s3.amazonaws.com","2025-02-11T20:04:22Z",AwsApiCall,"1.11",,"$decideOnStartup",,aws,,1,true,success,"test-open-bucket-1739304249",,unknown,"test-open-bucket-1739304249",CloudTrail,,,"{"""":_""."",_"""":_{"""":_"""",_"""":_"""",_"""":_"":::::/-"",_"""":_",false,,591511147606,"us-west-2",0B2N5RT4DGQW76AX,"test-open-bucket-1739304249.s3.us-west-2.amazonaws.com",,,,,,,,,"test-open-bucket-1739304249","s3:GetObject",Allow,"*","arn:aws:s3:::test-open-bucket-1739304249/*",AllowPublicRead,"2012-10-17",,,,,,,,,,,,,"",,,,,,,"arn:aws:s3:::test-open-bucket-1739304249",591511147606,"AWS::S3::Bucket",null,,,,,,,,,,PutBucketPolicy,"s3://cloudtrail-research-logs/AWSLogs/591511147606/CloudTrail/us-west-2/2025/02/11/591511147606_CloudTrail_us-west-2_20250211T2010Z_eEeOfZiLWYq75gdT.json.gz","107.206.142.157","aws:cloudtrail","ip-172-31-26-135",,"107.206.142.157","107.206.142.157",,,"jose-attackrange",,,,,"2025-02-11T20:04:22Z",,,,,,,,294,274,"TLS_AES_128_GCM_SHA256","test-open-bucket-1739
304249.s3.us-west-2.amazonaws.com","TLSv1.3","jose-attackrange","[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-policy]",AKIAYTOGP2RLH3UD4F4T,591511147606,"arn:aws:iam::591511147606:user/jose-attackrange",,AIDAYTOGP2RLGWOCTTLJZ,,,,,,,,,IAMUser,"jose-attackrange","jose-attackrange",AKIAYTOGP2RLH3UD4F4T,"[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-policy]","arn:aws:iam::591511147606:user/jose-attackrange",591511147606,,"jose-attackrange",,IAMUser,"Amazon Web Services",591511147606,"AWS CloudTrail","us-west-2" +"{""eventVersion"": ""1.11"", ""userIdentity"": {""type"": ""IAMUser"", ""principalId"": ""AIDAYTOGP2RLGWOCTTLJZ"", ""arn"": ""arn:aws:iam::591511147606:user/jose-attackrange"", ""accountId"": ""591511147606"", ""accessKeyId"": ""AKIAYTOGP2RLH3UD4F4T"", ""userName"": ""jose-attackrange""}, ""eventTime"": ""2025-02-11T20:03:12Z"", ""eventSource"": ""s3.amazonaws.com"", ""eventName"": ""DeleteBucket"", ""awsRegion"": ""us-west-2"", ""sourceIPAddress"": ""107.206.142.157"", ""userAgent"": ""[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.delete-bucket]"", ""requestParameters"": {""bucketName"": ""test-open-bucket-1739304161"", ""Host"": ""test-open-bucket-1739304161.s3.us-west-2.amazonaws.com""}, ""responseElements"": null, ""additionalEventData"": {""SignatureVersion"": ""SigV4"", ""CipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""bytesTransferredIn"": 0, ""AuthenticationMethod"": ""AuthHeader"", ""x-amz-id-2"": ""K0/xZqd4pQMXWZ8g151Px2lwo+tehey3L6EZiebMkRsoXkTEg+xpXfZuvNa+PDdRKOE0Nwc1+GM="", ""bytesTransferredOut"": 0}, ""requestID"": 
""M997YDH6WES456JQ"", ""eventID"": ""5ec4ca53-4261-46a8-8d23-6e70a56e75b7"", ""readOnly"": false, ""resources"": [{""accountId"": ""591511147606"", ""type"": ""AWS::S3::Bucket"", ""ARN"": ""arn:aws:s3:::test-open-bucket-1739304161""}], ""eventType"": ""AwsApiCall"", ""managementEvent"": true, ""recipientAccountId"": ""591511147606"", ""eventCategory"": ""Management"", ""tlsDetails"": {""tlsVersion"": ""TLSv1.3"", ""cipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""clientProvidedHostHeader"": ""test-open-bucket-1739304161.s3.us-west-2.amazonaws.com""}}","2025-02-11T20:03:12.000+00:00",deleted,AuthHeader,"TLS_AES_128_GCM_SHA256",,,SigV4,0,0,,,,,,"K0/xZqd4pQMXWZ8g151Px2lwo+tehey3L6EZiebMkRsoXkTEg+xpXfZuvNa+PDdRKOE0Nwc1+GM=",AwsApiCall,,"us-west-2",591511147606,storage,DeleteBucket,20,11,3,february,12,tuesday,2025,0,,,,,,"s3.amazonaws.com",success,,Management,"5ec4ca53-4261-46a8-8d23-6e70a56e75b7",DeleteBucket,"s3.amazonaws.com","2025-02-11T20:03:12Z",AwsApiCall,"1.11","aws_cloudtrail_delete_events aws_cloudtrail_endpoint_change","$decideOnStartup",,aws,,1,true,success,"test-open-bucket-1739304161",bucket,bucket,"test-open-bucket-1739304161",CloudTrail,,,"{"""":_""."",_"""":_{"""":_"""",_"""":_"""",_"""":_"":::::/-"",_"""":_",false,,591511147606,"us-west-2",M997YDH6WES456JQ,"test-open-bucket-1739304161.s3.us-west-2.amazonaws.com",,,,,,,,,"test-open-bucket-1739304161",,,,,,,,,,,,,,,,,,,,,,,,,,"arn:aws:s3:::test-open-bucket-1739304161",591511147606,"AWS::S3::Bucket",null,,,,,,,,,,DeleteBucket,"s3://cloudtrail-research-logs/AWSLogs/591511147606/CloudTrail/us-west-2/2025/02/11/591511147606_CloudTrail_us-west-2_20250211T2005Z_gypTA4uCf1a3inMT.json.gz","107.206.142.157","aws:cloudtrail","ip-172-31-26-135",,"107.206.142.157","107.206.142.157",,,"jose-attackrange",,,,,"2025-02-11T20:03:12Z",success,"change +cloud +endpoint",,,"change +cloud 
+endpoint",,,294,274,"TLS_AES_128_GCM_SHA256","test-open-bucket-1739304161.s3.us-west-2.amazonaws.com","TLSv1.3","jose-attackrange","[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.delete-bucket]",AKIAYTOGP2RLH3UD4F4T,591511147606,"arn:aws:iam::591511147606:user/jose-attackrange",,AIDAYTOGP2RLGWOCTTLJZ,,,,,,,,,IAMUser,"jose-attackrange","jose-attackrange",AKIAYTOGP2RLH3UD4F4T,"[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.delete-bucket]","arn:aws:iam::591511147606:user/jose-attackrange",591511147606,,"jose-attackrange",,IAMUser,"Amazon Web Services",591511147606,"AWS CloudTrail","us-west-2" +"{""eventVersion"": ""1.11"", ""userIdentity"": {""type"": ""IAMUser"", ""principalId"": ""AIDAYTOGP2RLGWOCTTLJZ"", ""arn"": ""arn:aws:iam::591511147606:user/jose-attackrange"", ""accountId"": ""591511147606"", ""accessKeyId"": ""AKIAYTOGP2RLH3UD4F4T"", ""userName"": ""jose-attackrange""}, ""eventTime"": ""2025-02-11T20:03:06Z"", ""eventSource"": ""s3.amazonaws.com"", ""eventName"": ""PutBucketWebsite"", ""awsRegion"": ""us-west-2"", ""sourceIPAddress"": ""107.206.142.157"", ""userAgent"": ""[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-website]"", ""requestParameters"": {""WebsiteConfiguration"": {""IndexDocument"": {""Suffix"": ""index.html""}, ""xmlns"": ""http://s3.amazonaws.com/doc/2006-03-01/"", ""ErrorDocument"": {""Key"": ""error.html""}}, ""bucketName"": ""test-open-bucket-1739304161"", ""website"": """", ""Host"": ""test-open-bucket-1739304161.s3.us-west-2.amazonaws.com""}, ""responseElements"": null, ""additionalEventData"": {""SignatureVersion"": 
""SigV4"", ""CipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""bytesTransferredIn"": 203, ""AuthenticationMethod"": ""AuthHeader"", ""x-amz-id-2"": ""0vVnNszg0YAiVQR5+iigwC3hUa3VEQQqBPnTxa2tCsRcI8Z4XobPsw2mI1BxXKEfbAmqUFUm3+4/taKIoUqdrA=="", ""bytesTransferredOut"": 0}, ""requestID"": ""HSRTD1C99GTQZNRH"", ""eventID"": ""c3919adf-db55-46f3-a76d-1a5b75d2f396"", ""readOnly"": false, ""resources"": [{""accountId"": ""591511147606"", ""type"": ""AWS::S3::Bucket"", ""ARN"": ""arn:aws:s3:::test-open-bucket-1739304161""}], ""eventType"": ""AwsApiCall"", ""managementEvent"": true, ""recipientAccountId"": ""591511147606"", ""eventCategory"": ""Management"", ""tlsDetails"": {""tlsVersion"": ""TLSv1.3"", ""cipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""clientProvidedHostHeader"": ""test-open-bucket-1739304161.s3.us-west-2.amazonaws.com""}}","2025-02-11T20:03:06.000+00:00",,AuthHeader,"TLS_AES_128_GCM_SHA256",,,SigV4,203,0,,,,,,"0vVnNszg0YAiVQR5+iigwC3hUa3VEQQqBPnTxa2tCsRcI8Z4XobPsw2mI1BxXKEfbAmqUFUm3+4/taKIoUqdrA==",AwsApiCall,,"us-west-2",591511147606,storage,PutBucketWebsite,20,11,3,february,6,tuesday,2025,0,,"test-open-bucket-1739304161.s3.us-west-2.amazonaws.com",,,,"s3.amazonaws.com",success,,Management,"c3919adf-db55-46f3-a76d-1a5b75d2f396",PutBucketWebsite,"s3.amazonaws.com","2025-02-11T20:03:06Z",AwsApiCall,"1.11",err0r,"$decideOnStartup",,aws,,1,true,success,"test-open-bucket-1739304161",,unknown,"test-open-bucket-1739304161",CloudTrail,,,"{"""":_""."",_"""":_{"""":_"""",_"""":_"""",_"""":_"":::::/-"",_"""":_",false,,591511147606,"us-west-2",HSRTD1C99GTQZNRH,"test-open-bucket-1739304161.s3.us-west-2.amazonaws.com","error.html","index.html","http://s3.amazonaws.com/doc/2006-03-01/",,,,,,"test-open-bucket-1739304161",,,,,,,,,,,,,,,,,,,,,,,,,"","arn:aws:s3:::test-open-bucket-1739304161",591511147606,"AWS::S3::Bucket",null,,,,,,,,,,PutBucketWebsite,"s3://cloudtrail-research-logs/AWSLogs/591511147606/CloudTrail/us-west-2/2025/02/11/591511147606_CloudTrail_us-west-2_20250211T2005Z
_gypTA4uCf1a3inMT.json.gz","107.206.142.157","aws:cloudtrail","ip-172-31-26-135",,"107.206.142.157","107.206.142.157",,,"jose-attackrange",,,,,"2025-02-11T20:03:06Z",,error,,,error,,,294,274,"TLS_AES_128_GCM_SHA256","test-open-bucket-1739304161.s3.us-west-2.amazonaws.com","TLSv1.3","jose-attackrange","[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-website]",AKIAYTOGP2RLH3UD4F4T,591511147606,"arn:aws:iam::591511147606:user/jose-attackrange",,AIDAYTOGP2RLGWOCTTLJZ,,,,,,,,,IAMUser,"jose-attackrange","jose-attackrange",AKIAYTOGP2RLH3UD4F4T,"[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-website]","arn:aws:iam::591511147606:user/jose-attackrange",591511147606,,"jose-attackrange",,IAMUser,"Amazon Web Services",591511147606,"AWS CloudTrail","us-west-2" +"{""eventVersion"": ""1.11"", ""userIdentity"": {""type"": ""IAMUser"", ""principalId"": ""AIDAYTOGP2RLGWOCTTLJZ"", ""arn"": ""arn:aws:iam::591511147606:user/jose-attackrange"", ""accountId"": ""591511147606"", ""accessKeyId"": ""AKIAYTOGP2RLH3UD4F4T"", ""userName"": ""jose-attackrange""}, ""eventTime"": ""2025-02-11T20:03:00Z"", ""eventSource"": ""s3.amazonaws.com"", ""eventName"": ""PutBucketPolicy"", ""awsRegion"": ""us-west-2"", ""sourceIPAddress"": ""107.206.142.157"", ""userAgent"": ""[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-policy]"", ""requestParameters"": {""bucketPolicy"": {""Version"": ""2012-10-17"", ""Statement"": [{""Sid"": ""AllowPublicRead"", ""Effect"": ""Allow"", ""Principal"": ""*"", ""Action"": ""s3:GetObject"", ""Resource"": 
""arn:aws:s3:::test-open-bucket-1739304161/*""}]}, ""bucketName"": ""test-open-bucket-1739304161"", ""Host"": ""test-open-bucket-1739304161.s3.us-west-2.amazonaws.com"", ""policy"": """"}, ""responseElements"": null, ""additionalEventData"": {""SignatureVersion"": ""SigV4"", ""CipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""bytesTransferredIn"": 284, ""AuthenticationMethod"": ""AuthHeader"", ""x-amz-id-2"": ""Patf1UDA0ZiuOQycL8FzGBTBT6WxbRFPGjOY/88nA2dFAdQ+7NBDz9rXr6W62dYekV8f1JdVDlw="", ""bytesTransferredOut"": 0}, ""requestID"": ""ZH126ESC1RX66EG4"", ""eventID"": ""9602ade8-5b79-47e1-902e-ee29a4d16192"", ""readOnly"": false, ""resources"": [{""accountId"": ""591511147606"", ""type"": ""AWS::S3::Bucket"", ""ARN"": ""arn:aws:s3:::test-open-bucket-1739304161""}], ""eventType"": ""AwsApiCall"", ""managementEvent"": true, ""recipientAccountId"": ""591511147606"", ""eventCategory"": ""Management"", ""tlsDetails"": {""tlsVersion"": ""TLSv1.3"", ""cipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""clientProvidedHostHeader"": 
""test-open-bucket-1739304161.s3.us-west-2.amazonaws.com""}}","2025-02-11T20:03:00.000+00:00",,AuthHeader,"TLS_AES_128_GCM_SHA256",,,SigV4,284,0,,,,,,"Patf1UDA0ZiuOQycL8FzGBTBT6WxbRFPGjOY/88nA2dFAdQ+7NBDz9rXr6W62dYekV8f1JdVDlw=",AwsApiCall,,"us-west-2",591511147606,storage,PutBucketPolicy,20,11,3,february,0,tuesday,2025,0,,"test-open-bucket-1739304161.s3.us-west-2.amazonaws.com",,,,"s3.amazonaws.com",success,,Management,"9602ade8-5b79-47e1-902e-ee29a4d16192",PutBucketPolicy,"s3.amazonaws.com","2025-02-11T20:03:00Z",AwsApiCall,"1.11",,"$decideOnStartup",,aws,,1,true,success,"test-open-bucket-1739304161",,unknown,"test-open-bucket-1739304161",CloudTrail,,,"{"""":_""."",_"""":_{"""":_"""",_"""":_"""",_"""":_"":::::/-"",_"""":_",false,,591511147606,"us-west-2",ZH126ESC1RX66EG4,"test-open-bucket-1739304161.s3.us-west-2.amazonaws.com",,,,,,,,,"test-open-bucket-1739304161","s3:GetObject",Allow,"*","arn:aws:s3:::test-open-bucket-1739304161/*",AllowPublicRead,"2012-10-17",,,,,,,,,,,,,"",,,,,,,"arn:aws:s3:::test-open-bucket-1739304161",591511147606,"AWS::S3::Bucket",null,,,,,,,,,,PutBucketPolicy,"s3://cloudtrail-research-logs/AWSLogs/591511147606/CloudTrail/us-west-2/2025/02/11/591511147606_CloudTrail_us-west-2_20250211T2005Z_gypTA4uCf1a3inMT.json.gz","107.206.142.157","aws:cloudtrail","ip-172-31-26-135",,"107.206.142.157","107.206.142.157",,,"jose-attackrange",,,,,"2025-02-11T20:03:00Z",,,,,,,,294,274,"TLS_AES_128_GCM_SHA256","test-open-bucket-1739304161.s3.us-west-2.amazonaws.com","TLSv1.3","jose-attackrange","[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-policy]",AKIAYTOGP2RLH3UD4F4T,591511147606,"arn:aws:iam::591511147606:user/jose-attackrange",,AIDAYTOGP2RLGWOCTTLJZ,,,,,,,,,IAMUser,"jose-attackrange","jose-attackrange",AKIAYTOGP2RLH3UD4F4T,"[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 
lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-policy]","arn:aws:iam::591511147606:user/jose-attackrange",591511147606,,"jose-attackrange",,IAMUser,"Amazon Web Services",591511147606,"AWS CloudTrail","us-west-2" +"{""eventVersion"": ""1.11"", ""userIdentity"": {""type"": ""IAMUser"", ""principalId"": ""AIDAYTOGP2RLGWOCTTLJZ"", ""arn"": ""arn:aws:iam::591511147606:user/jose-attackrange"", ""accountId"": ""591511147606"", ""accessKeyId"": ""AKIAYTOGP2RLH3UD4F4T"", ""userName"": ""jose-attackrange""}, ""eventTime"": ""2025-02-11T19:14:11Z"", ""eventSource"": ""s3.amazonaws.com"", ""eventName"": ""DeleteBucket"", ""awsRegion"": ""us-west-2"", ""sourceIPAddress"": ""107.206.142.157"", ""userAgent"": ""[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.delete-bucket]"", ""requestParameters"": {""bucketName"": ""test-open-bucket-1739301225"", ""Host"": ""test-open-bucket-1739301225.s3.us-west-2.amazonaws.com""}, ""responseElements"": null, ""additionalEventData"": {""SignatureVersion"": ""SigV4"", ""CipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""bytesTransferredIn"": 0, ""AuthenticationMethod"": ""AuthHeader"", ""x-amz-id-2"": ""AbjkSK4H9QHb9jAjbjsbQxNnjewaMfJa0zGKvyRlPHluCRHbFMIT1Fc8ZakhrsKHh2rqOs8cnZHwzFks4tCnLQ=="", ""bytesTransferredOut"": 0}, ""requestID"": ""0DGNAYT4D0ZNSE9D"", ""eventID"": ""7eaab402-5d05-49ff-a982-0f22ba85e11e"", ""readOnly"": false, ""resources"": [{""accountId"": ""591511147606"", ""type"": ""AWS::S3::Bucket"", ""ARN"": ""arn:aws:s3:::test-open-bucket-1739301225""}], ""eventType"": ""AwsApiCall"", ""managementEvent"": true, ""recipientAccountId"": ""591511147606"", ""eventCategory"": ""Management"", ""tlsDetails"": {""tlsVersion"": ""TLSv1.3"", ""cipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""clientProvidedHostHeader"": 
""test-open-bucket-1739301225.s3.us-west-2.amazonaws.com""}}","2025-02-11T19:14:11.000+00:00",deleted,AuthHeader,"TLS_AES_128_GCM_SHA256",,,SigV4,0,0,,,,,,"AbjkSK4H9QHb9jAjbjsbQxNnjewaMfJa0zGKvyRlPHluCRHbFMIT1Fc8ZakhrsKHh2rqOs8cnZHwzFks4tCnLQ==",AwsApiCall,,"us-west-2",591511147606,storage,DeleteBucket,19,11,14,february,11,tuesday,2025,0,,,,,,"s3.amazonaws.com",success,,Management,"7eaab402-5d05-49ff-a982-0f22ba85e11e",DeleteBucket,"s3.amazonaws.com","2025-02-11T19:14:11Z",AwsApiCall,"1.11","aws_cloudtrail_delete_events aws_cloudtrail_endpoint_change","$decideOnStartup",,aws,,1,true,success,"test-open-bucket-1739301225",bucket,bucket,"test-open-bucket-1739301225",CloudTrail,,,"{"""":_""."",_"""":_{"""":_"""",_"""":_"""",_"""":_"":::::/-"",_"""":_",false,,591511147606,"us-west-2",0DGNAYT4D0ZNSE9D,"test-open-bucket-1739301225.s3.us-west-2.amazonaws.com",,,,,,,,,"test-open-bucket-1739301225",,,,,,,,,,,,,,,,,,,,,,,,,,"arn:aws:s3:::test-open-bucket-1739301225",591511147606,"AWS::S3::Bucket",null,,,,,,,,,,DeleteBucket,"s3://cloudtrail-research-logs/AWSLogs/591511147606/CloudTrail/us-west-2/2025/02/11/591511147606_CloudTrail_us-west-2_20250211T1920Z_2u54J13dOzLeFH2F.json.gz","107.206.142.157","aws:cloudtrail","ip-172-31-26-135",,"107.206.142.157","107.206.142.157",,,"jose-attackrange",,,,,"2025-02-11T19:14:11Z",success,"change +cloud +endpoint",,,"change +cloud +endpoint",,,294,274,"TLS_AES_128_GCM_SHA256","test-open-bucket-1739301225.s3.us-west-2.amazonaws.com","TLSv1.3","jose-attackrange","[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.delete-bucket]",AKIAYTOGP2RLH3UD4F4T,591511147606,"arn:aws:iam::591511147606:user/jose-attackrange",,AIDAYTOGP2RLGWOCTTLJZ,,,,,,,,,IAMUser,"jose-attackrange","jose-attackrange",AKIAYTOGP2RLH3UD4F4T,"[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython 
cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.delete-bucket]","arn:aws:iam::591511147606:user/jose-attackrange",591511147606,,"jose-attackrange",,IAMUser,"Amazon Web Services",591511147606,"AWS CloudTrail","us-west-2" +"{""eventVersion"": ""1.11"", ""userIdentity"": {""type"": ""IAMUser"", ""principalId"": ""AIDAYTOGP2RLGWOCTTLJZ"", ""arn"": ""arn:aws:iam::591511147606:user/jose-attackrange"", ""accountId"": ""591511147606"", ""accessKeyId"": ""AKIAYTOGP2RLH3UD4F4T"", ""userName"": ""jose-attackrange""}, ""eventTime"": ""2025-02-11T19:14:11Z"", ""eventSource"": ""s3.amazonaws.com"", ""eventName"": ""DeleteBucket"", ""awsRegion"": ""us-west-2"", ""sourceIPAddress"": ""107.206.142.157"", ""userAgent"": ""[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.delete-bucket]"", ""requestParameters"": {""bucketName"": ""test-open-bucket-1739301225"", ""Host"": ""test-open-bucket-1739301225.s3.us-west-2.amazonaws.com""}, ""responseElements"": null, ""additionalEventData"": {""SignatureVersion"": ""SigV4"", ""CipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""bytesTransferredIn"": 0, ""AuthenticationMethod"": ""AuthHeader"", ""x-amz-id-2"": ""AbjkSK4H9QHb9jAjbjsbQxNnjewaMfJa0zGKvyRlPHluCRHbFMIT1Fc8ZakhrsKHh2rqOs8cnZHwzFks4tCnLQ=="", ""bytesTransferredOut"": 0}, ""requestID"": ""0DGNAYT4D0ZNSE9D"", ""eventID"": ""7eaab402-5d05-49ff-a982-0f22ba85e11e"", ""readOnly"": false, ""resources"": [{""accountId"": ""591511147606"", ""type"": ""AWS::S3::Bucket"", ""ARN"": ""arn:aws:s3:::test-open-bucket-1739301225""}], ""eventType"": ""AwsApiCall"", ""managementEvent"": true, ""recipientAccountId"": ""591511147606"", ""eventCategory"": ""Management"", ""tlsDetails"": {""tlsVersion"": ""TLSv1.3"", ""cipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""clientProvidedHostHeader"": 
""test-open-bucket-1739301225.s3.us-west-2.amazonaws.com""}}","2025-02-11T19:14:11.000+00:00",deleted,AuthHeader,"TLS_AES_128_GCM_SHA256",,,SigV4,0,0,,,,,,"AbjkSK4H9QHb9jAjbjsbQxNnjewaMfJa0zGKvyRlPHluCRHbFMIT1Fc8ZakhrsKHh2rqOs8cnZHwzFks4tCnLQ==",AwsApiCall,,"us-west-2",591511147606,storage,DeleteBucket,19,11,14,february,11,tuesday,2025,0,,,,,,"s3.amazonaws.com",success,,Management,"7eaab402-5d05-49ff-a982-0f22ba85e11e",DeleteBucket,"s3.amazonaws.com","2025-02-11T19:14:11Z",AwsApiCall,"1.11","aws_cloudtrail_delete_events aws_cloudtrail_endpoint_change","ip-172-31-26-135",,aws,,1,true,success,"test-open-bucket-1739301225",bucket,bucket,"test-open-bucket-1739301225",CloudTrail,,,"{"""":_""."",_"""":_{"""":_"""",_"""":_"""",_"""":_"":::::/-"",_"""":_",false,,591511147606,"us-west-2",0DGNAYT4D0ZNSE9D,"test-open-bucket-1739301225.s3.us-west-2.amazonaws.com",,,,,,,,,"test-open-bucket-1739301225",,,,,,,,,,,,,,,,,,,,,,,,,,"arn:aws:s3:::test-open-bucket-1739301225",591511147606,"AWS::S3::Bucket",null,,,,,,,,,,DeleteBucket,"s3://cloudtrail-research-logs/AWSLogs/591511147606/CloudTrail/us-west-2/2025/02/11/591511147606_CloudTrail_us-west-2_20250211T1920Z_2u54J13dOzLeFH2F.json.gz","107.206.142.157","aws:cloudtrail","ip-172-31-26-135",,"107.206.142.157","107.206.142.157",,,"jose-attackrange",,,,,"2025-02-11T19:14:11Z",success,"change +cloud +endpoint",,,"change +cloud +endpoint",,,294,274,"TLS_AES_128_GCM_SHA256","test-open-bucket-1739301225.s3.us-west-2.amazonaws.com","TLSv1.3","jose-attackrange","[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.delete-bucket]",AKIAYTOGP2RLH3UD4F4T,591511147606,"arn:aws:iam::591511147606:user/jose-attackrange",,AIDAYTOGP2RLGWOCTTLJZ,,,,,,,,,IAMUser,"jose-attackrange","jose-attackrange",AKIAYTOGP2RLH3UD4F4T,"[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython 
cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.delete-bucket]","arn:aws:iam::591511147606:user/jose-attackrange",591511147606,,"jose-attackrange",,IAMUser,"Amazon Web Services",591511147606,"AWS CloudTrail","us-west-2" +"{""eventVersion"": ""1.11"", ""userIdentity"": {""type"": ""IAMUser"", ""principalId"": ""AIDAYTOGP2RLGWOCTTLJZ"", ""arn"": ""arn:aws:iam::591511147606:user/jose-attackrange"", ""accountId"": ""591511147606"", ""accessKeyId"": ""AKIAYTOGP2RLH3UD4F4T"", ""userName"": ""jose-attackrange""}, ""eventTime"": ""2025-02-11T19:14:05Z"", ""eventSource"": ""s3.amazonaws.com"", ""eventName"": ""PutBucketPolicy"", ""awsRegion"": ""us-west-2"", ""sourceIPAddress"": ""107.206.142.157"", ""userAgent"": ""[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-policy]"", ""requestParameters"": {""bucketPolicy"": {""Version"": ""2012-10-17"", ""Statement"": [{""Sid"": ""AllowPublicRead"", ""Effect"": ""Allow"", ""Principal"": ""*"", ""Action"": ""s3:GetObject"", ""Resource"": ""arn:aws:s3:::test-open-bucket-1739301225/*""}]}, ""bucketName"": ""test-open-bucket-1739301225"", ""Host"": ""test-open-bucket-1739301225.s3.us-west-2.amazonaws.com"", ""policy"": """"}, ""responseElements"": null, ""additionalEventData"": {""SignatureVersion"": ""SigV4"", ""CipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""bytesTransferredIn"": 284, ""AuthenticationMethod"": ""AuthHeader"", ""x-amz-id-2"": ""8opKb/1C9I9aONRRFCsj56/bX38G3lyNjVyvWGbbCTvde4u/8qwFLhzFbQwnJjw3mRbiKSw2nbk="", ""bytesTransferredOut"": 0}, ""requestID"": ""BF34WM913J7QAQGH"", ""eventID"": ""7ca37d90-608c-4b7e-aa55-aebaa0234214"", ""readOnly"": false, ""resources"": [{""accountId"": ""591511147606"", ""type"": ""AWS::S3::Bucket"", ""ARN"": ""arn:aws:s3:::test-open-bucket-1739301225""}], ""eventType"": ""AwsApiCall"", ""managementEvent"": true, 
""recipientAccountId"": ""591511147606"", ""eventCategory"": ""Management"", ""tlsDetails"": {""tlsVersion"": ""TLSv1.3"", ""cipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""clientProvidedHostHeader"": ""test-open-bucket-1739301225.s3.us-west-2.amazonaws.com""}}","2025-02-11T19:14:05.000+00:00",,AuthHeader,"TLS_AES_128_GCM_SHA256",,,SigV4,284,0,,,,,,"8opKb/1C9I9aONRRFCsj56/bX38G3lyNjVyvWGbbCTvde4u/8qwFLhzFbQwnJjw3mRbiKSw2nbk=",AwsApiCall,,"us-west-2",591511147606,storage,PutBucketPolicy,19,11,14,february,5,tuesday,2025,0,,"test-open-bucket-1739301225.s3.us-west-2.amazonaws.com",,,,"s3.amazonaws.com",success,,Management,"7ca37d90-608c-4b7e-aa55-aebaa0234214",PutBucketPolicy,"s3.amazonaws.com","2025-02-11T19:14:05Z",AwsApiCall,"1.11",,"$decideOnStartup",,aws,,1,true,success,"test-open-bucket-1739301225",,unknown,"test-open-bucket-1739301225",CloudTrail,,,"{"""":_""."",_"""":_{"""":_"""",_"""":_"""",_"""":_"":::::/-"",_"""":_",false,,591511147606,"us-west-2",BF34WM913J7QAQGH,"test-open-bucket-1739301225.s3.us-west-2.amazonaws.com",,,,,,,,,"test-open-bucket-1739301225","s3:GetObject",Allow,"*","arn:aws:s3:::test-open-bucket-1739301225/*",AllowPublicRead,"2012-10-17",,,,,,,,,,,,,"",,,,,,,"arn:aws:s3:::test-open-bucket-1739301225",591511147606,"AWS::S3::Bucket",null,,,,,,,,,,PutBucketPolicy,"s3://cloudtrail-research-logs/AWSLogs/591511147606/CloudTrail/us-west-2/2025/02/11/591511147606_CloudTrail_us-west-2_20250211T1920Z_2u54J13dOzLeFH2F.json.gz","107.206.142.157","aws:cloudtrail","ip-172-31-26-135",,"107.206.142.157","107.206.142.157",,,"jose-attackrange",,,,,"2025-02-11T19:14:05Z",,,,,,,,294,274,"TLS_AES_128_GCM_SHA256","test-open-bucket-1739301225.s3.us-west-2.amazonaws.com","TLSv1.3","jose-attackrange","[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off 
md/command#s3api.put-bucket-policy]",AKIAYTOGP2RLH3UD4F4T,591511147606,"arn:aws:iam::591511147606:user/jose-attackrange",,AIDAYTOGP2RLGWOCTTLJZ,,,,,,,,,IAMUser,"jose-attackrange","jose-attackrange",AKIAYTOGP2RLH3UD4F4T,"[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-policy]","arn:aws:iam::591511147606:user/jose-attackrange",591511147606,,"jose-attackrange",,IAMUser,"Amazon Web Services",591511147606,"AWS CloudTrail","us-west-2" +"{""eventVersion"": ""1.11"", ""userIdentity"": {""type"": ""IAMUser"", ""principalId"": ""AIDAYTOGP2RLGWOCTTLJZ"", ""arn"": ""arn:aws:iam::591511147606:user/jose-attackrange"", ""accountId"": ""591511147606"", ""accessKeyId"": ""AKIAYTOGP2RLH3UD4F4T"", ""userName"": ""jose-attackrange""}, ""eventTime"": ""2025-02-11T19:14:05Z"", ""eventSource"": ""s3.amazonaws.com"", ""eventName"": ""PutBucketPolicy"", ""awsRegion"": ""us-west-2"", ""sourceIPAddress"": ""107.206.142.157"", ""userAgent"": ""[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-policy]"", ""requestParameters"": {""bucketPolicy"": {""Version"": ""2012-10-17"", ""Statement"": [{""Sid"": ""AllowPublicRead"", ""Effect"": ""Allow"", ""Principal"": ""*"", ""Action"": ""s3:GetObject"", ""Resource"": ""arn:aws:s3:::test-open-bucket-1739301225/*""}]}, ""bucketName"": ""test-open-bucket-1739301225"", ""Host"": ""test-open-bucket-1739301225.s3.us-west-2.amazonaws.com"", ""policy"": """"}, ""responseElements"": null, ""additionalEventData"": {""SignatureVersion"": ""SigV4"", ""CipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""bytesTransferredIn"": 284, ""AuthenticationMethod"": ""AuthHeader"", ""x-amz-id-2"": ""8opKb/1C9I9aONRRFCsj56/bX38G3lyNjVyvWGbbCTvde4u/8qwFLhzFbQwnJjw3mRbiKSw2nbk="", 
""bytesTransferredOut"": 0}, ""requestID"": ""BF34WM913J7QAQGH"", ""eventID"": ""7ca37d90-608c-4b7e-aa55-aebaa0234214"", ""readOnly"": false, ""resources"": [{""accountId"": ""591511147606"", ""type"": ""AWS::S3::Bucket"", ""ARN"": ""arn:aws:s3:::test-open-bucket-1739301225""}], ""eventType"": ""AwsApiCall"", ""managementEvent"": true, ""recipientAccountId"": ""591511147606"", ""eventCategory"": ""Management"", ""tlsDetails"": {""tlsVersion"": ""TLSv1.3"", ""cipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""clientProvidedHostHeader"": ""test-open-bucket-1739301225.s3.us-west-2.amazonaws.com""}}","2025-02-11T19:14:05.000+00:00",,AuthHeader,"TLS_AES_128_GCM_SHA256",,,SigV4,284,0,,,,,,"8opKb/1C9I9aONRRFCsj56/bX38G3lyNjVyvWGbbCTvde4u/8qwFLhzFbQwnJjw3mRbiKSw2nbk=",AwsApiCall,,"us-west-2",591511147606,storage,PutBucketPolicy,19,11,14,february,5,tuesday,2025,0,,"test-open-bucket-1739301225.s3.us-west-2.amazonaws.com",,,,"s3.amazonaws.com",success,,Management,"7ca37d90-608c-4b7e-aa55-aebaa0234214",PutBucketPolicy,"s3.amazonaws.com","2025-02-11T19:14:05Z",AwsApiCall,"1.11",,"ip-172-31-26-135",,aws,,1,true,success,"test-open-bucket-1739301225",,unknown,"test-open-bucket-1739301225",CloudTrail,,,"{"""":_""."",_"""":_{"""":_"""",_"""":_"""",_"""":_"":::::/-"",_"""":_",false,,591511147606,"us-west-2",BF34WM913J7QAQGH,"test-open-bucket-1739301225.s3.us-west-2.amazonaws.com",,,,,,,,,"test-open-bucket-1739301225","s3:GetObject",Allow,"*","arn:aws:s3:::test-open-bucket-1739301225/*",AllowPublicRead,"2012-10-17",,,,,,,,,,,,,"",,,,,,,"arn:aws:s3:::test-open-bucket-1739301225",591511147606,"AWS::S3::Bucket",null,,,,,,,,,,PutBucketPolicy,"s3://cloudtrail-research-logs/AWSLogs/591511147606/CloudTrail/us-west-2/2025/02/11/591511147606_CloudTrail_us-west-2_20250211T1920Z_2u54J13dOzLeFH2F.json.gz","107.206.142.157","aws:cloudtrail","ip-172-31-26-135",,"107.206.142.157","107.206.142.157",,,"jose-attackrange",,,,,"2025-02-11T19:14:05Z",,,,,,,,294,274,"TLS_AES_128_GCM_SHA256","test-open-bucket-1739
301225.s3.us-west-2.amazonaws.com","TLSv1.3","jose-attackrange","[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-policy]",AKIAYTOGP2RLH3UD4F4T,591511147606,"arn:aws:iam::591511147606:user/jose-attackrange",,AIDAYTOGP2RLGWOCTTLJZ,,,,,,,,,IAMUser,"jose-attackrange","jose-attackrange",AKIAYTOGP2RLH3UD4F4T,"[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-policy]","arn:aws:iam::591511147606:user/jose-attackrange",591511147606,,"jose-attackrange",,IAMUser,"Amazon Web Services",591511147606,"AWS CloudTrail","us-west-2" +"{""eventVersion"": ""1.11"", ""userIdentity"": {""type"": ""IAMUser"", ""principalId"": ""AIDAYTOGP2RLGWOCTTLJZ"", ""arn"": ""arn:aws:iam::591511147606:user/jose-attackrange"", ""accountId"": ""591511147606"", ""accessKeyId"": ""AKIAYTOGP2RLH3UD4F4T"", ""userName"": ""jose-attackrange""}, ""eventTime"": ""2025-02-11T19:12:42Z"", ""eventSource"": ""s3.amazonaws.com"", ""eventName"": ""PutBucketPolicy"", ""awsRegion"": ""us-west-2"", ""sourceIPAddress"": ""107.206.142.157"", ""userAgent"": ""[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-policy]"", ""errorCode"": ""AccessDenied"", ""errorMessage"": ""User: arn:aws:iam::591511147606:user/jose-attackrange is not authorized to perform: s3:PutBucketPolicy on resource: \""arn:aws:s3:::test-open-bucket-1739301151\"" because public policies are blocked by the BlockPublicPolicy block public access setting."", ""requestParameters"": {""bucketPolicy"": {""Version"": ""2012-10-17"", ""Statement"": [{""Sid"": ""AllowPublicRead"", ""Effect"": ""Allow"", ""Principal"": ""*"", ""Action"": 
""s3:GetObject"", ""Resource"": ""arn:aws:s3:::test-open-bucket-1739301151/*""}]}, ""bucketName"": ""test-open-bucket-1739301151"", ""Host"": ""test-open-bucket-1739301151.s3.us-west-2.amazonaws.com"", ""policy"": """"}, ""responseElements"": null, ""additionalEventData"": {""SignatureVersion"": ""SigV4"", ""CipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""bytesTransferredIn"": 284, ""AuthenticationMethod"": ""AuthHeader"", ""x-amz-id-2"": ""vHrxjAOMLHFck1r3LqW4iDJ2ce5r7zjP9cqEyvEnfRFjiMf2HJrqVRLVeH7LyWcz0D3eG57xGfoLa0ZyoNROKA=="", ""bytesTransferredOut"": 490}, ""requestID"": ""G7RZAQT65DG2C50D"", ""eventID"": ""0539e786-7b22-4311-816c-526590f6dcbd"", ""readOnly"": false, ""resources"": [{""accountId"": ""591511147606"", ""type"": ""AWS::S3::Bucket"", ""ARN"": ""arn:aws:s3:::test-open-bucket-1739301151""}], ""eventType"": ""AwsApiCall"", ""managementEvent"": true, ""recipientAccountId"": ""591511147606"", ""eventCategory"": ""Management"", ""tlsDetails"": {""tlsVersion"": ""TLSv1.3"", ""cipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""clientProvidedHostHeader"": ""test-open-bucket-1739301151.s3.us-west-2.amazonaws.com""}}","2025-02-11T19:12:42.000+00:00",,AuthHeader,"TLS_AES_128_GCM_SHA256",,,SigV4,284,490,,,,,,"vHrxjAOMLHFck1r3LqW4iDJ2ce5r7zjP9cqEyvEnfRFjiMf2HJrqVRLVeH7LyWcz0D3eG57xGfoLa0ZyoNROKA==",AwsApiCall,,"us-west-2",591511147606,storage,PutBucketPolicy,19,11,12,february,42,tuesday,2025,0,,"test-open-bucket-1739301151.s3.us-west-2.amazonaws.com",,,,"s3.amazonaws.com",AccessDenied,"User: arn:aws:iam::591511147606:user/jose-attackrange is not authorized to perform: s3:PutBucketPolicy on resource: ""arn:aws:s3:::test-open-bucket-1739301151"" because public policies are blocked by the BlockPublicPolicy block public access 
setting.",Management,"0539e786-7b22-4311-816c-526590f6dcbd",PutBucketPolicy,"s3.amazonaws.com","2025-02-11T19:12:42Z",AwsApiCall,"1.11","aws_cloudtrail_errors","$decideOnStartup",,aws,,1,true,AccessDenied,"test-open-bucket-1739301151",,unknown,"test-open-bucket-1739301151",CloudTrail,,,"{"""":_""."",_"""":_{"""":_"""",_"""":_"""",_"""":_"":::::/-"",_"""":_",false,"User: arn:aws:iam::591511147606:user/jose-attackrange is not authorized to perform: s3:PutBucketPolicy on resource: ""arn:aws:s3:::test-open-bucket-1739301151"" because public policies are blocked by the BlockPublicPolicy block public access setting.",591511147606,"us-west-2",G7RZAQT65DG2C50D,"test-open-bucket-1739301151.s3.us-west-2.amazonaws.com",,,,,,,,,"test-open-bucket-1739301151","s3:GetObject",Allow,"*","arn:aws:s3:::test-open-bucket-1739301151/*",AllowPublicRead,"2012-10-17",,,,,,,,,,,,,"",,,,,,,"arn:aws:s3:::test-open-bucket-1739301151",591511147606,"AWS::S3::Bucket",null,,,,,,"User: arn:aws:iam::591511147606:user/jose-attackrange is not authorized to perform: s3:PutBucketPolicy on resource: ""arn:aws:s3:::test-open-bucket-1739301151"" because public policies are blocked by the BlockPublicPolicy block public access setting.",AccessDenied,,,PutBucketPolicy,"s3://cloudtrail-research-logs/AWSLogs/591511147606/CloudTrail/us-west-2/2025/02/11/591511147606_CloudTrail_us-west-2_20250211T1920Z_2u54J13dOzLeFH2F.json.gz","107.206.142.157","aws:cloudtrail","ip-172-31-26-135",,"107.206.142.157","107.206.142.157",,,"jose-attackrange",,,,,"2025-02-11T19:12:42Z",,"cloud +error",,,"cloud +error",,,294,274,"TLS_AES_128_GCM_SHA256","test-open-bucket-1739301151.s3.us-west-2.amazonaws.com","TLSv1.3","jose-attackrange","[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off 
md/command#s3api.put-bucket-policy]",AKIAYTOGP2RLH3UD4F4T,591511147606,"arn:aws:iam::591511147606:user/jose-attackrange",,AIDAYTOGP2RLGWOCTTLJZ,,,,,,,,,IAMUser,"jose-attackrange","jose-attackrange",AKIAYTOGP2RLH3UD4F4T,"[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-policy]","arn:aws:iam::591511147606:user/jose-attackrange",591511147606,,"jose-attackrange",,IAMUser,"Amazon Web Services",591511147606,"AWS CloudTrail","us-west-2" +"{""eventVersion"": ""1.11"", ""userIdentity"": {""type"": ""IAMUser"", ""principalId"": ""AIDAYTOGP2RLGWOCTTLJZ"", ""arn"": ""arn:aws:iam::591511147606:user/jose-attackrange"", ""accountId"": ""591511147606"", ""accessKeyId"": ""AKIAYTOGP2RLH3UD4F4T"", ""userName"": ""jose-attackrange""}, ""eventTime"": ""2025-02-11T19:12:42Z"", ""eventSource"": ""s3.amazonaws.com"", ""eventName"": ""PutBucketPolicy"", ""awsRegion"": ""us-west-2"", ""sourceIPAddress"": ""107.206.142.157"", ""userAgent"": ""[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-policy]"", ""errorCode"": ""AccessDenied"", ""errorMessage"": ""User: arn:aws:iam::591511147606:user/jose-attackrange is not authorized to perform: s3:PutBucketPolicy on resource: \""arn:aws:s3:::test-open-bucket-1739301151\"" because public policies are blocked by the BlockPublicPolicy block public access setting."", ""requestParameters"": {""bucketPolicy"": {""Version"": ""2012-10-17"", ""Statement"": [{""Sid"": ""AllowPublicRead"", ""Effect"": ""Allow"", ""Principal"": ""*"", ""Action"": ""s3:GetObject"", ""Resource"": ""arn:aws:s3:::test-open-bucket-1739301151/*""}]}, ""bucketName"": ""test-open-bucket-1739301151"", ""Host"": ""test-open-bucket-1739301151.s3.us-west-2.amazonaws.com"", ""policy"": """"}, 
""responseElements"": null, ""additionalEventData"": {""SignatureVersion"": ""SigV4"", ""CipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""bytesTransferredIn"": 284, ""AuthenticationMethod"": ""AuthHeader"", ""x-amz-id-2"": ""vHrxjAOMLHFck1r3LqW4iDJ2ce5r7zjP9cqEyvEnfRFjiMf2HJrqVRLVeH7LyWcz0D3eG57xGfoLa0ZyoNROKA=="", ""bytesTransferredOut"": 490}, ""requestID"": ""G7RZAQT65DG2C50D"", ""eventID"": ""0539e786-7b22-4311-816c-526590f6dcbd"", ""readOnly"": false, ""resources"": [{""accountId"": ""591511147606"", ""type"": ""AWS::S3::Bucket"", ""ARN"": ""arn:aws:s3:::test-open-bucket-1739301151""}], ""eventType"": ""AwsApiCall"", ""managementEvent"": true, ""recipientAccountId"": ""591511147606"", ""eventCategory"": ""Management"", ""tlsDetails"": {""tlsVersion"": ""TLSv1.3"", ""cipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""clientProvidedHostHeader"": ""test-open-bucket-1739301151.s3.us-west-2.amazonaws.com""}}","2025-02-11T19:12:42.000+00:00",,AuthHeader,"TLS_AES_128_GCM_SHA256",,,SigV4,284,490,,,,,,"vHrxjAOMLHFck1r3LqW4iDJ2ce5r7zjP9cqEyvEnfRFjiMf2HJrqVRLVeH7LyWcz0D3eG57xGfoLa0ZyoNROKA==",AwsApiCall,,"us-west-2",591511147606,storage,PutBucketPolicy,19,11,12,february,42,tuesday,2025,0,,"test-open-bucket-1739301151.s3.us-west-2.amazonaws.com",,,,"s3.amazonaws.com",AccessDenied,"User: arn:aws:iam::591511147606:user/jose-attackrange is not authorized to perform: s3:PutBucketPolicy on resource: ""arn:aws:s3:::test-open-bucket-1739301151"" because public policies are blocked by the BlockPublicPolicy block public access setting.",Management,"0539e786-7b22-4311-816c-526590f6dcbd",PutBucketPolicy,"s3.amazonaws.com","2025-02-11T19:12:42Z",AwsApiCall,"1.11","aws_cloudtrail_errors","ip-172-31-26-135",,aws,,1,true,AccessDenied,"test-open-bucket-1739301151",,unknown,"test-open-bucket-1739301151",CloudTrail,,,"{"""":_""."",_"""":_{"""":_"""",_"""":_"""",_"""":_"":::::/-"",_"""":_",false,"User: arn:aws:iam::591511147606:user/jose-attackrange is not authorized to perform: s3:PutBucketPolicy on 
resource: ""arn:aws:s3:::test-open-bucket-1739301151"" because public policies are blocked by the BlockPublicPolicy block public access setting.",591511147606,"us-west-2",G7RZAQT65DG2C50D,"test-open-bucket-1739301151.s3.us-west-2.amazonaws.com",,,,,,,,,"test-open-bucket-1739301151","s3:GetObject",Allow,"*","arn:aws:s3:::test-open-bucket-1739301151/*",AllowPublicRead,"2012-10-17",,,,,,,,,,,,,"",,,,,,,"arn:aws:s3:::test-open-bucket-1739301151",591511147606,"AWS::S3::Bucket",null,,,,,,"User: arn:aws:iam::591511147606:user/jose-attackrange is not authorized to perform: s3:PutBucketPolicy on resource: ""arn:aws:s3:::test-open-bucket-1739301151"" because public policies are blocked by the BlockPublicPolicy block public access setting.",AccessDenied,,,PutBucketPolicy,"s3://cloudtrail-research-logs/AWSLogs/591511147606/CloudTrail/us-west-2/2025/02/11/591511147606_CloudTrail_us-west-2_20250211T1920Z_2u54J13dOzLeFH2F.json.gz","107.206.142.157","aws:cloudtrail","ip-172-31-26-135",,"107.206.142.157","107.206.142.157",,,"jose-attackrange",,,,,"2025-02-11T19:12:42Z",,"cloud +error",,,"cloud +error",,,294,274,"TLS_AES_128_GCM_SHA256","test-open-bucket-1739301151.s3.us-west-2.amazonaws.com","TLSv1.3","jose-attackrange","[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-policy]",AKIAYTOGP2RLH3UD4F4T,591511147606,"arn:aws:iam::591511147606:user/jose-attackrange",,AIDAYTOGP2RLGWOCTTLJZ,,,,,,,,,IAMUser,"jose-attackrange","jose-attackrange",AKIAYTOGP2RLH3UD4F4T,"[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-policy]","arn:aws:iam::591511147606:user/jose-attackrange",591511147606,,"jose-attackrange",,IAMUser,"Amazon Web Services",591511147606,"AWS CloudTrail","us-west-2" 
diff --git a/datasets/attack_techniques/T1485/s3_bucket_deletion/simulate_open_bucket.yml b/datasets/attack_techniques/T1485/s3_bucket_deletion/simulate_open_bucket.yml
new file mode 100644
index 00000000..e8c5643a
--- /dev/null
+++ b/datasets/attack_techniques/T1485/s3_bucket_deletion/simulate_open_bucket.yml
@@ -0,0 +1,14 @@
+author: Jose Hernandez
+id: 984e9022-b87b-499a-a260-8d0282c46ea2
+date: '2025-02-14'
+description: Dataset generated from AWS CloudTrail logs capturing the lifecycle of an intentionally exposed S3 bucket, including its creation, public access configuration (via bucket policy and website hosting), and subsequent deletion. This simulates the detection of potentially risky S3 bucket configurations and their decommissioning process.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/s3_bucket_deletion/s3_bucket_deletion.csv
+sourcetypes:
+- aws:cloudtrail
+references:
+- https://attack.mitre.org/techniques/T1485/
+- https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
+- https://labs.watchtowr.com/8-million-requests-later-we-made-the-solarwinds-supply-chain-attack-look-amateur/
+- https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/
From 159580f50d5e96e1dae753f2c7f3299367e18761 Mon Sep 17 00:00:00 2001
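Review bot: The `description` line in simulate_open_bucket.yml leaves out two properties of the CSV that matter to anyone validating a detection against it. In the rows visible in this patch each CloudTrail event appears twice, once with `host` `$decideOnStartup` and once with `ip-172-31-26-135`, and the capture holds a `PutBucketPolicy` call rejected with `AccessDenied` by BlockPublicPolicy as well as a successful one. I would append a sentence such as `Contains a PutBucketPolicy attempt denied by Block Public Access in addition to the successful one; events are duplicated across two host values.` The rows also carry the account ID, access key ID and source IP unredacted; if that is deliberate for an attack_range account, this metadata file is the place to say so.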
From: research-bot Date: Thu, 13 Feb 2025 16:23:51 -0800 Subject: [PATCH 2/6] updating datasets --- .../decommissioned_buckets/cloudtrail.json | 3 ++ .../decommissioned_buckets.yml} | 6 +++- .../T1485/decommissioned_buckets/dns.log | 0 .../T1485/decommissioned_buckets/web.log | 0 .../s3_bucket_deletion/s3_bucket_deletion.csv | 33 ------------------- 5 files changed, 8 insertions(+), 34 deletions(-) create mode 100644 datasets/attack_techniques/T1485/decommissioned_buckets/cloudtrail.json rename datasets/attack_techniques/T1485/{s3_bucket_deletion/simulate_open_bucket.yml => decommissioned_buckets/decommissioned_buckets.yml} (70%) create mode 100644 datasets/attack_techniques/T1485/decommissioned_buckets/dns.log create mode 100644 datasets/attack_techniques/T1485/decommissioned_buckets/web.log delete mode 100644 datasets/attack_techniques/T1485/s3_bucket_deletion/s3_bucket_deletion.csv
diff --git a/datasets/attack_techniques/T1485/decommissioned_buckets/cloudtrail.json b/datasets/attack_techniques/T1485/decommissioned_buckets/cloudtrail.json
new file mode 100644
index 00000000..3b7f4600
--- /dev/null
+++ b/datasets/attack_techniques/T1485/decommissioned_buckets/cloudtrail.json
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3120f96bef4d9b58c1991d5ef2c95dc64f241ca734c52368274735bfac5f7ee6
+size 16601
diff --git a/datasets/attack_techniques/T1485/s3_bucket_deletion/simulate_open_bucket.yml b/datasets/attack_techniques/T1485/decommissioned_buckets/decommissioned_buckets.yml
similarity index 70%
rename from datasets/attack_techniques/T1485/s3_bucket_deletion/simulate_open_bucket.yml
rename to datasets/attack_techniques/T1485/decommissioned_buckets/decommissioned_buckets.yml
index e8c5643a..0a6f2064 100644
--- a/datasets/attack_techniques/T1485/s3_bucket_deletion/simulate_open_bucket.yml
+++ b/datasets/attack_techniques/T1485/decommissioned_buckets/decommissioned_buckets.yml
@@ -4,9 +4,13 @@ date: '2025-02-14'
 description: Dataset generated from AWS CloudTrail logs capturing the lifecycle of an intentionally exposed S3 bucket, including its creation, public access configuration (via bucket policy and website hosting), and subsequent deletion. This simulates the detection of potentially risky S3 bucket configurations and their decommissioning process.
 environment: attack_range
 dataset:
-- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/s3_bucket_deletion/s3_bucket_deletion.csv
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/T1485/decommissioned_buckets/cloudtrail.json
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/T1485/decommissioned_buckets/dns.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/T1485/decommissioned_buckets/web.log
 sourcetypes:
 - aws:cloudtrail
+- dns
+- web
 references:
 - https://attack.mitre.org/techniques/T1485/
 - https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
diff --git a/datasets/attack_techniques/T1485/decommissioned_buckets/dns.log b/datasets/attack_techniques/T1485/decommissioned_buckets/dns.log
new file mode 100644
index 00000000..e69de29b
diff --git a/datasets/attack_techniques/T1485/decommissioned_buckets/web.log b/datasets/attack_techniques/T1485/decommissioned_buckets/web.log
new file mode 100644
index 00000000..e69de29b
diff --git a/datasets/attack_techniques/T1485/s3_bucket_deletion/s3_bucket_deletion.csv b/datasets/attack_techniques/T1485/s3_bucket_deletion/s3_bucket_deletion.csv
deleted file mode 100644
index 884222b2..00000000
--- a/datasets/attack_techniques/T1485/s3_bucket_deletion/s3_bucket_deletion.csv
+++ /dev/null
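Review bot: The three new `dataset` URLs in decommissioned_buckets.yml repeat the technique directory (`.../attack_techniques/T1485/T1485/decommissioned_buckets/...`), while this commit adds the files under `datasets/attack_techniques/T1485/decommissioned_buckets/`, so the links will most likely not resolve. Drop the duplicated segment in all three, e.g. `- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/decommissioned_buckets/cloudtrail.json`. Separately, dns.log and web.log are created as empty files in this commit (blob `e69de29b`) yet are already listed with sourcetypes `dns` and `web`, and the unchanged `description` still speaks of CloudTrail logs only. Either populate them here and update the description, or leave the two entries out until the files have content.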
@@ -1,33 +0,0 @@ -"_raw","_time",action,"additionalEventData.AuthenticationMethod","additionalEventData.CipherSuite","additionalEventData.RequestDetails.awsServingRegion","additionalEventData.RequestDetails.endpointType","additionalEventData.SignatureVersion","additionalEventData.bytesTransferredIn","additionalEventData.bytesTransferredOut","additionalEventData.configRuleArn","additionalEventData.configRuleInputParameters","additionalEventData.configRuleName","additionalEventData.managedRuleIdentifier","additionalEventData.notificationJobType","additionalEventData.x-amz-id-2",app,"authentication_method",awsRegion,"aws_account_id","change_type",command,"date_hour","date_mday","date_minute","date_month","date_second","date_wday","date_year","date_zone",desc,dest,"dest_ip_range","dest_port_range",direction,dvc,errorCode,errorMessage,eventCategory,eventID,eventName,eventSource,eventTime,eventType,eventVersion,eventtype,host,"image_id",index,"instance_type",linecount,managementEvent,msg,object,"object_attrs","object_category","object_id",product,protocol,"protocol_code",punct,readOnly,reason,recipientAccountId,region,requestID,"requestParameters.Host","requestParameters.WebsiteConfiguration.ErrorDocument.Key","requestParameters.WebsiteConfiguration.IndexDocument.Suffix","requestParameters.WebsiteConfiguration.xmlns","requestParameters.agentName","requestParameters.agentStatus","requestParameters.agentVersion","requestParameters.availabilityZone","requestParameters.availabilityZoneId","requestParameters.bucketName","requestParameters.bucketPolicy.Statement{}.Action","requestParameters.bucketPolicy.Statement{}.Effect","requestParameters.bucketPolicy.Statement{}.Principal","requestParameters.bucketPolicy.Statement{}.Resource","requestParameters.bucketPolicy.Statement{}.Sid","requestParameters.bucketPolicy.Version","requestParameters.computerName","requestParameters.durationSeconds","requestParameters.evaluations{}.complianceResourceId","requestParameters.evaluations{}.compl
ianceResourceType","requestParameters.evaluations{}.complianceType","requestParameters.evaluations{}.orderingTimestamp","requestParameters.iPAddress","requestParameters.instanceId","requestParameters.location","requestParameters.platformName","requestParameters.platformType","requestParameters.platformVersion","requestParameters.policy","requestParameters.resultToken","requestParameters.roleArn","requestParameters.roleSessionName","requestParameters.sSMConnectionChannel","requestParameters.testMode","requestParameters.website","resources{}.ARN","resources{}.accountId","resources{}.type",responseElements,"responseElements.assumedRoleUser.arn","responseElements.assumedRoleUser.assumedRoleId","responseElements.credentials.accessKeyId","responseElements.credentials.expiration","responseElements.credentials.sessionToken",result,"result_id","rule_action",sharedEventID,signature,source,sourceIPAddress,sourcetype,"splunk_server","splunk_server_group",src,"src_ip","src_ip_range","src_port_range","src_user","src_user_id","src_user_name","src_user_role","src_user_type","start_time",status,tag,"tag::action","tag::app","tag::eventtype","tag::object_category","temp_access_key",timeendpos,timestartpos,"tlsDetails.cipherSuite","tlsDetails.clientProvidedHostHeader","tlsDetails.tlsVersion",user,userAgent,"userIdentity.accessKeyId","userIdentity.accountId","userIdentity.arn","userIdentity.invokedBy","userIdentity.principalId","userIdentity.sessionContext.attributes.creationDate","userIdentity.sessionContext.attributes.mfaAuthenticated","userIdentity.sessionContext.ec2RoleDelivery","userIdentity.sessionContext.sessionIssuer.accountId","userIdentity.sessionContext.sessionIssuer.arn","userIdentity.sessionContext.sessionIssuer.principalId","userIdentity.sessionContext.sessionIssuer.type","userIdentity.sessionContext.sessionIssuer.userName","userIdentity.type","userIdentity.userName",userName,"user_access_key","user_agent","user_arn","user_group_id","user_id","user_name","user_role","user_
type",vendor,"vendor_account","vendor_product","vendor_region" -"{""eventVersion"": ""1.11"", ""userIdentity"": {""type"": ""IAMUser"", ""principalId"": ""AIDAYTOGP2RLGWOCTTLJZ"", ""arn"": ""arn:aws:iam::591511147606:user/jose-attackrange"", ""accountId"": ""591511147606"", ""accessKeyId"": ""AKIAYTOGP2RLH3UD4F4T"", ""userName"": ""jose-attackrange""}, ""eventTime"": ""2025-02-11T20:04:34Z"", ""eventSource"": ""s3.amazonaws.com"", ""eventName"": ""DeleteBucket"", ""awsRegion"": ""us-west-2"", ""sourceIPAddress"": ""107.206.142.157"", ""userAgent"": ""[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.delete-bucket]"", ""requestParameters"": {""bucketName"": ""test-open-bucket-1739304249"", ""Host"": ""test-open-bucket-1739304249.s3.us-west-2.amazonaws.com""}, ""responseElements"": null, ""additionalEventData"": {""SignatureVersion"": ""SigV4"", ""CipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""bytesTransferredIn"": 0, ""AuthenticationMethod"": ""AuthHeader"", ""x-amz-id-2"": ""nDFzwn66DVWFAeo6zS/8asc49egXGcA48MXVrYH31966fnavbcwvugRJi94stdk4CSI7fC7WIuA="", ""bytesTransferredOut"": 0}, ""requestID"": ""42RV24EV0R48ZVSS"", ""eventID"": ""07af2978-cb74-4607-8cd1-639169660a48"", ""readOnly"": false, ""resources"": [{""accountId"": ""591511147606"", ""type"": ""AWS::S3::Bucket"", ""ARN"": ""arn:aws:s3:::test-open-bucket-1739304249""}], ""eventType"": ""AwsApiCall"", ""managementEvent"": true, ""recipientAccountId"": ""591511147606"", ""eventCategory"": ""Management"", ""tlsDetails"": {""tlsVersion"": ""TLSv1.3"", ""cipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""clientProvidedHostHeader"": 
""test-open-bucket-1739304249.s3.us-west-2.amazonaws.com""}}","2025-02-11T20:04:34.000+00:00",deleted,AuthHeader,"TLS_AES_128_GCM_SHA256",,,SigV4,0,0,,,,,,"nDFzwn66DVWFAeo6zS/8asc49egXGcA48MXVrYH31966fnavbcwvugRJi94stdk4CSI7fC7WIuA=",AwsApiCall,,"us-west-2",591511147606,storage,DeleteBucket,20,11,4,february,34,tuesday,2025,0,,,,,,"s3.amazonaws.com",success,,Management,"07af2978-cb74-4607-8cd1-639169660a48",DeleteBucket,"s3.amazonaws.com","2025-02-11T20:04:34Z",AwsApiCall,"1.11","aws_cloudtrail_delete_events aws_cloudtrail_endpoint_change","$decideOnStartup",,aws,,1,true,success,"test-open-bucket-1739304249",bucket,bucket,"test-open-bucket-1739304249",CloudTrail,,,"{"""":_""."",_"""":_{"""":_"""",_"""":_"""",_"""":_"":::::/-"",_"""":_",false,,591511147606,"us-west-2",42RV24EV0R48ZVSS,"test-open-bucket-1739304249.s3.us-west-2.amazonaws.com",,,,,,,,,"test-open-bucket-1739304249",,,,,,,,,,,,,,,,,,,,,,,,,,"arn:aws:s3:::test-open-bucket-1739304249",591511147606,"AWS::S3::Bucket",null,,,,,,,,,,DeleteBucket,"s3://cloudtrail-research-logs/AWSLogs/591511147606/CloudTrail/us-west-2/2025/02/11/591511147606_CloudTrail_us-west-2_20250211T2010Z_eEeOfZiLWYq75gdT.json.gz","107.206.142.157","aws:cloudtrail","ip-172-31-26-135",,"107.206.142.157","107.206.142.157",,,"jose-attackrange",,,,,"2025-02-11T20:04:34Z",success,"change -cloud -endpoint",,,"change -cloud -endpoint",,,294,274,"TLS_AES_128_GCM_SHA256","test-open-bucket-1739304249.s3.us-west-2.amazonaws.com","TLSv1.3","jose-attackrange","[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.delete-bucket]",AKIAYTOGP2RLH3UD4F4T,591511147606,"arn:aws:iam::591511147606:user/jose-attackrange",,AIDAYTOGP2RLGWOCTTLJZ,,,,,,,,,IAMUser,"jose-attackrange","jose-attackrange",AKIAYTOGP2RLH3UD4F4T,"[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython 
cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.delete-bucket]","arn:aws:iam::591511147606:user/jose-attackrange",591511147606,,"jose-attackrange",,IAMUser,"Amazon Web Services",591511147606,"AWS CloudTrail","us-west-2" -"{""eventVersion"": ""1.11"", ""userIdentity"": {""type"": ""IAMUser"", ""principalId"": ""AIDAYTOGP2RLGWOCTTLJZ"", ""arn"": ""arn:aws:iam::591511147606:user/jose-attackrange"", ""accountId"": ""591511147606"", ""accessKeyId"": ""AKIAYTOGP2RLH3UD4F4T"", ""userName"": ""jose-attackrange""}, ""eventTime"": ""2025-02-11T20:04:28Z"", ""eventSource"": ""s3.amazonaws.com"", ""eventName"": ""PutBucketWebsite"", ""awsRegion"": ""us-west-2"", ""sourceIPAddress"": ""107.206.142.157"", ""userAgent"": ""[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-website]"", ""requestParameters"": {""WebsiteConfiguration"": {""IndexDocument"": {""Suffix"": ""index.html""}, ""xmlns"": ""http://s3.amazonaws.com/doc/2006-03-01/"", ""ErrorDocument"": {""Key"": ""error.html""}}, ""bucketName"": ""test-open-bucket-1739304249"", ""website"": """", ""Host"": ""test-open-bucket-1739304249.s3.us-west-2.amazonaws.com""}, ""responseElements"": null, ""additionalEventData"": {""SignatureVersion"": ""SigV4"", ""CipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""bytesTransferredIn"": 203, ""AuthenticationMethod"": ""AuthHeader"", ""x-amz-id-2"": ""jZcuGBVBG4z7iHjB4ra2tDFPP9BJHCxNYgL3h7f5nqm8vc7NsbPLXir7CCGB6Mcutt4gvbpJ/4o="", ""bytesTransferredOut"": 0}, ""requestID"": ""N1FHW450SVHS00GP"", ""eventID"": ""be0db83f-ba3c-43cd-a3da-e686a090557e"", ""readOnly"": false, ""resources"": [{""accountId"": ""591511147606"", ""type"": ""AWS::S3::Bucket"", ""ARN"": ""arn:aws:s3:::test-open-bucket-1739304249""}], ""eventType"": ""AwsApiCall"", ""managementEvent"": true, ""recipientAccountId"": ""591511147606"", ""eventCategory"": 
""Management"", ""tlsDetails"": {""tlsVersion"": ""TLSv1.3"", ""cipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""clientProvidedHostHeader"": ""test-open-bucket-1739304249.s3.us-west-2.amazonaws.com""}}","2025-02-11T20:04:28.000+00:00",,AuthHeader,"TLS_AES_128_GCM_SHA256",,,SigV4,203,0,,,,,,"jZcuGBVBG4z7iHjB4ra2tDFPP9BJHCxNYgL3h7f5nqm8vc7NsbPLXir7CCGB6Mcutt4gvbpJ/4o=",AwsApiCall,,"us-west-2",591511147606,storage,PutBucketWebsite,20,11,4,february,28,tuesday,2025,0,,"test-open-bucket-1739304249.s3.us-west-2.amazonaws.com",,,,"s3.amazonaws.com",success,,Management,"be0db83f-ba3c-43cd-a3da-e686a090557e",PutBucketWebsite,"s3.amazonaws.com","2025-02-11T20:04:28Z",AwsApiCall,"1.11",err0r,"$decideOnStartup",,aws,,1,true,success,"test-open-bucket-1739304249",,unknown,"test-open-bucket-1739304249",CloudTrail,,,"{"""":_""."",_"""":_{"""":_"""",_"""":_"""",_"""":_"":::::/-"",_"""":_",false,,591511147606,"us-west-2",N1FHW450SVHS00GP,"test-open-bucket-1739304249.s3.us-west-2.amazonaws.com","error.html","index.html","http://s3.amazonaws.com/doc/2006-03-01/",,,,,,"test-open-bucket-1739304249",,,,,,,,,,,,,,,,,,,,,,,,,"","arn:aws:s3:::test-open-bucket-1739304249",591511147606,"AWS::S3::Bucket",null,,,,,,,,,,PutBucketWebsite,"s3://cloudtrail-research-logs/AWSLogs/591511147606/CloudTrail/us-west-2/2025/02/11/591511147606_CloudTrail_us-west-2_20250211T2010Z_eEeOfZiLWYq75gdT.json.gz","107.206.142.157","aws:cloudtrail","ip-172-31-26-135",,"107.206.142.157","107.206.142.157",,,"jose-attackrange",,,,,"2025-02-11T20:04:28Z",,error,,,error,,,294,274,"TLS_AES_128_GCM_SHA256","test-open-bucket-1739304249.s3.us-west-2.amazonaws.com","TLSv1.3","jose-attackrange","[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off 
md/command#s3api.put-bucket-website]",AKIAYTOGP2RLH3UD4F4T,591511147606,"arn:aws:iam::591511147606:user/jose-attackrange",,AIDAYTOGP2RLGWOCTTLJZ,,,,,,,,,IAMUser,"jose-attackrange","jose-attackrange",AKIAYTOGP2RLH3UD4F4T,"[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-website]","arn:aws:iam::591511147606:user/jose-attackrange",591511147606,,"jose-attackrange",,IAMUser,"Amazon Web Services",591511147606,"AWS CloudTrail","us-west-2" -"{""eventVersion"": ""1.11"", ""userIdentity"": {""type"": ""IAMUser"", ""principalId"": ""AIDAYTOGP2RLGWOCTTLJZ"", ""arn"": ""arn:aws:iam::591511147606:user/jose-attackrange"", ""accountId"": ""591511147606"", ""accessKeyId"": ""AKIAYTOGP2RLH3UD4F4T"", ""userName"": ""jose-attackrange""}, ""eventTime"": ""2025-02-11T20:04:22Z"", ""eventSource"": ""s3.amazonaws.com"", ""eventName"": ""PutBucketPolicy"", ""awsRegion"": ""us-west-2"", ""sourceIPAddress"": ""107.206.142.157"", ""userAgent"": ""[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-policy]"", ""requestParameters"": {""bucketPolicy"": {""Version"": ""2012-10-17"", ""Statement"": [{""Sid"": ""AllowPublicRead"", ""Effect"": ""Allow"", ""Principal"": ""*"", ""Action"": ""s3:GetObject"", ""Resource"": ""arn:aws:s3:::test-open-bucket-1739304249/*""}]}, ""bucketName"": ""test-open-bucket-1739304249"", ""Host"": ""test-open-bucket-1739304249.s3.us-west-2.amazonaws.com"", ""policy"": """"}, ""responseElements"": null, ""additionalEventData"": {""SignatureVersion"": ""SigV4"", ""CipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""bytesTransferredIn"": 284, ""AuthenticationMethod"": ""AuthHeader"", ""x-amz-id-2"": ""mON4xLwE0TanIASUQPrVT5tsDHjBZMhHdXKrHbUB2DIetZU/Ir76USUOQDM5THRqc35gsN1Qxos="", 
""bytesTransferredOut"": 0}, ""requestID"": ""0B2N5RT4DGQW76AX"", ""eventID"": ""966058bc-97dc-47cb-9ff2-4528f346d4af"", ""readOnly"": false, ""resources"": [{""accountId"": ""591511147606"", ""type"": ""AWS::S3::Bucket"", ""ARN"": ""arn:aws:s3:::test-open-bucket-1739304249""}], ""eventType"": ""AwsApiCall"", ""managementEvent"": true, ""recipientAccountId"": ""591511147606"", ""eventCategory"": ""Management"", ""tlsDetails"": {""tlsVersion"": ""TLSv1.3"", ""cipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""clientProvidedHostHeader"": ""test-open-bucket-1739304249.s3.us-west-2.amazonaws.com""}}","2025-02-11T20:04:22.000+00:00",,AuthHeader,"TLS_AES_128_GCM_SHA256",,,SigV4,284,0,,,,,,"mON4xLwE0TanIASUQPrVT5tsDHjBZMhHdXKrHbUB2DIetZU/Ir76USUOQDM5THRqc35gsN1Qxos=",AwsApiCall,,"us-west-2",591511147606,storage,PutBucketPolicy,20,11,4,february,22,tuesday,2025,0,,"test-open-bucket-1739304249.s3.us-west-2.amazonaws.com",,,,"s3.amazonaws.com",success,,Management,"966058bc-97dc-47cb-9ff2-4528f346d4af",PutBucketPolicy,"s3.amazonaws.com","2025-02-11T20:04:22Z",AwsApiCall,"1.11",,"$decideOnStartup",,aws,,1,true,success,"test-open-bucket-1739304249",,unknown,"test-open-bucket-1739304249",CloudTrail,,,"{"""":_""."",_"""":_{"""":_"""",_"""":_"""",_"""":_"":::::/-"",_"""":_",false,,591511147606,"us-west-2",0B2N5RT4DGQW76AX,"test-open-bucket-1739304249.s3.us-west-2.amazonaws.com",,,,,,,,,"test-open-bucket-1739304249","s3:GetObject",Allow,"*","arn:aws:s3:::test-open-bucket-1739304249/*",AllowPublicRead,"2012-10-17",,,,,,,,,,,,,"",,,,,,,"arn:aws:s3:::test-open-bucket-1739304249",591511147606,"AWS::S3::Bucket",null,,,,,,,,,,PutBucketPolicy,"s3://cloudtrail-research-logs/AWSLogs/591511147606/CloudTrail/us-west-2/2025/02/11/591511147606_CloudTrail_us-west-2_20250211T2010Z_eEeOfZiLWYq75gdT.json.gz","107.206.142.157","aws:cloudtrail","ip-172-31-26-135",,"107.206.142.157","107.206.142.157",,,"jose-attackrange",,,,,"2025-02-11T20:04:22Z",,,,,,,,294,274,"TLS_AES_128_GCM_SHA256","test-open-bucket-1739
304249.s3.us-west-2.amazonaws.com","TLSv1.3","jose-attackrange","[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-policy]",AKIAYTOGP2RLH3UD4F4T,591511147606,"arn:aws:iam::591511147606:user/jose-attackrange",,AIDAYTOGP2RLGWOCTTLJZ,,,,,,,,,IAMUser,"jose-attackrange","jose-attackrange",AKIAYTOGP2RLH3UD4F4T,"[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-policy]","arn:aws:iam::591511147606:user/jose-attackrange",591511147606,,"jose-attackrange",,IAMUser,"Amazon Web Services",591511147606,"AWS CloudTrail","us-west-2" -"{""eventVersion"": ""1.11"", ""userIdentity"": {""type"": ""IAMUser"", ""principalId"": ""AIDAYTOGP2RLGWOCTTLJZ"", ""arn"": ""arn:aws:iam::591511147606:user/jose-attackrange"", ""accountId"": ""591511147606"", ""accessKeyId"": ""AKIAYTOGP2RLH3UD4F4T"", ""userName"": ""jose-attackrange""}, ""eventTime"": ""2025-02-11T20:03:12Z"", ""eventSource"": ""s3.amazonaws.com"", ""eventName"": ""DeleteBucket"", ""awsRegion"": ""us-west-2"", ""sourceIPAddress"": ""107.206.142.157"", ""userAgent"": ""[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.delete-bucket]"", ""requestParameters"": {""bucketName"": ""test-open-bucket-1739304161"", ""Host"": ""test-open-bucket-1739304161.s3.us-west-2.amazonaws.com""}, ""responseElements"": null, ""additionalEventData"": {""SignatureVersion"": ""SigV4"", ""CipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""bytesTransferredIn"": 0, ""AuthenticationMethod"": ""AuthHeader"", ""x-amz-id-2"": ""K0/xZqd4pQMXWZ8g151Px2lwo+tehey3L6EZiebMkRsoXkTEg+xpXfZuvNa+PDdRKOE0Nwc1+GM="", ""bytesTransferredOut"": 0}, ""requestID"": 
""M997YDH6WES456JQ"", ""eventID"": ""5ec4ca53-4261-46a8-8d23-6e70a56e75b7"", ""readOnly"": false, ""resources"": [{""accountId"": ""591511147606"", ""type"": ""AWS::S3::Bucket"", ""ARN"": ""arn:aws:s3:::test-open-bucket-1739304161""}], ""eventType"": ""AwsApiCall"", ""managementEvent"": true, ""recipientAccountId"": ""591511147606"", ""eventCategory"": ""Management"", ""tlsDetails"": {""tlsVersion"": ""TLSv1.3"", ""cipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""clientProvidedHostHeader"": ""test-open-bucket-1739304161.s3.us-west-2.amazonaws.com""}}","2025-02-11T20:03:12.000+00:00",deleted,AuthHeader,"TLS_AES_128_GCM_SHA256",,,SigV4,0,0,,,,,,"K0/xZqd4pQMXWZ8g151Px2lwo+tehey3L6EZiebMkRsoXkTEg+xpXfZuvNa+PDdRKOE0Nwc1+GM=",AwsApiCall,,"us-west-2",591511147606,storage,DeleteBucket,20,11,3,february,12,tuesday,2025,0,,,,,,"s3.amazonaws.com",success,,Management,"5ec4ca53-4261-46a8-8d23-6e70a56e75b7",DeleteBucket,"s3.amazonaws.com","2025-02-11T20:03:12Z",AwsApiCall,"1.11","aws_cloudtrail_delete_events aws_cloudtrail_endpoint_change","$decideOnStartup",,aws,,1,true,success,"test-open-bucket-1739304161",bucket,bucket,"test-open-bucket-1739304161",CloudTrail,,,"{"""":_""."",_"""":_{"""":_"""",_"""":_"""",_"""":_"":::::/-"",_"""":_",false,,591511147606,"us-west-2",M997YDH6WES456JQ,"test-open-bucket-1739304161.s3.us-west-2.amazonaws.com",,,,,,,,,"test-open-bucket-1739304161",,,,,,,,,,,,,,,,,,,,,,,,,,"arn:aws:s3:::test-open-bucket-1739304161",591511147606,"AWS::S3::Bucket",null,,,,,,,,,,DeleteBucket,"s3://cloudtrail-research-logs/AWSLogs/591511147606/CloudTrail/us-west-2/2025/02/11/591511147606_CloudTrail_us-west-2_20250211T2005Z_gypTA4uCf1a3inMT.json.gz","107.206.142.157","aws:cloudtrail","ip-172-31-26-135",,"107.206.142.157","107.206.142.157",,,"jose-attackrange",,,,,"2025-02-11T20:03:12Z",success,"change -cloud -endpoint",,,"change -cloud 
-endpoint",,,294,274,"TLS_AES_128_GCM_SHA256","test-open-bucket-1739304161.s3.us-west-2.amazonaws.com","TLSv1.3","jose-attackrange","[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.delete-bucket]",AKIAYTOGP2RLH3UD4F4T,591511147606,"arn:aws:iam::591511147606:user/jose-attackrange",,AIDAYTOGP2RLGWOCTTLJZ,,,,,,,,,IAMUser,"jose-attackrange","jose-attackrange",AKIAYTOGP2RLH3UD4F4T,"[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.delete-bucket]","arn:aws:iam::591511147606:user/jose-attackrange",591511147606,,"jose-attackrange",,IAMUser,"Amazon Web Services",591511147606,"AWS CloudTrail","us-west-2" -"{""eventVersion"": ""1.11"", ""userIdentity"": {""type"": ""IAMUser"", ""principalId"": ""AIDAYTOGP2RLGWOCTTLJZ"", ""arn"": ""arn:aws:iam::591511147606:user/jose-attackrange"", ""accountId"": ""591511147606"", ""accessKeyId"": ""AKIAYTOGP2RLH3UD4F4T"", ""userName"": ""jose-attackrange""}, ""eventTime"": ""2025-02-11T20:03:06Z"", ""eventSource"": ""s3.amazonaws.com"", ""eventName"": ""PutBucketWebsite"", ""awsRegion"": ""us-west-2"", ""sourceIPAddress"": ""107.206.142.157"", ""userAgent"": ""[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-website]"", ""requestParameters"": {""WebsiteConfiguration"": {""IndexDocument"": {""Suffix"": ""index.html""}, ""xmlns"": ""http://s3.amazonaws.com/doc/2006-03-01/"", ""ErrorDocument"": {""Key"": ""error.html""}}, ""bucketName"": ""test-open-bucket-1739304161"", ""website"": """", ""Host"": ""test-open-bucket-1739304161.s3.us-west-2.amazonaws.com""}, ""responseElements"": null, ""additionalEventData"": {""SignatureVersion"": 
""SigV4"", ""CipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""bytesTransferredIn"": 203, ""AuthenticationMethod"": ""AuthHeader"", ""x-amz-id-2"": ""0vVnNszg0YAiVQR5+iigwC3hUa3VEQQqBPnTxa2tCsRcI8Z4XobPsw2mI1BxXKEfbAmqUFUm3+4/taKIoUqdrA=="", ""bytesTransferredOut"": 0}, ""requestID"": ""HSRTD1C99GTQZNRH"", ""eventID"": ""c3919adf-db55-46f3-a76d-1a5b75d2f396"", ""readOnly"": false, ""resources"": [{""accountId"": ""591511147606"", ""type"": ""AWS::S3::Bucket"", ""ARN"": ""arn:aws:s3:::test-open-bucket-1739304161""}], ""eventType"": ""AwsApiCall"", ""managementEvent"": true, ""recipientAccountId"": ""591511147606"", ""eventCategory"": ""Management"", ""tlsDetails"": {""tlsVersion"": ""TLSv1.3"", ""cipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""clientProvidedHostHeader"": ""test-open-bucket-1739304161.s3.us-west-2.amazonaws.com""}}","2025-02-11T20:03:06.000+00:00",,AuthHeader,"TLS_AES_128_GCM_SHA256",,,SigV4,203,0,,,,,,"0vVnNszg0YAiVQR5+iigwC3hUa3VEQQqBPnTxa2tCsRcI8Z4XobPsw2mI1BxXKEfbAmqUFUm3+4/taKIoUqdrA==",AwsApiCall,,"us-west-2",591511147606,storage,PutBucketWebsite,20,11,3,february,6,tuesday,2025,0,,"test-open-bucket-1739304161.s3.us-west-2.amazonaws.com",,,,"s3.amazonaws.com",success,,Management,"c3919adf-db55-46f3-a76d-1a5b75d2f396",PutBucketWebsite,"s3.amazonaws.com","2025-02-11T20:03:06Z",AwsApiCall,"1.11",err0r,"$decideOnStartup",,aws,,1,true,success,"test-open-bucket-1739304161",,unknown,"test-open-bucket-1739304161",CloudTrail,,,"{"""":_""."",_"""":_{"""":_"""",_"""":_"""",_"""":_"":::::/-"",_"""":_",false,,591511147606,"us-west-2",HSRTD1C99GTQZNRH,"test-open-bucket-1739304161.s3.us-west-2.amazonaws.com","error.html","index.html","http://s3.amazonaws.com/doc/2006-03-01/",,,,,,"test-open-bucket-1739304161",,,,,,,,,,,,,,,,,,,,,,,,,"","arn:aws:s3:::test-open-bucket-1739304161",591511147606,"AWS::S3::Bucket",null,,,,,,,,,,PutBucketWebsite,"s3://cloudtrail-research-logs/AWSLogs/591511147606/CloudTrail/us-west-2/2025/02/11/591511147606_CloudTrail_us-west-2_20250211T2005Z
_gypTA4uCf1a3inMT.json.gz","107.206.142.157","aws:cloudtrail","ip-172-31-26-135",,"107.206.142.157","107.206.142.157",,,"jose-attackrange",,,,,"2025-02-11T20:03:06Z",,error,,,error,,,294,274,"TLS_AES_128_GCM_SHA256","test-open-bucket-1739304161.s3.us-west-2.amazonaws.com","TLSv1.3","jose-attackrange","[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-website]",AKIAYTOGP2RLH3UD4F4T,591511147606,"arn:aws:iam::591511147606:user/jose-attackrange",,AIDAYTOGP2RLGWOCTTLJZ,,,,,,,,,IAMUser,"jose-attackrange","jose-attackrange",AKIAYTOGP2RLH3UD4F4T,"[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-website]","arn:aws:iam::591511147606:user/jose-attackrange",591511147606,,"jose-attackrange",,IAMUser,"Amazon Web Services",591511147606,"AWS CloudTrail","us-west-2" -"{""eventVersion"": ""1.11"", ""userIdentity"": {""type"": ""IAMUser"", ""principalId"": ""AIDAYTOGP2RLGWOCTTLJZ"", ""arn"": ""arn:aws:iam::591511147606:user/jose-attackrange"", ""accountId"": ""591511147606"", ""accessKeyId"": ""AKIAYTOGP2RLH3UD4F4T"", ""userName"": ""jose-attackrange""}, ""eventTime"": ""2025-02-11T20:03:00Z"", ""eventSource"": ""s3.amazonaws.com"", ""eventName"": ""PutBucketPolicy"", ""awsRegion"": ""us-west-2"", ""sourceIPAddress"": ""107.206.142.157"", ""userAgent"": ""[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-policy]"", ""requestParameters"": {""bucketPolicy"": {""Version"": ""2012-10-17"", ""Statement"": [{""Sid"": ""AllowPublicRead"", ""Effect"": ""Allow"", ""Principal"": ""*"", ""Action"": ""s3:GetObject"", ""Resource"": 
""arn:aws:s3:::test-open-bucket-1739304161/*""}]}, ""bucketName"": ""test-open-bucket-1739304161"", ""Host"": ""test-open-bucket-1739304161.s3.us-west-2.amazonaws.com"", ""policy"": """"}, ""responseElements"": null, ""additionalEventData"": {""SignatureVersion"": ""SigV4"", ""CipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""bytesTransferredIn"": 284, ""AuthenticationMethod"": ""AuthHeader"", ""x-amz-id-2"": ""Patf1UDA0ZiuOQycL8FzGBTBT6WxbRFPGjOY/88nA2dFAdQ+7NBDz9rXr6W62dYekV8f1JdVDlw="", ""bytesTransferredOut"": 0}, ""requestID"": ""ZH126ESC1RX66EG4"", ""eventID"": ""9602ade8-5b79-47e1-902e-ee29a4d16192"", ""readOnly"": false, ""resources"": [{""accountId"": ""591511147606"", ""type"": ""AWS::S3::Bucket"", ""ARN"": ""arn:aws:s3:::test-open-bucket-1739304161""}], ""eventType"": ""AwsApiCall"", ""managementEvent"": true, ""recipientAccountId"": ""591511147606"", ""eventCategory"": ""Management"", ""tlsDetails"": {""tlsVersion"": ""TLSv1.3"", ""cipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""clientProvidedHostHeader"": 
""test-open-bucket-1739304161.s3.us-west-2.amazonaws.com""}}","2025-02-11T20:03:00.000+00:00",,AuthHeader,"TLS_AES_128_GCM_SHA256",,,SigV4,284,0,,,,,,"Patf1UDA0ZiuOQycL8FzGBTBT6WxbRFPGjOY/88nA2dFAdQ+7NBDz9rXr6W62dYekV8f1JdVDlw=",AwsApiCall,,"us-west-2",591511147606,storage,PutBucketPolicy,20,11,3,february,0,tuesday,2025,0,,"test-open-bucket-1739304161.s3.us-west-2.amazonaws.com",,,,"s3.amazonaws.com",success,,Management,"9602ade8-5b79-47e1-902e-ee29a4d16192",PutBucketPolicy,"s3.amazonaws.com","2025-02-11T20:03:00Z",AwsApiCall,"1.11",,"$decideOnStartup",,aws,,1,true,success,"test-open-bucket-1739304161",,unknown,"test-open-bucket-1739304161",CloudTrail,,,"{"""":_""."",_"""":_{"""":_"""",_"""":_"""",_"""":_"":::::/-"",_"""":_",false,,591511147606,"us-west-2",ZH126ESC1RX66EG4,"test-open-bucket-1739304161.s3.us-west-2.amazonaws.com",,,,,,,,,"test-open-bucket-1739304161","s3:GetObject",Allow,"*","arn:aws:s3:::test-open-bucket-1739304161/*",AllowPublicRead,"2012-10-17",,,,,,,,,,,,,"",,,,,,,"arn:aws:s3:::test-open-bucket-1739304161",591511147606,"AWS::S3::Bucket",null,,,,,,,,,,PutBucketPolicy,"s3://cloudtrail-research-logs/AWSLogs/591511147606/CloudTrail/us-west-2/2025/02/11/591511147606_CloudTrail_us-west-2_20250211T2005Z_gypTA4uCf1a3inMT.json.gz","107.206.142.157","aws:cloudtrail","ip-172-31-26-135",,"107.206.142.157","107.206.142.157",,,"jose-attackrange",,,,,"2025-02-11T20:03:00Z",,,,,,,,294,274,"TLS_AES_128_GCM_SHA256","test-open-bucket-1739304161.s3.us-west-2.amazonaws.com","TLSv1.3","jose-attackrange","[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-policy]",AKIAYTOGP2RLH3UD4F4T,591511147606,"arn:aws:iam::591511147606:user/jose-attackrange",,AIDAYTOGP2RLGWOCTTLJZ,,,,,,,,,IAMUser,"jose-attackrange","jose-attackrange",AKIAYTOGP2RLH3UD4F4T,"[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 
lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-policy]","arn:aws:iam::591511147606:user/jose-attackrange",591511147606,,"jose-attackrange",,IAMUser,"Amazon Web Services",591511147606,"AWS CloudTrail","us-west-2" -"{""eventVersion"": ""1.11"", ""userIdentity"": {""type"": ""IAMUser"", ""principalId"": ""AIDAYTOGP2RLGWOCTTLJZ"", ""arn"": ""arn:aws:iam::591511147606:user/jose-attackrange"", ""accountId"": ""591511147606"", ""accessKeyId"": ""AKIAYTOGP2RLH3UD4F4T"", ""userName"": ""jose-attackrange""}, ""eventTime"": ""2025-02-11T19:14:11Z"", ""eventSource"": ""s3.amazonaws.com"", ""eventName"": ""DeleteBucket"", ""awsRegion"": ""us-west-2"", ""sourceIPAddress"": ""107.206.142.157"", ""userAgent"": ""[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.delete-bucket]"", ""requestParameters"": {""bucketName"": ""test-open-bucket-1739301225"", ""Host"": ""test-open-bucket-1739301225.s3.us-west-2.amazonaws.com""}, ""responseElements"": null, ""additionalEventData"": {""SignatureVersion"": ""SigV4"", ""CipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""bytesTransferredIn"": 0, ""AuthenticationMethod"": ""AuthHeader"", ""x-amz-id-2"": ""AbjkSK4H9QHb9jAjbjsbQxNnjewaMfJa0zGKvyRlPHluCRHbFMIT1Fc8ZakhrsKHh2rqOs8cnZHwzFks4tCnLQ=="", ""bytesTransferredOut"": 0}, ""requestID"": ""0DGNAYT4D0ZNSE9D"", ""eventID"": ""7eaab402-5d05-49ff-a982-0f22ba85e11e"", ""readOnly"": false, ""resources"": [{""accountId"": ""591511147606"", ""type"": ""AWS::S3::Bucket"", ""ARN"": ""arn:aws:s3:::test-open-bucket-1739301225""}], ""eventType"": ""AwsApiCall"", ""managementEvent"": true, ""recipientAccountId"": ""591511147606"", ""eventCategory"": ""Management"", ""tlsDetails"": {""tlsVersion"": ""TLSv1.3"", ""cipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""clientProvidedHostHeader"": 
""test-open-bucket-1739301225.s3.us-west-2.amazonaws.com""}}","2025-02-11T19:14:11.000+00:00",deleted,AuthHeader,"TLS_AES_128_GCM_SHA256",,,SigV4,0,0,,,,,,"AbjkSK4H9QHb9jAjbjsbQxNnjewaMfJa0zGKvyRlPHluCRHbFMIT1Fc8ZakhrsKHh2rqOs8cnZHwzFks4tCnLQ==",AwsApiCall,,"us-west-2",591511147606,storage,DeleteBucket,19,11,14,february,11,tuesday,2025,0,,,,,,"s3.amazonaws.com",success,,Management,"7eaab402-5d05-49ff-a982-0f22ba85e11e",DeleteBucket,"s3.amazonaws.com","2025-02-11T19:14:11Z",AwsApiCall,"1.11","aws_cloudtrail_delete_events aws_cloudtrail_endpoint_change","$decideOnStartup",,aws,,1,true,success,"test-open-bucket-1739301225",bucket,bucket,"test-open-bucket-1739301225",CloudTrail,,,"{"""":_""."",_"""":_{"""":_"""",_"""":_"""",_"""":_"":::::/-"",_"""":_",false,,591511147606,"us-west-2",0DGNAYT4D0ZNSE9D,"test-open-bucket-1739301225.s3.us-west-2.amazonaws.com",,,,,,,,,"test-open-bucket-1739301225",,,,,,,,,,,,,,,,,,,,,,,,,,"arn:aws:s3:::test-open-bucket-1739301225",591511147606,"AWS::S3::Bucket",null,,,,,,,,,,DeleteBucket,"s3://cloudtrail-research-logs/AWSLogs/591511147606/CloudTrail/us-west-2/2025/02/11/591511147606_CloudTrail_us-west-2_20250211T1920Z_2u54J13dOzLeFH2F.json.gz","107.206.142.157","aws:cloudtrail","ip-172-31-26-135",,"107.206.142.157","107.206.142.157",,,"jose-attackrange",,,,,"2025-02-11T19:14:11Z",success,"change -cloud -endpoint",,,"change -cloud -endpoint",,,294,274,"TLS_AES_128_GCM_SHA256","test-open-bucket-1739301225.s3.us-west-2.amazonaws.com","TLSv1.3","jose-attackrange","[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.delete-bucket]",AKIAYTOGP2RLH3UD4F4T,591511147606,"arn:aws:iam::591511147606:user/jose-attackrange",,AIDAYTOGP2RLGWOCTTLJZ,,,,,,,,,IAMUser,"jose-attackrange","jose-attackrange",AKIAYTOGP2RLH3UD4F4T,"[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython 
cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.delete-bucket]","arn:aws:iam::591511147606:user/jose-attackrange",591511147606,,"jose-attackrange",,IAMUser,"Amazon Web Services",591511147606,"AWS CloudTrail","us-west-2" -"{""eventVersion"": ""1.11"", ""userIdentity"": {""type"": ""IAMUser"", ""principalId"": ""AIDAYTOGP2RLGWOCTTLJZ"", ""arn"": ""arn:aws:iam::591511147606:user/jose-attackrange"", ""accountId"": ""591511147606"", ""accessKeyId"": ""AKIAYTOGP2RLH3UD4F4T"", ""userName"": ""jose-attackrange""}, ""eventTime"": ""2025-02-11T19:14:11Z"", ""eventSource"": ""s3.amazonaws.com"", ""eventName"": ""DeleteBucket"", ""awsRegion"": ""us-west-2"", ""sourceIPAddress"": ""107.206.142.157"", ""userAgent"": ""[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.delete-bucket]"", ""requestParameters"": {""bucketName"": ""test-open-bucket-1739301225"", ""Host"": ""test-open-bucket-1739301225.s3.us-west-2.amazonaws.com""}, ""responseElements"": null, ""additionalEventData"": {""SignatureVersion"": ""SigV4"", ""CipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""bytesTransferredIn"": 0, ""AuthenticationMethod"": ""AuthHeader"", ""x-amz-id-2"": ""AbjkSK4H9QHb9jAjbjsbQxNnjewaMfJa0zGKvyRlPHluCRHbFMIT1Fc8ZakhrsKHh2rqOs8cnZHwzFks4tCnLQ=="", ""bytesTransferredOut"": 0}, ""requestID"": ""0DGNAYT4D0ZNSE9D"", ""eventID"": ""7eaab402-5d05-49ff-a982-0f22ba85e11e"", ""readOnly"": false, ""resources"": [{""accountId"": ""591511147606"", ""type"": ""AWS::S3::Bucket"", ""ARN"": ""arn:aws:s3:::test-open-bucket-1739301225""}], ""eventType"": ""AwsApiCall"", ""managementEvent"": true, ""recipientAccountId"": ""591511147606"", ""eventCategory"": ""Management"", ""tlsDetails"": {""tlsVersion"": ""TLSv1.3"", ""cipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""clientProvidedHostHeader"": 
""test-open-bucket-1739301225.s3.us-west-2.amazonaws.com""}}","2025-02-11T19:14:11.000+00:00",deleted,AuthHeader,"TLS_AES_128_GCM_SHA256",,,SigV4,0,0,,,,,,"AbjkSK4H9QHb9jAjbjsbQxNnjewaMfJa0zGKvyRlPHluCRHbFMIT1Fc8ZakhrsKHh2rqOs8cnZHwzFks4tCnLQ==",AwsApiCall,,"us-west-2",591511147606,storage,DeleteBucket,19,11,14,february,11,tuesday,2025,0,,,,,,"s3.amazonaws.com",success,,Management,"7eaab402-5d05-49ff-a982-0f22ba85e11e",DeleteBucket,"s3.amazonaws.com","2025-02-11T19:14:11Z",AwsApiCall,"1.11","aws_cloudtrail_delete_events aws_cloudtrail_endpoint_change","ip-172-31-26-135",,aws,,1,true,success,"test-open-bucket-1739301225",bucket,bucket,"test-open-bucket-1739301225",CloudTrail,,,"{"""":_""."",_"""":_{"""":_"""",_"""":_"""",_"""":_"":::::/-"",_"""":_",false,,591511147606,"us-west-2",0DGNAYT4D0ZNSE9D,"test-open-bucket-1739301225.s3.us-west-2.amazonaws.com",,,,,,,,,"test-open-bucket-1739301225",,,,,,,,,,,,,,,,,,,,,,,,,,"arn:aws:s3:::test-open-bucket-1739301225",591511147606,"AWS::S3::Bucket",null,,,,,,,,,,DeleteBucket,"s3://cloudtrail-research-logs/AWSLogs/591511147606/CloudTrail/us-west-2/2025/02/11/591511147606_CloudTrail_us-west-2_20250211T1920Z_2u54J13dOzLeFH2F.json.gz","107.206.142.157","aws:cloudtrail","ip-172-31-26-135",,"107.206.142.157","107.206.142.157",,,"jose-attackrange",,,,,"2025-02-11T19:14:11Z",success,"change -cloud -endpoint",,,"change -cloud -endpoint",,,294,274,"TLS_AES_128_GCM_SHA256","test-open-bucket-1739301225.s3.us-west-2.amazonaws.com","TLSv1.3","jose-attackrange","[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.delete-bucket]",AKIAYTOGP2RLH3UD4F4T,591511147606,"arn:aws:iam::591511147606:user/jose-attackrange",,AIDAYTOGP2RLGWOCTTLJZ,,,,,,,,,IAMUser,"jose-attackrange","jose-attackrange",AKIAYTOGP2RLH3UD4F4T,"[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython 
cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.delete-bucket]","arn:aws:iam::591511147606:user/jose-attackrange",591511147606,,"jose-attackrange",,IAMUser,"Amazon Web Services",591511147606,"AWS CloudTrail","us-west-2" -"{""eventVersion"": ""1.11"", ""userIdentity"": {""type"": ""IAMUser"", ""principalId"": ""AIDAYTOGP2RLGWOCTTLJZ"", ""arn"": ""arn:aws:iam::591511147606:user/jose-attackrange"", ""accountId"": ""591511147606"", ""accessKeyId"": ""AKIAYTOGP2RLH3UD4F4T"", ""userName"": ""jose-attackrange""}, ""eventTime"": ""2025-02-11T19:14:05Z"", ""eventSource"": ""s3.amazonaws.com"", ""eventName"": ""PutBucketPolicy"", ""awsRegion"": ""us-west-2"", ""sourceIPAddress"": ""107.206.142.157"", ""userAgent"": ""[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-policy]"", ""requestParameters"": {""bucketPolicy"": {""Version"": ""2012-10-17"", ""Statement"": [{""Sid"": ""AllowPublicRead"", ""Effect"": ""Allow"", ""Principal"": ""*"", ""Action"": ""s3:GetObject"", ""Resource"": ""arn:aws:s3:::test-open-bucket-1739301225/*""}]}, ""bucketName"": ""test-open-bucket-1739301225"", ""Host"": ""test-open-bucket-1739301225.s3.us-west-2.amazonaws.com"", ""policy"": """"}, ""responseElements"": null, ""additionalEventData"": {""SignatureVersion"": ""SigV4"", ""CipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""bytesTransferredIn"": 284, ""AuthenticationMethod"": ""AuthHeader"", ""x-amz-id-2"": ""8opKb/1C9I9aONRRFCsj56/bX38G3lyNjVyvWGbbCTvde4u/8qwFLhzFbQwnJjw3mRbiKSw2nbk="", ""bytesTransferredOut"": 0}, ""requestID"": ""BF34WM913J7QAQGH"", ""eventID"": ""7ca37d90-608c-4b7e-aa55-aebaa0234214"", ""readOnly"": false, ""resources"": [{""accountId"": ""591511147606"", ""type"": ""AWS::S3::Bucket"", ""ARN"": ""arn:aws:s3:::test-open-bucket-1739301225""}], ""eventType"": ""AwsApiCall"", ""managementEvent"": true, 
""recipientAccountId"": ""591511147606"", ""eventCategory"": ""Management"", ""tlsDetails"": {""tlsVersion"": ""TLSv1.3"", ""cipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""clientProvidedHostHeader"": ""test-open-bucket-1739301225.s3.us-west-2.amazonaws.com""}}","2025-02-11T19:14:05.000+00:00",,AuthHeader,"TLS_AES_128_GCM_SHA256",,,SigV4,284,0,,,,,,"8opKb/1C9I9aONRRFCsj56/bX38G3lyNjVyvWGbbCTvde4u/8qwFLhzFbQwnJjw3mRbiKSw2nbk=",AwsApiCall,,"us-west-2",591511147606,storage,PutBucketPolicy,19,11,14,february,5,tuesday,2025,0,,"test-open-bucket-1739301225.s3.us-west-2.amazonaws.com",,,,"s3.amazonaws.com",success,,Management,"7ca37d90-608c-4b7e-aa55-aebaa0234214",PutBucketPolicy,"s3.amazonaws.com","2025-02-11T19:14:05Z",AwsApiCall,"1.11",,"$decideOnStartup",,aws,,1,true,success,"test-open-bucket-1739301225",,unknown,"test-open-bucket-1739301225",CloudTrail,,,"{"""":_""."",_"""":_{"""":_"""",_"""":_"""",_"""":_"":::::/-"",_"""":_",false,,591511147606,"us-west-2",BF34WM913J7QAQGH,"test-open-bucket-1739301225.s3.us-west-2.amazonaws.com",,,,,,,,,"test-open-bucket-1739301225","s3:GetObject",Allow,"*","arn:aws:s3:::test-open-bucket-1739301225/*",AllowPublicRead,"2012-10-17",,,,,,,,,,,,,"",,,,,,,"arn:aws:s3:::test-open-bucket-1739301225",591511147606,"AWS::S3::Bucket",null,,,,,,,,,,PutBucketPolicy,"s3://cloudtrail-research-logs/AWSLogs/591511147606/CloudTrail/us-west-2/2025/02/11/591511147606_CloudTrail_us-west-2_20250211T1920Z_2u54J13dOzLeFH2F.json.gz","107.206.142.157","aws:cloudtrail","ip-172-31-26-135",,"107.206.142.157","107.206.142.157",,,"jose-attackrange",,,,,"2025-02-11T19:14:05Z",,,,,,,,294,274,"TLS_AES_128_GCM_SHA256","test-open-bucket-1739301225.s3.us-west-2.amazonaws.com","TLSv1.3","jose-attackrange","[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off 
md/command#s3api.put-bucket-policy]",AKIAYTOGP2RLH3UD4F4T,591511147606,"arn:aws:iam::591511147606:user/jose-attackrange",,AIDAYTOGP2RLGWOCTTLJZ,,,,,,,,,IAMUser,"jose-attackrange","jose-attackrange",AKIAYTOGP2RLH3UD4F4T,"[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-policy]","arn:aws:iam::591511147606:user/jose-attackrange",591511147606,,"jose-attackrange",,IAMUser,"Amazon Web Services",591511147606,"AWS CloudTrail","us-west-2" -"{""eventVersion"": ""1.11"", ""userIdentity"": {""type"": ""IAMUser"", ""principalId"": ""AIDAYTOGP2RLGWOCTTLJZ"", ""arn"": ""arn:aws:iam::591511147606:user/jose-attackrange"", ""accountId"": ""591511147606"", ""accessKeyId"": ""AKIAYTOGP2RLH3UD4F4T"", ""userName"": ""jose-attackrange""}, ""eventTime"": ""2025-02-11T19:14:05Z"", ""eventSource"": ""s3.amazonaws.com"", ""eventName"": ""PutBucketPolicy"", ""awsRegion"": ""us-west-2"", ""sourceIPAddress"": ""107.206.142.157"", ""userAgent"": ""[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-policy]"", ""requestParameters"": {""bucketPolicy"": {""Version"": ""2012-10-17"", ""Statement"": [{""Sid"": ""AllowPublicRead"", ""Effect"": ""Allow"", ""Principal"": ""*"", ""Action"": ""s3:GetObject"", ""Resource"": ""arn:aws:s3:::test-open-bucket-1739301225/*""}]}, ""bucketName"": ""test-open-bucket-1739301225"", ""Host"": ""test-open-bucket-1739301225.s3.us-west-2.amazonaws.com"", ""policy"": """"}, ""responseElements"": null, ""additionalEventData"": {""SignatureVersion"": ""SigV4"", ""CipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""bytesTransferredIn"": 284, ""AuthenticationMethod"": ""AuthHeader"", ""x-amz-id-2"": ""8opKb/1C9I9aONRRFCsj56/bX38G3lyNjVyvWGbbCTvde4u/8qwFLhzFbQwnJjw3mRbiKSw2nbk="", 
""bytesTransferredOut"": 0}, ""requestID"": ""BF34WM913J7QAQGH"", ""eventID"": ""7ca37d90-608c-4b7e-aa55-aebaa0234214"", ""readOnly"": false, ""resources"": [{""accountId"": ""591511147606"", ""type"": ""AWS::S3::Bucket"", ""ARN"": ""arn:aws:s3:::test-open-bucket-1739301225""}], ""eventType"": ""AwsApiCall"", ""managementEvent"": true, ""recipientAccountId"": ""591511147606"", ""eventCategory"": ""Management"", ""tlsDetails"": {""tlsVersion"": ""TLSv1.3"", ""cipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""clientProvidedHostHeader"": ""test-open-bucket-1739301225.s3.us-west-2.amazonaws.com""}}","2025-02-11T19:14:05.000+00:00",,AuthHeader,"TLS_AES_128_GCM_SHA256",,,SigV4,284,0,,,,,,"8opKb/1C9I9aONRRFCsj56/bX38G3lyNjVyvWGbbCTvde4u/8qwFLhzFbQwnJjw3mRbiKSw2nbk=",AwsApiCall,,"us-west-2",591511147606,storage,PutBucketPolicy,19,11,14,february,5,tuesday,2025,0,,"test-open-bucket-1739301225.s3.us-west-2.amazonaws.com",,,,"s3.amazonaws.com",success,,Management,"7ca37d90-608c-4b7e-aa55-aebaa0234214",PutBucketPolicy,"s3.amazonaws.com","2025-02-11T19:14:05Z",AwsApiCall,"1.11",,"ip-172-31-26-135",,aws,,1,true,success,"test-open-bucket-1739301225",,unknown,"test-open-bucket-1739301225",CloudTrail,,,"{"""":_""."",_"""":_{"""":_"""",_"""":_"""",_"""":_"":::::/-"",_"""":_",false,,591511147606,"us-west-2",BF34WM913J7QAQGH,"test-open-bucket-1739301225.s3.us-west-2.amazonaws.com",,,,,,,,,"test-open-bucket-1739301225","s3:GetObject",Allow,"*","arn:aws:s3:::test-open-bucket-1739301225/*",AllowPublicRead,"2012-10-17",,,,,,,,,,,,,"",,,,,,,"arn:aws:s3:::test-open-bucket-1739301225",591511147606,"AWS::S3::Bucket",null,,,,,,,,,,PutBucketPolicy,"s3://cloudtrail-research-logs/AWSLogs/591511147606/CloudTrail/us-west-2/2025/02/11/591511147606_CloudTrail_us-west-2_20250211T1920Z_2u54J13dOzLeFH2F.json.gz","107.206.142.157","aws:cloudtrail","ip-172-31-26-135",,"107.206.142.157","107.206.142.157",,,"jose-attackrange",,,,,"2025-02-11T19:14:05Z",,,,,,,,294,274,"TLS_AES_128_GCM_SHA256","test-open-bucket-1739
301225.s3.us-west-2.amazonaws.com","TLSv1.3","jose-attackrange","[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-policy]",AKIAYTOGP2RLH3UD4F4T,591511147606,"arn:aws:iam::591511147606:user/jose-attackrange",,AIDAYTOGP2RLGWOCTTLJZ,,,,,,,,,IAMUser,"jose-attackrange","jose-attackrange",AKIAYTOGP2RLH3UD4F4T,"[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-policy]","arn:aws:iam::591511147606:user/jose-attackrange",591511147606,,"jose-attackrange",,IAMUser,"Amazon Web Services",591511147606,"AWS CloudTrail","us-west-2" -"{""eventVersion"": ""1.11"", ""userIdentity"": {""type"": ""IAMUser"", ""principalId"": ""AIDAYTOGP2RLGWOCTTLJZ"", ""arn"": ""arn:aws:iam::591511147606:user/jose-attackrange"", ""accountId"": ""591511147606"", ""accessKeyId"": ""AKIAYTOGP2RLH3UD4F4T"", ""userName"": ""jose-attackrange""}, ""eventTime"": ""2025-02-11T19:12:42Z"", ""eventSource"": ""s3.amazonaws.com"", ""eventName"": ""PutBucketPolicy"", ""awsRegion"": ""us-west-2"", ""sourceIPAddress"": ""107.206.142.157"", ""userAgent"": ""[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-policy]"", ""errorCode"": ""AccessDenied"", ""errorMessage"": ""User: arn:aws:iam::591511147606:user/jose-attackrange is not authorized to perform: s3:PutBucketPolicy on resource: \""arn:aws:s3:::test-open-bucket-1739301151\"" because public policies are blocked by the BlockPublicPolicy block public access setting."", ""requestParameters"": {""bucketPolicy"": {""Version"": ""2012-10-17"", ""Statement"": [{""Sid"": ""AllowPublicRead"", ""Effect"": ""Allow"", ""Principal"": ""*"", ""Action"": 
""s3:GetObject"", ""Resource"": ""arn:aws:s3:::test-open-bucket-1739301151/*""}]}, ""bucketName"": ""test-open-bucket-1739301151"", ""Host"": ""test-open-bucket-1739301151.s3.us-west-2.amazonaws.com"", ""policy"": """"}, ""responseElements"": null, ""additionalEventData"": {""SignatureVersion"": ""SigV4"", ""CipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""bytesTransferredIn"": 284, ""AuthenticationMethod"": ""AuthHeader"", ""x-amz-id-2"": ""vHrxjAOMLHFck1r3LqW4iDJ2ce5r7zjP9cqEyvEnfRFjiMf2HJrqVRLVeH7LyWcz0D3eG57xGfoLa0ZyoNROKA=="", ""bytesTransferredOut"": 490}, ""requestID"": ""G7RZAQT65DG2C50D"", ""eventID"": ""0539e786-7b22-4311-816c-526590f6dcbd"", ""readOnly"": false, ""resources"": [{""accountId"": ""591511147606"", ""type"": ""AWS::S3::Bucket"", ""ARN"": ""arn:aws:s3:::test-open-bucket-1739301151""}], ""eventType"": ""AwsApiCall"", ""managementEvent"": true, ""recipientAccountId"": ""591511147606"", ""eventCategory"": ""Management"", ""tlsDetails"": {""tlsVersion"": ""TLSv1.3"", ""cipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""clientProvidedHostHeader"": ""test-open-bucket-1739301151.s3.us-west-2.amazonaws.com""}}","2025-02-11T19:12:42.000+00:00",,AuthHeader,"TLS_AES_128_GCM_SHA256",,,SigV4,284,490,,,,,,"vHrxjAOMLHFck1r3LqW4iDJ2ce5r7zjP9cqEyvEnfRFjiMf2HJrqVRLVeH7LyWcz0D3eG57xGfoLa0ZyoNROKA==",AwsApiCall,,"us-west-2",591511147606,storage,PutBucketPolicy,19,11,12,february,42,tuesday,2025,0,,"test-open-bucket-1739301151.s3.us-west-2.amazonaws.com",,,,"s3.amazonaws.com",AccessDenied,"User: arn:aws:iam::591511147606:user/jose-attackrange is not authorized to perform: s3:PutBucketPolicy on resource: ""arn:aws:s3:::test-open-bucket-1739301151"" because public policies are blocked by the BlockPublicPolicy block public access 
setting.",Management,"0539e786-7b22-4311-816c-526590f6dcbd",PutBucketPolicy,"s3.amazonaws.com","2025-02-11T19:12:42Z",AwsApiCall,"1.11","aws_cloudtrail_errors","$decideOnStartup",,aws,,1,true,AccessDenied,"test-open-bucket-1739301151",,unknown,"test-open-bucket-1739301151",CloudTrail,,,"{"""":_""."",_"""":_{"""":_"""",_"""":_"""",_"""":_"":::::/-"",_"""":_",false,"User: arn:aws:iam::591511147606:user/jose-attackrange is not authorized to perform: s3:PutBucketPolicy on resource: ""arn:aws:s3:::test-open-bucket-1739301151"" because public policies are blocked by the BlockPublicPolicy block public access setting.",591511147606,"us-west-2",G7RZAQT65DG2C50D,"test-open-bucket-1739301151.s3.us-west-2.amazonaws.com",,,,,,,,,"test-open-bucket-1739301151","s3:GetObject",Allow,"*","arn:aws:s3:::test-open-bucket-1739301151/*",AllowPublicRead,"2012-10-17",,,,,,,,,,,,,"",,,,,,,"arn:aws:s3:::test-open-bucket-1739301151",591511147606,"AWS::S3::Bucket",null,,,,,,"User: arn:aws:iam::591511147606:user/jose-attackrange is not authorized to perform: s3:PutBucketPolicy on resource: ""arn:aws:s3:::test-open-bucket-1739301151"" because public policies are blocked by the BlockPublicPolicy block public access setting.",AccessDenied,,,PutBucketPolicy,"s3://cloudtrail-research-logs/AWSLogs/591511147606/CloudTrail/us-west-2/2025/02/11/591511147606_CloudTrail_us-west-2_20250211T1920Z_2u54J13dOzLeFH2F.json.gz","107.206.142.157","aws:cloudtrail","ip-172-31-26-135",,"107.206.142.157","107.206.142.157",,,"jose-attackrange",,,,,"2025-02-11T19:12:42Z",,"cloud -error",,,"cloud -error",,,294,274,"TLS_AES_128_GCM_SHA256","test-open-bucket-1739301151.s3.us-west-2.amazonaws.com","TLSv1.3","jose-attackrange","[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off 
md/command#s3api.put-bucket-policy]",AKIAYTOGP2RLH3UD4F4T,591511147606,"arn:aws:iam::591511147606:user/jose-attackrange",,AIDAYTOGP2RLGWOCTTLJZ,,,,,,,,,IAMUser,"jose-attackrange","jose-attackrange",AKIAYTOGP2RLH3UD4F4T,"[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-policy]","arn:aws:iam::591511147606:user/jose-attackrange",591511147606,,"jose-attackrange",,IAMUser,"Amazon Web Services",591511147606,"AWS CloudTrail","us-west-2" -"{""eventVersion"": ""1.11"", ""userIdentity"": {""type"": ""IAMUser"", ""principalId"": ""AIDAYTOGP2RLGWOCTTLJZ"", ""arn"": ""arn:aws:iam::591511147606:user/jose-attackrange"", ""accountId"": ""591511147606"", ""accessKeyId"": ""AKIAYTOGP2RLH3UD4F4T"", ""userName"": ""jose-attackrange""}, ""eventTime"": ""2025-02-11T19:12:42Z"", ""eventSource"": ""s3.amazonaws.com"", ""eventName"": ""PutBucketPolicy"", ""awsRegion"": ""us-west-2"", ""sourceIPAddress"": ""107.206.142.157"", ""userAgent"": ""[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-policy]"", ""errorCode"": ""AccessDenied"", ""errorMessage"": ""User: arn:aws:iam::591511147606:user/jose-attackrange is not authorized to perform: s3:PutBucketPolicy on resource: \""arn:aws:s3:::test-open-bucket-1739301151\"" because public policies are blocked by the BlockPublicPolicy block public access setting."", ""requestParameters"": {""bucketPolicy"": {""Version"": ""2012-10-17"", ""Statement"": [{""Sid"": ""AllowPublicRead"", ""Effect"": ""Allow"", ""Principal"": ""*"", ""Action"": ""s3:GetObject"", ""Resource"": ""arn:aws:s3:::test-open-bucket-1739301151/*""}]}, ""bucketName"": ""test-open-bucket-1739301151"", ""Host"": ""test-open-bucket-1739301151.s3.us-west-2.amazonaws.com"", ""policy"": """"}, 
""responseElements"": null, ""additionalEventData"": {""SignatureVersion"": ""SigV4"", ""CipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""bytesTransferredIn"": 284, ""AuthenticationMethod"": ""AuthHeader"", ""x-amz-id-2"": ""vHrxjAOMLHFck1r3LqW4iDJ2ce5r7zjP9cqEyvEnfRFjiMf2HJrqVRLVeH7LyWcz0D3eG57xGfoLa0ZyoNROKA=="", ""bytesTransferredOut"": 490}, ""requestID"": ""G7RZAQT65DG2C50D"", ""eventID"": ""0539e786-7b22-4311-816c-526590f6dcbd"", ""readOnly"": false, ""resources"": [{""accountId"": ""591511147606"", ""type"": ""AWS::S3::Bucket"", ""ARN"": ""arn:aws:s3:::test-open-bucket-1739301151""}], ""eventType"": ""AwsApiCall"", ""managementEvent"": true, ""recipientAccountId"": ""591511147606"", ""eventCategory"": ""Management"", ""tlsDetails"": {""tlsVersion"": ""TLSv1.3"", ""cipherSuite"": ""TLS_AES_128_GCM_SHA256"", ""clientProvidedHostHeader"": ""test-open-bucket-1739301151.s3.us-west-2.amazonaws.com""}}","2025-02-11T19:12:42.000+00:00",,AuthHeader,"TLS_AES_128_GCM_SHA256",,,SigV4,284,490,,,,,,"vHrxjAOMLHFck1r3LqW4iDJ2ce5r7zjP9cqEyvEnfRFjiMf2HJrqVRLVeH7LyWcz0D3eG57xGfoLa0ZyoNROKA==",AwsApiCall,,"us-west-2",591511147606,storage,PutBucketPolicy,19,11,12,february,42,tuesday,2025,0,,"test-open-bucket-1739301151.s3.us-west-2.amazonaws.com",,,,"s3.amazonaws.com",AccessDenied,"User: arn:aws:iam::591511147606:user/jose-attackrange is not authorized to perform: s3:PutBucketPolicy on resource: ""arn:aws:s3:::test-open-bucket-1739301151"" because public policies are blocked by the BlockPublicPolicy block public access setting.",Management,"0539e786-7b22-4311-816c-526590f6dcbd",PutBucketPolicy,"s3.amazonaws.com","2025-02-11T19:12:42Z",AwsApiCall,"1.11","aws_cloudtrail_errors","ip-172-31-26-135",,aws,,1,true,AccessDenied,"test-open-bucket-1739301151",,unknown,"test-open-bucket-1739301151",CloudTrail,,,"{"""":_""."",_"""":_{"""":_"""",_"""":_"""",_"""":_"":::::/-"",_"""":_",false,"User: arn:aws:iam::591511147606:user/jose-attackrange is not authorized to perform: s3:PutBucketPolicy on 
resource: ""arn:aws:s3:::test-open-bucket-1739301151"" because public policies are blocked by the BlockPublicPolicy block public access setting.",591511147606,"us-west-2",G7RZAQT65DG2C50D,"test-open-bucket-1739301151.s3.us-west-2.amazonaws.com",,,,,,,,,"test-open-bucket-1739301151","s3:GetObject",Allow,"*","arn:aws:s3:::test-open-bucket-1739301151/*",AllowPublicRead,"2012-10-17",,,,,,,,,,,,,"",,,,,,,"arn:aws:s3:::test-open-bucket-1739301151",591511147606,"AWS::S3::Bucket",null,,,,,,"User: arn:aws:iam::591511147606:user/jose-attackrange is not authorized to perform: s3:PutBucketPolicy on resource: ""arn:aws:s3:::test-open-bucket-1739301151"" because public policies are blocked by the BlockPublicPolicy block public access setting.",AccessDenied,,,PutBucketPolicy,"s3://cloudtrail-research-logs/AWSLogs/591511147606/CloudTrail/us-west-2/2025/02/11/591511147606_CloudTrail_us-west-2_20250211T1920Z_2u54J13dOzLeFH2F.json.gz","107.206.142.157","aws:cloudtrail","ip-172-31-26-135",,"107.206.142.157","107.206.142.157",,,"jose-attackrange",,,,,"2025-02-11T19:12:42Z",,"cloud -error",,,"cloud -error",,,294,274,"TLS_AES_128_GCM_SHA256","test-open-bucket-1739301151.s3.us-west-2.amazonaws.com","TLSv1.3","jose-attackrange","[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-policy]",AKIAYTOGP2RLH3UD4F4T,591511147606,"arn:aws:iam::591511147606:user/jose-attackrange",,AIDAYTOGP2RLGWOCTTLJZ,,,,,,,,,IAMUser,"jose-attackrange","jose-attackrange",AKIAYTOGP2RLH3UD4F4T,"[aws-cli/2.23.13 md/awscrt#0.23.8 ua/2.0 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#s3api.put-bucket-policy]","arn:aws:iam::591511147606:user/jose-attackrange",591511147606,,"jose-attackrange",,IAMUser,"Amazon Web Services",591511147606,"AWS CloudTrail","us-west-2" 
From 8ce9203a44030bfca93508724b718de6bda3b0b6 Mon Sep 17 00:00:00 2001
From: research-bot
Date: Thu, 13 Feb 2025 17:29:18 -0800
Subject: [PATCH 3/6] updating attack data and links
---
.../attack_techniques/T1485/decommissioned_buckets/dns.log | 3 +++
.../attack_techniques/T1485/decommissioned_buckets/web.log | 0
.../T1485/decommissioned_buckets/web_cloudfront_access.log | 3 +++
3 files changed, 6 insertions(+)
delete mode 100644 datasets/attack_techniques/T1485/decommissioned_buckets/web.log
create mode 100644 datasets/attack_techniques/T1485/decommissioned_buckets/web_cloudfront_access.log
diff --git a/datasets/attack_techniques/T1485/decommissioned_buckets/dns.log b/datasets/attack_techniques/T1485/decommissioned_buckets/dns.log
index e69de29b..f795d9fd 100644
--- a/datasets/attack_techniques/T1485/decommissioned_buckets/dns.log
+++ b/datasets/attack_techniques/T1485/decommissioned_buckets/dns.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f34fa6bcce97ede8a1a65b3f134799b5b850bc1790353e5b19898868b0d29e51
+size 1215
diff --git a/datasets/attack_techniques/T1485/decommissioned_buckets/web.log b/datasets/attack_techniques/T1485/decommissioned_buckets/web.log
deleted file mode 100644
index e69de29b..00000000
diff --git a/datasets/attack_techniques/T1485/decommissioned_buckets/web_cloudfront_access.log b/datasets/attack_techniques/T1485/decommissioned_buckets/web_cloudfront_access.log
new file mode 100644
index 00000000..accc8c76
--- /dev/null
+++ b/datasets/attack_techniques/T1485/decommissioned_buckets/web_cloudfront_access.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bc6c4d434eeadbd6f7d5524278f9b55ebf7e1e8904b260abd4d2a6a803c9850a
+size 517
From a5eb1e44540fc91ecd6ab136892dbceb76103ff1 Mon Sep 17 00:00:00 2001
From: research-bot
Date: Thu, 13 Feb 2025 17:32:56 -0800
Subject: [PATCH 4/6] updating yaml
---
.../T1485/decommissioned_buckets/decommissioned_buckets.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/datasets/attack_techniques/T1485/decommissioned_buckets/decommissioned_buckets.yml b/datasets/attack_techniques/T1485/decommissioned_buckets/decommissioned_buckets.yml
index 0a6f2064..60af07bf 100644
--- a/datasets/attack_techniques/T1485/decommissioned_buckets/decommissioned_buckets.yml
+++ b/datasets/attack_techniques/T1485/decommissioned_buckets/decommissioned_buckets.yml
@@ -6,11 +6,11 @@ environment: attack_range
 dataset:
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/T1485/decommissioned_buckets/cloudtrail.json
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/T1485/decommissioned_buckets/dns.log
-- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/T1485/decommissioned_buckets/web.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/T1485/decommissioned_buckets/web_cloudfront_access.log
 sourcetypes:
 - aws:cloudtrail
-- dns
-- web
+- aws:cloudfront:accesslogs
+- XmlWinEventLog
 references:
 - https://attack.mitre.org/techniques/T1485/
 - https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
From fad35fc1fb5c60a78f6868c4e0d308388c66edd8 Mon Sep 17 00:00:00 2001
From: research-bot
Date: Fri, 14 Feb 2025 12:42:15 -0800
Subject: [PATCH 5/6] yaml updates
---
.../T1485/decommissioned_buckets/decommissioned_buckets.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/datasets/attack_techniques/T1485/decommissioned_buckets/decommissioned_buckets.yml b/datasets/attack_techniques/T1485/decommissioned_buckets/decommissioned_buckets.yml
index 60af07bf..96bb423b 100644
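Review bot: The `sourcetypes` list no longer lines up with the `dataset` list in this hunk: `dns.log` is still referenced, but `- dns` is removed, and `- XmlWinEventLog` is added although none of the three listed files is visibly a Windows event log. If `dns.log` does hold Windows XML DNS query events, say so next to the entry, e.g. `- XmlWinEventLog  # dns.log, DNS query events`; otherwise keep `- dns`. A replay that ingests a file under the wrong sourcetype will not get the field extractions the detections depend on, so a detection test can fail or pass for the wrong reason.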
--- a/datasets/attack_techniques/T1485/decommissioned_buckets/decommissioned_buckets.yml
+++ b/datasets/attack_techniques/T1485/decommissioned_buckets/decommissioned_buckets.yml
@@ -1,4 +1,4 @@
-author: Jose Hernandez
+author: Jose Hernandez, Bhavin Patel
 id: 984e9022-b87b-499a-a260-8d0282c46ea2
 date: '2025-02-14'
 description: Dataset generated from AWS CloudTrail logs capturing the lifecycle of an intentionally exposed S3 bucket, including its creation, public access configuration (via bucket policy and website hosting), and subsequent deletion. This simulates the detection of potentially risky S3 bucket configurations and their decommissioning process.
From 16b846854db1e1693c38041b19f5893d63881e6d Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Tue, 18 Feb 2025 08:10:23 -0800
Subject: [PATCH 6/6] Update decommissioned_buckets.yml
---
.../T1485/decommissioned_buckets/decommissioned_buckets.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/datasets/attack_techniques/T1485/decommissioned_buckets/decommissioned_buckets.yml b/datasets/attack_techniques/T1485/decommissioned_buckets/decommissioned_buckets.yml
index 96bb423b..0ffd13cc 100644
--- a/datasets/attack_techniques/T1485/decommissioned_buckets/decommissioned_buckets.yml
+++ b/datasets/attack_techniques/T1485/decommissioned_buckets/decommissioned_buckets.yml
@@ -4,9 +4,9 @@ date: '2025-02-14'
 description: Dataset generated from AWS CloudTrail logs capturing the lifecycle of an intentionally exposed S3 bucket, including its creation, public access configuration (via bucket policy and website hosting), and subsequent deletion. This simulates the detection of potentially risky S3 bucket configurations and their decommissioning process.
 environment: attack_range
 dataset:
-- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/T1485/decommissioned_buckets/cloudtrail.json
-- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/T1485/decommissioned_buckets/dns.log
-- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/T1485/decommissioned_buckets/web_cloudfront_access.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/decommissioned_buckets/cloudtrail.json
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/decommissioned_buckets/dns.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/decommissioned_buckets/web_cloudfront_access.log
 sourcetypes:
 - aws:cloudtrail
 - aws:cloudfront:accesslogs
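Review bot: The `description` line kept as context in this hunk still says the dataset is generated from AWS CloudTrail logs only, while the `dataset` list directly below it also points at `dns.log` and `web_cloudfront_access.log`. Since the entries are being corrected here anyway, the description could name all three sources, for example starting `description: Dataset of AWS CloudTrail, DNS and CloudFront access logs capturing the lifecycle of an intentionally exposed S3 bucket, ...`. The corrected links also follow the mutable `master` branch, so a consumer that needs reproducible detection tests has nothing to pin against; a commit-pinned URL would cover that, if the repository's tooling allows it.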