Detection rules › Splunk
Detect DNS Query to Decommissioned S3 Bucket
This detection identifies DNS queries to domains that match previously decommissioned S3 buckets. This activity is significant because attackers may attempt to recreate deleted S3 buckets that were previously public to hijack them for malicious purposes. If successful, this could allow attackers to host malicious content or exfiltrate data through compromised bucket names that may still be referenced by legitimate applications.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Impact | T1485 Data Destruction |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 22 | DNSEvent (DNS query) |
Stages and Predicates
Stage 1: tstats
tstats WHERE DNS.message_type="QUERY" BY DNS.answer, DNS.answer_count, DNS.query, DNS.query_count, DNS.reply_code_id, DNS.src, DNS.vendor_product
Stage 2: search
search
Stage 3: search
search
Stage 4: search
search
Stage 5: eval
eval ... using (query)
Stage 6: lookup
lookup <lookup> bucketName, bucket_domain, match
Stage 7: where
where isnotnull(match)
Stage 8: search
search `macro`
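As an added example (not the rule's own SPL or any code from the catalog), the following Python emulates the pipeline above over constructed DNS query events: filter to QUERY messages, derive a bucket domain from the queried name, look it up against a list of decommissioned buckets, and keep only rows with a match. The extraction regex and the shape of the lookup table are assumptions standing in for the elided eval and <lookup>.

```python
import re

# Constructed lookup table standing in for the rule's <lookup>: previously public
# S3 buckets that have since been deleted. Field names follow the page (bucketName,
# bucket_domain); the bucket_domain values are an assumption about the lookup's shape.
DECOMMISSIONED_BUCKETS = [
    {"bucketName": "acme-assets-prod", "bucket_domain": "acme-assets-prod.s3.amazonaws.com"},
    {"bucketName": "legacy-installer-cdn", "bucket_domain": "legacy-installer-cdn.s3.amazonaws.com"},
]

# Virtual-hosted-style S3 hostnames; this regex is an assumption standing in for the
# rule's elided eval. Regional and website endpoints (bucket.s3.<region>.amazonaws.com,
# bucket.s3-website-<region>.amazonaws.com) are normalised to the global form.
S3_HOST = re.compile(r"^(?P<bucket>[a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com\.?$")

def bucket_domain(query: str):
    """Return the normalised bucket domain for an S3-style DNS query name, else None."""
    m = S3_HOST.match(query.strip().lower())
    if not m:
        return None
    return f"{m.group('bucket')}.s3.amazonaws.com"

def detect(events, lookup=DECOMMISSIONED_BUCKETS):
    """Emulate the rule: keep QUERY events whose derived bucket_domain is in the lookup."""
    index = {row["bucket_domain"]: row["bucketName"] for row in lookup}
    hits = []
    for ev in events:
        if ev.get("message_type") != "QUERY":          # Stage 1: DNS.message_type="QUERY"
            continue
        domain = bucket_domain(ev["query"])             # Stage 5: derive the lookup key
        match = index.get(domain) if domain else None   # Stage 6: lookup on bucket_domain
        if match is not None:                           # Stage 7: where isnotnull(match)
            hits.append({"src": ev["src"], "query": ev["query"], "bucketName": match})
    return hits

# Constructed sample events using the DNS data model field names referenced by the rule.
SAMPLE_EVENTS = [
    {"message_type": "QUERY", "src": "10.0.1.15", "query": "acme-assets-prod.s3.amazonaws.com"},
    {"message_type": "QUERY", "src": "10.0.1.22", "query": "legacy-installer-cdn.s3.eu-west-1.amazonaws.com"},
    {"message_type": "QUERY", "src": "10.0.1.22", "query": "current-bucket.s3.amazonaws.com"},
    {"message_type": "RESPONSE", "src": "10.0.1.15", "query": "acme-assets-prod.s3.amazonaws.com"},
    {"message_type": "QUERY", "src": "10.0.1.30", "query": "www.example.com"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```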
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| DNS.message_type | eq | QUERY |