Google Cloud Storage Bucket contents downloaded without authentication

gcp

Classification:

attack

Tactic:

TA0009-collection

Technique:

T1530-data-from-cloud-storage

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect unauthenticated access to an object in a GCS bucket (bucket_name).

Strategy

Monitor GCS bucket (bucket_name) for get requests(@evt.name:storage.objects.get) made by unauthenticated users (@usr.id).

Triage and response

Investigate the logs and determine whether or not the accessed bucket: {{bucket_name}} should be accessible to unauthenticated users.

Changelog

  • 27 October 2022 - updated tags.