Goody goodycy3
🏠
goodycy3
/ Attempts to perform recon actions on accounts.csv
Created
February 6, 2024 17:44
We can make this file beautiful and searchable if this error is corrected: Unclosed quoted field in line 6.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "eventtime","user_arn","eventname","awsregion","sourceipaddress","errorcode","request_count","useragent" | |
| "2019-06-25T04:00:21Z","arn:aws:iam::811596193553:user/Level6","DescribeInstances","us-west-1","45.250.7.228",,"28","Boto3/1.9.86 Python/3.7.3 Linux/5.1.0-parrot1-3t-amd64 Botocore/1.12.170" | |
| "2019-06-25T03:38:59Z","arn:aws:iam::811596193553:user/Level6","DescribeInstances","us-west-1","45.250.7.228",,"26","Boto3/1.9.86 Python/3.7.3 Linux/5.1.0-parrot1-3t-amd64 Botocore/1.12.170" | |
| "2019-06-25T03:58:25Z","arn:aws:iam::811596193553:user/Level6","DescribeInstances","us-west-1","45.250.7.228",,"24","Boto3/1.9.86 Python/3.7.3 Linux/5.1.0-parrot1-3t-amd64 Botocore/1.12.170" | |
| "2019-06-25T03:58:11Z","arn:aws:iam::811596193553:user/Level6","DescribeInstances","us-west-1","45.250.7.228",,"22","Boto3/1.9.86 Python/3.7.3 Linux/5.1.0-parrot1-3t-amd64 Botocore/1.12.170" | |
| "2019-06-25T04:00:02Z","arn:aws:iam::811596193553:user/Level6","DescribeInstances","us-west-1","45.250.7.228",,"22","Boto3/1.9.86 Python/3.7.3 Linux/5.1.0- |
goodycy3
/ Brute force attempts to assume roles.csv
Created
February 6, 2024 17:43
We can make this file beautiful and searchable if this error is corrected: Unclosed quoted field in line 6.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "eventtime","user_arn","user_type","eventname","awsregion","errorcode","sourceipaddress","useragent","attempt_count" | |
| "2020-05-05T18:05:46Z","arn:aws:iam::811596193553:user/backup","IAMUser","AssumeRole","us-east-1","AccessDenied","217.242.1.56","Boto3/1.12.47 Python/3.8.1 Darwin/19.4.0 Botocore/1.15.47","42" | |
| "2018-09-21T09:21:43Z","arn:aws:iam::811596193553:user/backup","IAMUser","AssumeRole","us-east-1","AccessDenied","125.22.29.57","Boto3/1.7.84 Python/2.7.10 Darwin/16.7.0 Botocore/1.10.84","24" | |
| "2018-09-21T09:21:46Z","arn:aws:iam::811596193553:user/backup","IAMUser","AssumeRole","us-east-1","AccessDenied","125.22.29.57","Boto3/1.7.84 Python/2.7.10 Darwin/16.7.0 Botocore/1.10.84","24" | |
| "2020-05-05T18:00:17Z","arn:aws:iam::811596193553:user/backup","IAMUser","AssumeRole","us-east-1","AccessDenied","217.242.1.56","Boto3/1.12.47 Python/3.8.1 Darwin/19.4.0 Botocore/1.15.47","23" | |
| "2020-05-05T18:00:16Z","arn:aws:iam::811596193553:user/backup","IAMUser","AssumeRole","us-east-1","AccessDenied","217.242.1.56","Boto3/ |
goodycy3
/ Identifying Creation of public S3 buckets.csv
Created
February 6, 2024 17:43
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| eventtime | user_arn | bucketName | bucket_acl | sourceipaddress | eventname | awsregion | acl_details | useragent | |
|---|---|---|---|---|---|---|---|---|---|
| 2020-09-22T02:00:15Z | "flaws.cloud" | "" | 254.9.176.211 | PutBucketAcl | us-west-2 | [Boto3/1.4.7 Python/2.7.16 Linux/4.15.0-66-generic Botocore/1.7.48] | |||
| 2020-09-23T02:00:17Z | "flaws.cloud" | "" | 254.9.176.211 | PutBucketAcl | us-west-2 | [Boto3/1.4.7 Python/2.7.16 Linux/4.15.0-66-generic Botocore/1.7.48] | |||
| 2020-09-23T17:11:39Z | "flaws.cloud" | "" | 1.250.4.5 | PutBucketAcl | us-west-2 | [Boto3/1.14.13 Python/3.8.5 Linux/5.6.0-kali2-amd64 Botocore/1.17.13] | |||
| 2020-09-23T17:15:25Z | "flaws.cloud" | "" | 250.26.255.4 | PutBucketAcl | us-west-2 | [Boto3/1.14.13 Python/3.8.5 Linux/5.6.0-kali2-amd64 Botocore/1.17.13] | |||
| 2020-09-24T02:00:11Z | "flaws.cloud" | "" | 254.9.176.211 | PutBucketAcl | us-west-2 | [Boto3/1.4.7 Python/2.7.16 Linux/4.15.0-66-generic Botocore/1.7.48] | |||
| 2020-09-26T02:00:17Z | "flaws.cloud" | "" | 254.9.176.211 | PutBucketAcl | us-west-2 |
goodycy3
/ Hunting for permanent key creation.csv
Created
February 6, 2024 17:41
We can make this file beautiful and searchable if this error is corrected: Unclosed quoted field in line 5.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "eventTime","eventName","sourceIPAddress","arn","createDate","status","accessKeyId","errorCode","errorMessage" | |
| "2018-08-11T17:40:25Z","CreateAccessKey","3.250.51.250","arn:aws:iam::811596193553:user/Level6",,,,"AccessDenied","User: arn:aws:iam::811596193553:user/Level6 is not authorized to perform: iam:CreateAccessKey on resource: user nullLevel6" | |
| "2018-08-11T17:40:25Z","CreateAccessKey","3.250.51.250","arn:aws:iam::811596193553:user/Level6",,,,"AccessDenied","User: arn:aws:iam::811596193553:user/Level6 is not authorized to perform: iam:CreateAccessKey on resource: user nullLevel6" | |
| "2018-08-11T17:40:26Z","CreateAccessKey","3.250.51.250","arn:aws:iam::811596193553:user/backup",,,,"AccessDenied","User: arn:aws:iam::811596193553:user/backup is not authorized to perform: iam:CreateAccessKey on resource: user nullbackup" | |
| "2018-10-04T17:14:11Z","CreateAccessKey","117.188.2.147","arn:aws:iam::811596193553:user/Level6",,,,"AccessDenied","User: arn:aws:iam::811596193553:user/Level6 is not authorized to perform: iam:Cr |
goodycy3
/ Hunting for suspicious user agents.csv
Created
February 6, 2024 17:40
We can't make this file beautiful and searchable because it's too large.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "request_count","sourceIPAddress","eventName","useragent","awsRegion","first_seen","last_seen" | |
| "6596","45.250.7.228","DescribeSnapshotAttribute","Boto3/1.9.86 Python/3.7.3 Linux/5.1.0-parrot1-3t-amd64 Botocore/1.12.170","us-west-1","2019-06-25T04:29:46Z","2019-06-25T04:54:03Z" | |
| "5420","240.252.161.77","ListPolicyVersions","Boto3/1.9.171 Python/3.7.3 Linux/5.1.0-parrot1-3t-amd64 Botocore/1.12.171","us-east-1","2019-07-30T20:28:45Z","2019-07-31T21:35:26Z" | |
| "5134","240.252.161.77","GetPolicyVersion","Boto3/1.9.171 Python/3.7.3 Linux/5.1.0-parrot1-3t-amd64 Botocore/1.12.171","us-east-1","2019-07-30T21:36:44Z","2019-07-31T21:35:47Z" | |
| "3580","84.252.252.117","DescribeReservedInstancesOfferings","AWSPowerShell/3.3.365.0 .NET_Runtime/4.0 .NET_Framework/4.0 OS/Microsoft_Windows_NT_10.0.01985.0 WindowsPowerShell/5.0 ClientSync","us-west-2","2019-04-01T00:02:53Z","2019-04-01T00:33:10Z" | |
| "2935","237.87.246.92","GetBucketAcl","[aws-cli/1.16.301 Python/3.7.6 Linux/5.4.0-kali3-amd64 botocore/1.13.37]","us-west-2","2020-03-24T11 |
goodycy3
/ Hunting for S3 Buckets Brute Force.csv
Created
February 6, 2024 17:29
We can make this file beautiful and searchable if this error is corrected: Unclosed quoted field in line 9.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "sourceIPAddress","eventName","eventSource","awsRegion","request_count","first_attempt_time","last_attempt_time" | |
| "193.29.252.218","GetBucketAcl","s3.amazonaws.com","us-west-2","23468","2019-10-21T13:59:40Z","2020-10-07T21:03:30Z" | |
| "237.87.246.92","GetBucketAcl","s3.amazonaws.com","us-west-2","2945","2020-03-21T03:56:21Z","2020-03-30T05:36:10Z" | |
| "3.83.9.50","GetBucketAcl","s3.amazonaws.com","us-east-1","2816","2018-07-31T13:10:14Z","2018-07-31T15:25:38Z" | |
| "236.9.245.88","GetBucketAcl","s3.amazonaws.com","us-west-2","2512","2018-07-30T08:04:55Z","2018-11-20T08:54:19Z" | |
| "236.9.245.88","GetBucketAcl","s3.amazonaws.com","us-east-1","1814","2018-07-30T08:07:30Z","2018-10-16T10:13:16Z" | |
| "5.189.203.97","GetBucketAcl","s3.amazonaws.com","us-west-2","1604","2020-03-26T02:57:49Z","2020-03-26T04:43:13Z" | |
| "236.9.245.88","GetBucketAcl","s3.amazonaws.com","ap-northeast-1","1094","2018-07-30T08:11:56Z","2018-10-16T10:13:24Z" | |
| "0.52.31.206","GetBucketAcl","s3.amazonaws.com","us-west-2","648","2019-06-20T19:35:22Z","2019-08-02T17:45: |
goodycy3
/ Hunting for xlarge EC2 Instances.csv
Created
February 6, 2024 17:27
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| instance_type | count | |
|---|---|---|
| i3.metal | 34841 | |
| p2.16xlarge | 18199 | |
| p2.8xlarge | 14636 | |
| p2.xlarge | 11675 | |
| m4.large | 11644 | |
| r4.xlarge | 11568 | |
| m3.xlarge | 11510 | |
| m3.large | 11487 | |
| m4.xlarge | 11480 |
goodycy3
/ Hunting for access secret in Secrets Manager.csv
Created
February 6, 2024 17:25
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| user_arn | errorMessage | errorCode | sourceIPAddress | userAgent | |
|---|---|---|---|---|---|
| arn:aws:iam::811596193553:user/backup | User: arn:aws:iam::811596193553:user/backup is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-west-2:811596193553:secret:AppEncryptionKey-73a0iL | AccessDenied | 250.255.33.75 | Boto3/1.11.9 Python/3.7.3 Darwin/18.7.0 Botocore/1.14.9 |
goodycy3
/ Efforts to compromise accounts by creating IAM users.csv
Created
February 6, 2024 17:22
We can make this file beautiful and searchable if this error is corrected: Unclosed quoted field in line 9.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "eventTime","eventName","awsRegion","arn","type","requestParameters" | |
| "2020-08-21T07:52:29Z","CreateUser","us-east-1","arn:aws:sts::811596193553:assumed-role/aws:ec2-instance/i-aa2d3b42e5c6e801a","AssumedRole","null" | |
| "2020-08-21T07:49:02Z","CreateUser","us-east-1","arn:aws:sts::811596193553:assumed-role/aws:ec2-instance/i-aa2d3b42e5c6e801a","AssumedRole","null" | |
| "2020-08-21T07:41:41Z","CreateUser","us-east-1","arn:aws:sts::811596193553:assumed-role/aws:ec2-instance/i-aa2d3b42e5c6e801a","AssumedRole","null" | |
| "2020-04-18T14:43:59Z","CreateUser","us-east-1","arn:aws:iam::811596193553:user/backup","IAMUser","null" | |
| "2020-03-04T20:06:40Z","CreateUser","us-east-1","arn:aws:iam::811596193553:user/Level6","IAMUser","null" | |
| "2019-09-30T06:36:15Z","CreateUser","us-east-1","arn:aws:iam::811596193553:user/backup","IAMUser","null" | |
| "2019-09-30T06:36:10Z","CreateUser","us-east-1","arn:aws:iam::811596193553:user/Level6","IAMUser","null" | |
| "2019-09-17T07:28:01Z","CreateUser","us-east-1","arn:aws:iam::811596193553:user/backup","IAMUs |
goodycy3
/ Hunting for “whoami”.csv
Created
February 6, 2024 17:21
We can't make this file beautiful and searchable because it's too large.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "occurrences","user_arn","source_ip_address","user_agent" | |
| "1206","arn:aws:iam::811596193553:user/backup","5.205.62.253","Boto3/1.9.201 Python/2.7.12 Linux/4.4.0-157-generic Botocore/1.12.201" | |
| "1202","arn:aws:iam::811596193553:user/Level6","5.205.62.253","Boto3/1.9.201 Python/2.7.12 Linux/4.4.0-157-generic Botocore/1.12.201" | |
| "1148","arn:aws:iam::811596193553:user/backup","5.205.62.253","Boto3/1.9.201 Python/2.7.12 Linux/4.4.0-159-generic Botocore/1.12.201" | |
| "1141","arn:aws:iam::811596193553:user/Level6","5.205.62.253","Boto3/1.9.201 Python/2.7.12 Linux/4.4.0-159-generic Botocore/1.12.201" | |
| "210","arn:aws:sts::811596193553:assumed-role/flaws/i-aa2d3b42e5c6e801a","42.157.9.48","aws-cli/1.16.209 Python/2.7.14 Darwin/18.6.0 botocore/1.12.199" | |
| "192","arn:aws:iam::811596193553:user/Level6","253.252.7.168","aws-cli/1.16.148 Python/3.6.8 Linux/4.19.0-kali3-amd64 botocore/1.12.138" | |
| "181","arn:aws:iam::811596193553:user/backup","155.63.17.217","Boto3/1.7.4 Python/2.7.12 Linux/4.4.0-119-generic Botocore/1.10.4" | |
| "138","arn: |
NewerOlder