AWS API Activity from Uncommon S3 Client by Rare User

Identifies AWS API activity originating from uncommon desktop client applications based on the user agent string. This rule detects S3 Browser and Cyberduck, which are graphical S3 management tools that provide bulk upload/download capabilities. While legitimate, these tools are rarely used in enterprise environments and have been observed in use by threat actors for data exfiltration. Any activity from these clients should be validated against authorized data transfer workflows.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/02/09"
integration = ["aws"]
maturity = "production"
updated_date = "2026/02/09"

[rule]
author = ["Elastic"]
description = """
Identifies AWS API activity originating from uncommon desktop client applications based on the user agent string. This
rule detects S3 Browser and Cyberduck, which are graphical S3 management tools that provide bulk upload/download
capabilities. While legitimate, these tools are rarely used in enterprise environments and have been observed in use by
threat actors for data exfiltration. Any activity from these clients should be validated against authorized data
transfer workflows.
"""
false_positives = [
    """
    Some organizations may have legitimate use cases for S3 Browser or Cyberduck, particularly in development, data
    migration, or backup scenarios. Verify whether the IAM principal, source network, and accessed buckets align with
    approved workflows. Unexpected activity from these clients, especially accessing sensitive buckets, should be
    investigated.
    """,
]
from = "now-6m"
index = ["logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS API Activity from Uncommon S3 Client by Rare User"
note = """## Triage and Analysis

### Investigating AWS API Activity from Uncommon S3 Client by Rare User

S3 Browser and Cyberduck are graphical clients for Amazon S3 that allow users to browse, upload, download, and manage S3 objects. While legitimate tools, they are uncommonly used in enterprise environments where organizations typically standardize on AWS CLI, SDKs, or console access. The presence of these tools may indicate unauthorized data access or exfiltration activity.

This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that identifies the first time a specific user within an account makes API calls using S3 Browser or Cyberduck user agent strings. Threat actors have been observed using these tools for their intuitive interface and bulk data transfer capabilities during post-compromise data theft operations.

### Possible investigation steps

- **Identify the actor**
  - Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` to determine which IAM principal was used.
  - Check whether this principal normally accesses S3 and whether usage of these desktop clients is expected or authorized.

- **Review accessed resources**
  - Examine `aws.cloudtrail.resources.arn` to identify which S3 buckets and objects were accessed.
  - Determine whether the accessed data is sensitive, confidential, or subject to data protection policies.
  - Look for patterns indicating bulk downloads or systematic enumeration of bucket contents.

- **Analyze the actions performed**
  - Review `event.action` to understand what operations were performed (e.g., `GetObject`, `ListBucket`, `PutObject`).
  - High volumes of `GetObject` calls may indicate data exfiltration.
  - `PutObject` calls to external buckets could indicate data staging for exfiltration.

- **Inspect source network context**
  - Review `source.ip` and `source.geo` fields to determine the origin of the request.
  - Check whether the IP belongs to corporate infrastructure, VPN, or an unexpected external location.
  - External IPs combined with these desktop client tools are high-risk indicators.

- **Correlate with surrounding activity**
  - Search for additional CloudTrail events from the same access key or session.
  - Look for preceding credential theft indicators such as `GetSecretValue`, `CreateAccessKey`, or console logins.
  - Check for cross-account transfers or `CreateBucket` calls in external accounts.

### False positive analysis

- **Authorized data migration or backup activities** may use these tools. Confirm with data engineering or IT teams.
- **Developer testing** in non-production environments may occasionally involve these clients. Validate the environment and data sensitivity.
- **Third-party integrations** using Cyberduck libraries may generate this user agent. Verify the automation context.

### Response and remediation

- **If unauthorized**, immediately revoke or rotate the affected access keys and invalidate active sessions.
- **Assess data exposure** by reviewing which objects were accessed and determining if sensitive data was compromised.
- **Notify security operations** and initiate incident response procedures if exfiltration is confirmed.
- **Implement preventive controls** such as S3 bucket policies restricting access by user agent or requiring VPC endpoints.

### Additional information
- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**
- **[AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/)**
"""
references = [
    "https://s3browser.com/",
    "https://cyberduck.io/",
    "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud",
    "https://attackevals.github.io/ael/enterprise/scattered_spider/emulation_plan/scattered_spider_scenario/",
]
risk_score = 21
rule_id = "73344d2d-9cfb-4daf-b3c5-1d40a8182b86"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS CloudTrail",
    "Data Source: AWS S3",
    "Tactic: Exfiltration",
    "Use Case: Threat Detection",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset: "aws.cloudtrail"
    and user_agent.original: (*S3 Browser* or *Cyberduck*)
    and event.outcome: "success"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1567"
name = "Exfiltration Over Web Service"
reference = "https://attack.mitre.org/techniques/T1567/"
[[rule.threat.technique.subtechnique]]
id = "T1567.002"
name = "Exfiltration to Cloud Storage"
reference = "https://attack.mitre.org/techniques/T1567/002/"



[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "aws.cloudtrail.resources.arn",
    "aws.cloudtrail.resources.type",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]

[rule.new_terms]
field = "new_terms_fields"
value = ["cloud.account.id", "user.name"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
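To make the rule's two moving parts concrete, the following is an added example (not code from the Elastic rule or its repository) that replays the KQL query and the New Terms logic offline against constructed CloudTrail records. It reproduces the query as a predicate over flattened ECS fields, then applies the rule's `from = "now-6m"` execution window, the `(cloud.account.id, user.name)` term key and the `now-7d` history window to decide which events would alert on a run at a fixed time. The events, user names, account IDs and user agent strings are constructed for illustration; the case-sensitive wildcard match is this simulation's assumption about how KQL treats the `user_agent.original` keyword field.

```python
"""Offline simulation of the rule above: the KQL query as a predicate and the
New Terms logic over (cloud.account.id, user.name) with a 7-day history window.
Added example, not code from the Elastic rule or its repository; the events,
principals, account IDs and user agent strings below are constructed."""
import fnmatch
from datetime import datetime, timedelta, timezone

# Tunables copied from the rule's TOML.
USER_AGENT_PATTERNS = ("*S3 Browser*", "*Cyberduck*")   # user_agent.original: (*S3 Browser* or *Cyberduck*)
NEW_TERMS_FIELDS = ("cloud.account.id", "user.name")    # rule.new_terms.value
RULE_FROM = timedelta(minutes=6)                        # from = "now-6m"
HISTORY_WINDOW = timedelta(days=7)                      # history_window_start = "now-7d"


def query_matches(event: dict) -> bool:
    """Equivalent of the rule's KQL query on a flattened ECS event.
    Wildcards are matched case-sensitively (an assumption of this simulation)."""
    ua = event.get("user_agent.original", "")
    return (
        event.get("event.dataset") == "aws.cloudtrail"
        and any(fnmatch.fnmatchcase(ua, pat) for pat in USER_AGENT_PATTERNS)
        and event.get("event.outcome") == "success"
    )


def term_key(event: dict) -> tuple:
    """The New Terms key: one tuple per (account, user) pair."""
    return tuple(event.get(f) for f in NEW_TERMS_FIELDS)


def new_terms_alerts(events: list, now: datetime) -> list:
    """Return the events that would alert on a rule execution at `now`:
    query matches inside the execution window (now-6m .. now) whose term key
    was not seen in a matching event during the history window (now-7d .. now-6m).
    One alert per new term per run, on the earliest matching event."""
    window_start = now - RULE_FROM
    history_start = now - HISTORY_WINDOW
    known = {
        term_key(ev) for ev in events
        if query_matches(ev) and history_start <= ev["@timestamp"] < window_start
    }
    alerts, alerted = [], set()
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not (window_start <= ev["@timestamp"] <= now) or not query_matches(ev):
            continue
        key = term_key(ev)
        if key in known or key in alerted:
            continue
        alerted.add(key)
        alerts.append(ev)
    return alerts


NOW = datetime(2026, 2, 9, 12, 0, tzinfo=timezone.utc)   # constructed execution time


def _event(user, account, ua, action, outcome, age):
    """Build a constructed, flattened CloudTrail event `age` before NOW."""
    return {
        "@timestamp": NOW - age,
        "event.dataset": "aws.cloudtrail",
        "event.action": action,
        "event.outcome": outcome,
        "user.name": user,
        "cloud.account.id": account,
        "user_agent.original": ua,
    }


# Constructed sample events; the user agent strings are illustrative, not captured.
SAMPLE_EVENTS = [
    _event("alice", "111111111111", "S3 Browser/11.5.7 (https://s3browser.com)", "GetObject", "success", timedelta(minutes=2)),
    _event("alice", "111111111111", "Cyberduck/8.7.0 (Windows 10)", "GetObject", "success", timedelta(minutes=1)),
    _event("bob", "111111111111", "aws-cli/2.15.0 md/awscrt#0.19.19", "ListBuckets", "success", timedelta(minutes=2)),
    _event("carol", "111111111111", "Cyberduck/8.7.0 (Mac OS X)", "GetObject", "failure", timedelta(minutes=1)),
    _event("dave", "222222222222", "Cyberduck/8.7.0 (Windows 10)", "PutObject", "success", timedelta(days=10)),
    _event("dave", "222222222222", "Cyberduck/8.7.0 (Windows 10)", "PutObject", "success", timedelta(minutes=3)),
    _event("erin", "111111111111", "Cyberduck/8.7.0 (Mac OS X)", "GetObject", "success", timedelta(days=2)),
    _event("erin", "111111111111", "Cyberduck/8.7.0 (Mac OS X)", "GetObject", "success", timedelta(minutes=3)),
]


def run_example() -> list:
    """Run the simulation and return the alerting user names in time order."""
    return [ev["user.name"] for ev in new_terms_alerts(SAMPLE_EVENTS, NOW)]


if __name__ == "__main__":
    for ev in new_terms_alerts(SAMPLE_EVENTS, NOW):
        print(f"ALERT {ev['@timestamp'].isoformat()} account={ev['cloud.account.id']} "
              f"user={ev['user.name']} {ev['event.action']} via {ev['user_agent.original']}")
```

Running it alerts on `dave` (his only earlier Cyberduck use is 10 days old, outside the 7-day history window, so the term is new again) and on `alice` (first use of either client); `alice`'s second event in the same run is deduplicated, `erin` is suppressed by her 2-day-old history, `bob`'s AWS CLI traffic never matches the query, and `carol`'s failed request is excluded by `event.outcome: "success"`. This is also why the rule's false positive section matters: a user who switches to one of these clients legitimately, or whose last use aged out of the window, alerts exactly once per 7 days.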
