AWS S3 Static Site JavaScript File Uploaded

  1[metadata]
  2creation_date = "2025/04/15"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2025/10/28"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10This rule detects when a JavaScript file is uploaded in an S3 static site directory (`static/js/`) by an IAM
 11user or assumed role. This can indicate suspicious modification of web content hosted on S3, such as injecting malicious
 12scripts into a static website frontend.
 13"""
 14false_positives = [
 15    """
 16    Development or deployment pipelines that update static frontends frequently (e.g., React/Vue apps) may trigger this.
 17    Verify the user agent, source IP, and whether the modification was expected.
 18    """,
 19]
 20from = "now-6m"
 21language = "esql"
 22license = "Elastic License v2"
 23name = "AWS S3 Static Site JavaScript File Uploaded"
 24note = """## Triage and Analysis
 25
 26### Investigating AWS S3 Static Site JavaScript File Uploaded
 27
 28An S3 `PutObject` action that targets a path like `static/js/` and uploads a `.js` file is a potential signal for web content modification. If done by an unexpected IAM user or outside of CI/CD workflows, it may indicate a compromise.
 29
 30#### Possible Investigation Steps
 31
 32- **Identify the Source User**: Check `aws.cloudtrail.user_identity.arn`, access key ID, and session type (`IAMUser`, `AssumedRole`, etc).
 33- **Review File Content**: Use the S3 `GetObject` or CloudTrail `requestParameters` to inspect the uploaded file for signs of obfuscation or injection.
 34- **Correlate to Other Events**: Review events from the same IAM user before and after the upload (e.g., `ListBuckets`, `GetCallerIdentity`, IAM activity).
 35- **Look for Multiple Uploads**: Attackers may attempt to upload several files or modify multiple directories.
 36
 37### False Positive Analysis
 38
 39- This behavior may be expected during app deployments. Look at:
 40  - The `user_agent.original` to detect legitimate CI tools (like Terraform or GitHub Actions).
 41  - Timing patterns—does this match a regular release window?
 42  - The origin IP and device identity.
 43
 44### Response and Remediation
 45
 46- **Revert Malicious Code**: Replace the uploaded JS file with a clean version and invalidate CloudFront cache if applicable.
 47- **Revoke Access**: If compromise is confirmed, revoke the IAM credentials and disable the user.
 48- **Audit IAM Policies**: Ensure that only deployment users can modify static site buckets.
 49- **Enable Bucket Versioning**: This can allow for quick rollback and historical review.
 50"""
 51references = [
 52    "https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/",
 53    "https://docs.aws.amazon.com/AmazonS3/latest/userguide/WebsiteHosting.html",
 54    "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html",
 55]
 56risk_score = 47
 57rule_id = "16acac42-b2f9-4802-9290-d6c30914db6e"
 58severity = "medium"
 59tags = [
 60    "Domain: Cloud",
 61    "Data Source: AWS",
 62    "Data Source: Amazon Web Services",
 63    "Data Source: AWS S3",
 64    "Tactic: Impact",
 65    "Use Case: Web Application Compromise",
 66    "Use Case: Cloud Threat Detection",
 67    "Resources: Investigation Guide",
 68]
 69timestamp_override = "event.ingested"
 70type = "esql"
 71
 72query = '''
 73from logs-aws.cloudtrail* metadata _id, _version, _index
 74
 75| where
 76    // S3 object write activity
 77    event.dataset == "aws.cloudtrail"
 78    and event.provider == "s3.amazonaws.com"
 79    and event.action == "PutObject"
 80    and event.outcome == "success"
 81
 82    // IAM users or assumed roles only
 83    and aws.cloudtrail.user_identity.type in ("IAMUser", "AssumedRole")
 84
 85    // Requests for static site bundles
 86    and aws.cloudtrail.request_parameters like "*static/js/*.js*"
 87
 88    // Exclude IaC and automation tools
 89    and not (
 90        user_agent.original like "*Terraform*"
 91        or user_agent.original like "*Ansible*"
 92        or user_agent.original like "*Pulumi*"
 93    )
 94
 95// Extract fields from request parameters
 96| dissect aws.cloudtrail.request_parameters
 97    "%{{?bucket.name.key}=%{Esql.aws_cloudtrail_request_parameters_bucket_name}, %{?host.key}=%{Esql_priv.aws_cloudtrail_request_parameters_host}, %{?bucket.object.location.key}=%{Esql.aws_cloudtrail_request_parameters_bucket_object_location}}"
 98
 99// Extract file name portion from full object path
100| dissect Esql.aws_cloudtrail_request_parameters_bucket_object_location "%{}static/js/%{Esql.aws_cloudtrail_request_parameters_object_key}"
101
102// Match on JavaScript files
103| where ends_with(Esql.aws_cloudtrail_request_parameters_object_key, ".js")
104
105// Retain relevant ECS and dissected fields
106| keep
107    aws.cloudtrail.user_identity.arn,
108    aws.cloudtrail.user_identity.access_key_id,
109    aws.cloudtrail.user_identity.type,
110    aws.cloudtrail.request_parameters,
111    Esql.aws_cloudtrail_request_parameters_bucket_name,
112    Esql.aws_cloudtrail_request_parameters_object_key,
113    user_agent.original,
114    source.ip,
115    event.action,
116    @timestamp
117'''
118
119
120[[rule.threat]]
121framework = "MITRE ATT&CK"
122[[rule.threat.technique]]
123id = "T1565"
124name = "Data Manipulation"
125reference = "https://attack.mitre.org/techniques/T1565/"
126[[rule.threat.technique.subtechnique]]
127id = "T1565.001"
128name = "Stored Data Manipulation"
129reference = "https://attack.mitre.org/techniques/T1565/001/"
130
131[rule.threat.tactic]
132id = "TA0040"
133name = "Impact"
134reference = "https://attack.mitre.org/tactics/TA0040/"
135
136[rule.investigation_fields]
137field_names = [
138    "@timestamp",
139    "user.name",
140    "user_agent.original",
141    "source.ip",
142    "aws.cloudtrail.user_identity.arn",
143    "aws.cloudtrail.user_identity.type",
144    "aws.cloudtrail.user_identity.access_key_id",
145    "aws.cloudtrail.resources.arn",
146    "aws.cloudtrail.resources.type",
147    "event.action",
148    "event.outcome",
149    "cloud.account.id",
150    "cloud.region",
151    "aws.cloudtrail.request_parameters",
152    "aws.cloudtrail.response_elements"
153]