AWS IAM S3Browser LoginProfile Creation

Aug 12, 2024 · attack.execution attack.persistence attack.t1059.009 attack.t1078.004 ·

Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.

Sigma rule (View on GitHub)

 1title: AWS IAM S3Browser LoginProfile Creation
 2id: db014773-b1d3-46bd-ba26-133337c0ffee
 3status: test
 4description: Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.
 5references:
 6    - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
 7author: daniel.bohannon@permiso.io (@danielhbohannon)
 8date: 2023-05-17
 9tags:
10    - attack.execution
11    - attack.persistence
12    - attack.t1059.009
13    - attack.t1078.004
14logsource:
15    product: aws
16    service: cloudtrail
17detection:
18    selection:
19        eventSource: 'iam.amazonaws.com'
20        eventName:
21            - 'GetLoginProfile'
22            - 'CreateLoginProfile'
23        userAgent|contains: 'S3 Browser'
24    condition: selection
25falsepositives:
26    - Valid usage of S3 Browser for IAM LoginProfile listing and/or creation
27level: high

References

Permiso | Blog | Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor

Permiso’s p0 Labs has been tracking a threat actor for the last 18 months. In this article we will describe the attack lifecycle and detection opportunities for the cloud-focused, financially motivated threat actor we have dubbed as p0-LUCR-1, aka GUI-vil (Goo-ee-vil).

Read More

AWS IAM S3Browser LoginProfile Creation

Sigma rule (View on GitHub)

References

Permiso | Blog | Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor

Related rules