AWS IAM S3Browser Templated S3 Bucket Policy Creation

Detects the S3 Browser utility creating an inline IAM policy that still contains the default S3 bucket name placeholder value "<YOUR-BUCKET-NAME>".

Sigma rule (View on GitHub)

title: AWS IAM S3Browser Templated S3 Bucket Policy Creation
id: db014773-7375-4f4e-b83b-133337c0ffee
status: test
description: Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "<YOUR-BUCKET-NAME>".
references:
    - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
author: daniel.bohannon@permiso.io (@danielhbohannon)
date: 2023-05-17
tags:
    - attack.execution
    - attack.t1059.009
    - attack.persistence
    - attack.defense-evasion
    - attack.initial-access
    - attack.privilege-escalation
    - attack.t1078.004
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: iam.amazonaws.com
        eventName: PutUserPolicy
        userAgent|contains: 'S3 Browser'
        requestParameters|contains|all:
            - '"arn:aws:s3:::<YOUR-BUCKET-NAME>/*"'
            - '"s3:GetObject"'
            - '"Allow"'
    condition: selection
falsepositives:
    - Valid usage of S3 browser with accidental creation of default Inline IAM policy without changing default S3 bucket name placeholder value
level: high
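To show what the selection above actually matches, here is an added example (not part of the Sigma rule or SigmaHQ) that applies the same criteria to constructed CloudTrail PutUserPolicy records. It assumes the SIEM exposes the nested policyDocument string as-is when evaluating `requestParameters|contains`, so the quoted JSON fragments in the rule are visible to the match; the user agent strings and user names are constructed.

```python
import json

# Selection criteria copied from the Sigma rule.
RULE = {
    "eventSource": "iam.amazonaws.com",
    "eventName": "PutUserPolicy",
    "userAgent_contains": "S3 Browser",
    "requestParameters_contains_all": [
        '"arn:aws:s3:::<YOUR-BUCKET-NAME>/*"',
        '"s3:GetObject"',
        '"Allow"',
    ],
}

def request_parameters_text(rp: dict) -> str:
    """Flatten requestParameters into one searchable string. CloudTrail delivers
    policyDocument as a JSON-encoded string; string values are kept raw (assumption:
    the SIEM extracts the nested JSON rather than re-escaping its quotes)."""
    return " ".join(v if isinstance(v, str) else json.dumps(v) for v in rp.values())

def matches_rule(event: dict) -> bool:
    """Evaluate the rule's 'selection' against a single CloudTrail event."""
    if event.get("eventSource") != RULE["eventSource"]:
        return False
    if event.get("eventName") != RULE["eventName"]:
        return False
    if RULE["userAgent_contains"] not in event.get("userAgent", ""):
        return False
    text = request_parameters_text(event.get("requestParameters") or {})
    return all(needle in text for needle in RULE["requestParameters_contains_all"])

def policy_document(bucket: str) -> str:
    """Constructed policyDocument shaped like a templated S3 Browser inline policy."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": f"arn:aws:s3:::{bucket}/*"}]})

def event(user_agent: str, user: str, bucket: str) -> dict:
    """Constructed CloudTrail record (only the fields the rule inspects)."""
    return {"eventSource": "iam.amazonaws.com", "eventName": "PutUserPolicy",
            "userAgent": user_agent,
            "requestParameters": {"userName": user, "policyName": "S3BrowserPolicy",
                                  "policyDocument": policy_document(bucket)}}

SAMPLE_EVENTS = [
    event("S3 Browser (constructed UA)", "backup-user", "<YOUR-BUCKET-NAME>"),  # alert
    event("S3 Browser (constructed UA)", "backup-user", "corp-backups"),        # placeholder replaced
    event("aws-cli (constructed UA)", "ops-user", "<YOUR-BUCKET-NAME>"),        # wrong user agent
]

def alerts(events) -> list:
    """Return the IAM user names of events that trigger the rule."""
    return [e["requestParameters"]["userName"] for e in events if matches_rule(e)]

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))
```

Only the first record fires; the second illustrates the rule's stated false positive boundary (a real bucket name in place of the placeholder suppresses the match), and the third shows that the userAgent filter keeps the rule tool-specific.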
