AWS IAM S3Browser Templated S3 Bucket Policy Creation
Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "
Sigma rule (View on GitHub)
1title: AWS IAM S3Browser Templated S3 Bucket Policy Creation
2id: db014773-7375-4f4e-b83b-133337c0ffee
3status: test
4description: Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "<YOUR-BUCKET-NAME>".
5references:
6 - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
7author: daniel.bohannon@permiso.io (@danielhbohannon)
8date: 2023-05-17
9tags:
10 - attack.execution
11 - attack.t1059.009
12 - attack.persistence
13 - attack.defense-evasion
14 - attack.initial-access
15 - attack.privilege-escalation
16 - attack.t1078.004
17logsource:
18 product: aws
19 service: cloudtrail
20detection:
21 selection:
22 eventSource: iam.amazonaws.com
23 eventName: PutUserPolicy
24 userAgent|contains: 'S3 Browser'
25 requestParameters|contains|all:
26 - '"arn:aws:s3:::<YOUR-BUCKET-NAME>/*"'
27 - '"s3:GetObject"'
28 - '"Allow"'
29 condition: selection
30falsepositives:
31 - Valid usage of S3 browser with accidental creation of default Inline IAM policy without changing default S3 bucket name placeholder value
32level: high
References
-
Permiso’s p0 Labs has been tracking a threat actor for the last 18 months. In this article we will describe the attack lifecycle and detection opportunities for the cloud-focused, financially motivated threat actor we have dubbed as p0-LUCR-1, aka GUI-vil (Goo-ee-vil).
Read More
Related rules
- AWS IAM S3Browser LoginProfile Creation
- AWS IAM S3Browser User or AccessKey Creation
- AWS Root Credentials
- AWS SAML Provider Deletion Activity
- AWS Successful Console Login Without MFA