AWS IAM S3Browser Templated S3 Bucket Policy Creation

Detects the S3 Browser utility creating an inline IAM policy that still contains the default S3 bucket name placeholder value "<YOUR-BUCKET-NAME>".

Sigma rule

```yaml
title: AWS IAM S3Browser Templated S3 Bucket Policy Creation
id: db014773-7375-4f4e-b83b-133337c0ffee
status: test
description: Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "<YOUR-BUCKET-NAME>".
references:
    - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
author: daniel.bohannon@permiso.io (@danielhbohannon)
date: 2023-05-17
modified: 2023-05-17
tags:
    - attack.execution
    - attack.t1059.009
    - attack.persistence
    - attack.t1078.004
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: iam.amazonaws.com
        eventName: PutUserPolicy
        userAgent|contains: 'S3 Browser'
        requestParameters|contains|all:
            - '"arn:aws:s3:::<YOUR-BUCKET-NAME>/*"'
            - '"s3:GetObject"'
            - '"Allow"'
    condition: selection
falsepositives:
    - Valid usage of S3 browser with accidental creation of default Inline IAM policy without changing default S3 bucket name placeholder value
level: high
```
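To show what the selection block above actually matches, here is the rule re-implemented in plain Python and run over three constructed CloudTrail `PutUserPolicy` records. This is an added example, not code from the rule or from Sigma; the user-agent strings, user and policy names, and the `_event`/`_string_leaves` helpers are assumptions made for the demonstration.

```python
import json
# The rule's requestParameters|contains|all needles (added example, not the rule's own code).
NEEDLES = ['"arn:aws:s3:::<YOUR-BUCKET-NAME>/*"', '"s3:GetObject"', '"Allow"']

def _string_leaves(obj):
    """Yield every string value nested anywhere inside a CloudTrail field."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from _string_leaves(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _string_leaves(value)

def matches(event: dict) -> bool:
    """True when a CloudTrail record satisfies the Sigma rule's selection block."""
    if event.get("eventSource") != "iam.amazonaws.com":
        return False
    if event.get("eventName") != "PutUserPolicy":
        return False
    if "S3 Browser" not in event.get("userAgent", ""):
        return False
    # The inline policy is a JSON string inside requestParameters.policyDocument, so the
    # quoted needles are searched in the string leaves rather than a re-escaped dump.
    leaves = list(_string_leaves(event.get("requestParameters", {})))
    return all(any(needle in leaf for leaf in leaves) for needle in NEEDLES)

def detect(events):
    """Return the eventIDs of the records that trigger the rule."""
    return [event["eventID"] for event in events if matches(event)]

def _event(eid, user_agent, resource):
    """Build a constructed CloudTrail PutUserPolicy record (not real data)."""
    policy = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": resource}]}
    return {"eventID": eid, "eventSource": "iam.amazonaws.com",
            "eventName": "PutUserPolicy", "userAgent": user_agent,
            "requestParameters": {"userName": "backup-user",
                                  "policyName": "S3Browser-Policy",
                                  "policyDocument": json.dumps(policy)}}

SAMPLE_EVENTS = [  # constructed; only evt-1 has both the templated bucket and the S3 Browser UA
    _event("evt-1", "S3 Browser/10.9 (constructed UA)", "arn:aws:s3:::<YOUR-BUCKET-NAME>/*"),
    _event("evt-2", "S3 Browser/10.9 (constructed UA)", "arn:aws:s3:::example-bucket/*"),
    _event("evt-3", "aws-cli/2.13.0 (constructed UA)", "arn:aws:s3:::<YOUR-BUCKET-NAME>/*"),
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))  # ['evt-1']
```

evt-2 shows the false-positive boundary the rule draws: the same tool and the same permissions do not fire once the placeholder bucket name has been replaced.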
