AWS IAM S3Browser Templated S3 Bucket Policy Creation

Jun 4, 2025 · attack.execution attack.t1059.009 attack.persistence attack.t1078.004 ·

Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "".

Sigma rule (View on GitHub)

 1title: AWS IAM S3Browser Templated S3 Bucket Policy Creation
 2id: db014773-7375-4f4e-b83b-133337c0ffee
 3status: test
 4description: Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "<YOUR-BUCKET-NAME>".
 5references:
 6    - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
 7author: daniel.bohannon@permiso.io (@danielhbohannon)
 8date: 2023-05-17
 9tags:
10    - attack.execution
11    - attack.t1059.009
12    - attack.persistence
13    - attack.t1078.004
14logsource:
15    product: aws
16    service: cloudtrail
17detection:
18    selection:
19        eventSource: iam.amazonaws.com
20        eventName: PutUserPolicy
21        userAgent|contains: 'S3 Browser'
22        requestParameters|contains|all:
23            - '"arn:aws:s3:::<YOUR-BUCKET-NAME>/*"'
24            - '"s3:GetObject"'
25            - '"Allow"'
26    condition: selection
27falsepositives:
28    - Valid usage of S3 browser with accidental creation of default Inline IAM policy without changing default S3 bucket name placeholder value
29level: high

References

Permiso | Blog | Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor

Permiso’s p0 Labs has been tracking a threat actor for the last 18 months. In this article we will describe the attack lifecycle and detection opportunities for the cloud-focused, financially motivated threat actor we have dubbed as p0-LUCR-1, aka GUI-vil (Goo-ee-vil).

Read More

AWS IAM S3Browser Templated S3 Bucket Policy Creation

Sigma rule (View on GitHub)

References

Permiso | Blog | Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor

Related rules