AWS IAM S3Browser Templated S3 Bucket Policy Creation
Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "
Sigma rule (View on GitHub)
1title: AWS IAM S3Browser Templated S3 Bucket Policy Creation
2id: db014773-7375-4f4e-b83b-133337c0ffee
3status: test
4description: Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "<YOUR-BUCKET-NAME>".
5references:
6 - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
7author: daniel.bohannon@permiso.io (@danielhbohannon)
8date: 2023/05/17
9modified: 2023/05/17
10tags:
11 - attack.execution
12 - attack.t1059.009
13 - attack.persistence
14 - attack.t1078.004
15logsource:
16 product: aws
17 service: cloudtrail
18detection:
19 selection:
20 eventSource: iam.amazonaws.com
21 eventName: PutUserPolicy
22 userAgent|contains: 'S3 Browser'
23 requestParameters|contains|all:
24 - '"arn:aws:s3:::<YOUR-BUCKET-NAME>/*"'
25 - '"s3:GetObject"'
26 - '"Allow"'
27 condition: selection
28falsepositives:
29 - Valid usage of S3 browser with accidental creation of default Inline IAM policy without changing default S3 bucket name placeholder value
30level: high
References
-
Permiso’s p0 Labs has been tracking a threat actor for the last 18 months. In this article we will describe the attack lifecycle and detection opportunities for the cloud-focused, financially motivated threat actor we have dubbed as p0-LUCR-1, aka GUI-vil (Goo-ee-vil).
Read More
Related rules
- AWS IAM S3Browser LoginProfile Creation
- AWS IAM S3Browser User or AccessKey Creation
- CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
- Github New Secret Created
- Github Self Hosted Runner Changes Detected