AWS IAM S3Browser User or AccessKey Creation

 1title: AWS IAM S3Browser User or AccessKey Creation
 2id: db014773-d9d9-4792-91e5-133337c0ffee
 3status: test
 4description: Detects S3 Browser utility creating IAM User or AccessKey.
 5references:
 6    - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
 7author: daniel.bohannon@permiso.io (@danielhbohannon)
 8date: 2023-05-17
 9tags:
10    - attack.privilege-escalation
11    - attack.execution
12    - attack.persistence
13    - attack.defense-evasion
14    - attack.initial-access
15    - attack.t1059.009
16    - attack.t1078.004
17logsource:
18    product: aws
19    service: cloudtrail
20detection:
21    selection:
22        eventSource: 'iam.amazonaws.com'
23        eventName:
24            - 'CreateUser'
25            - 'CreateAccessKey'
26        userAgent|contains: 'S3 Browser'
27    condition: selection
28falsepositives:
29    - Valid usage of S3 Browser for IAM User and/or AccessKey creation
30level: high

References

• Permiso | Blog | Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor

  

  Permiso’s p0 Labs has been tracking a threat actor for the last 18 months. In this article we will describe the attack lifecycle and detection opportunities for the cloud-focused, financially motivated threat actor we have dubbed as p0-LUCR-1, aka GUI-vil (Goo-ee-vil).

  
  Read More

Related rules

• AWS IAM S3Browser LoginProfile Creation
• AWS IAM S3Browser Templated S3 Bucket Policy Creation
• AWS Root Credentials
• AWS SAML Provider Deletion Activity
• AWS Successful Console Login Without MFA