This rule detects when a JavaScript file (an object key ending in .js) is uploaded to an S3 static site directory (static/js/) by an IAM user or an assumed role. This can indicate suspicious modification of web content hosted on S3, such as injecting malicious scripts into a static website frontend. PutObject is an S3 data event, so the rule only sees buckets for which CloudTrail data event logging has been enabled.
Identifies successful AWS API calls where the CloudTrail user agent indicates offensive tooling or automated credential verification. This includes the AWS CLI or Boto3 reporting a Kali Linux distribution fingerprint (distrib#kali), and clients that identify as TruffleHog, which is commonly used to validate leaked secrets against live AWS APIs. These patterns are uncommon for routine production workloads and may indicate compromised credentials, unauthorized access, or security tooling operating outside approved scope. Note that the user agent is set by the client and is trivially spoofable, so a match is a strong signal but its absence proves nothing.
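Both rules above reduce to a few field checks on a CloudTrail record. The following is an added example written for this page, not the vendor's rule engine or its query syntax: it implements the two rules as plain functions and runs them over constructed sample records. Field names (eventSource, eventName, userIdentity.type, requestParameters.key, userAgent, errorCode) follow the CloudTrail record format; the sample events, the exact user-agent strings, the restriction to PutObject, and the assumption that static/js/ may sit under a prefix are all illustrative choices, not something the page states.

```python
import re

# Principal types the S3 rule cares about. Assumption: other types
# (AWSService, Root, FederatedUser) are out of scope for this rule.
INTERACTIVE_PRINCIPALS = {"IAMUser", "AssumedRole"}

# .js object under a static/js/ directory; assumption: the directory may be
# at the bucket root or below some prefix (e.g. assets/static/js/).
STATIC_JS_KEY = re.compile(r"(?:^|/)static/js/.+\.js$", re.IGNORECASE)

# Client fingerprints from the second rule, matched case-insensitively as
# substrings of the client-supplied userAgent field.
OFFENSIVE_UA = re.compile(r"distrib#kali|trufflehog", re.IGNORECASE)


def is_successful(event: dict) -> bool:
    """CloudTrail records a failed call by adding errorCode/errorMessage."""
    return "errorCode" not in event and "errorMessage" not in event


def js_upload_to_static_site(event: dict) -> bool:
    """Rule 1: successful PutObject of a .js key under static/js/ by an IAM user or assumed role."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return False
    if event.get("eventName") != "PutObject":  # assumption: direct uploads only
        return False
    if not is_successful(event):
        return False
    principal_type = (event.get("userIdentity") or {}).get("type")
    if principal_type not in INTERACTIVE_PRINCIPALS:
        return False
    key = (event.get("requestParameters") or {}).get("key", "")
    return STATIC_JS_KEY.search(key) is not None


def offensive_tooling_user_agent(event: dict) -> bool:
    """Rule 2: any successful call whose userAgent carries a Kali or TruffleHog fingerprint."""
    return is_successful(event) and OFFENSIVE_UA.search(event.get("userAgent", "")) is not None


RULES = {
    "s3_static_js_upload": js_upload_to_static_site,
    "offensive_tooling_user_agent": offensive_tooling_user_agent,
}


def evaluate(events: list) -> list:
    """Return (rule_name, eventID) for every rule that matches each record."""
    return [(name, ev["eventID"]) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed sample records (not real CloudTrail output); only the fields the rules read are present.
SAMPLE_EVENTS = [
    {"eventID": "evt-1", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"bucketName": "www-example-site", "key": "static/js/app.js"},
     "userAgent": "aws-sdk-js/3.500.0 os/linux"},
    {"eventID": "evt-2", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/deploy/ci"},
     "requestParameters": {"bucketName": "www-example-site", "key": "assets/static/js/vendor.js"},
     "userAgent": "aws-sdk-go-v2/1.24.0 os/linux"},
    {"eventID": "evt-3", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"type": "AWSService", "invokedBy": "cloudfront.amazonaws.com"},
     "requestParameters": {"bucketName": "www-example-site", "key": "static/js/app.js"},
     "userAgent": "cloudfront.amazonaws.com"},
    {"eventID": "evt-4", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "userIdentity": {"type": "IAMUser", "userName": "svc-backup"},
     "requestParameters": None,
     "userAgent": "aws-cli/2.15.30 md/awscrt#0.19.19 ua/2.0 os/linux#6.6.9-amd64 md/distrib#kali.2024 lang/python#3.11.8"},
    {"eventID": "evt-5", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "svc-backup"},
     "requestParameters": None, "userAgent": "TruffleHog",
     "errorCode": "AccessDenied", "errorMessage": "Access Denied"},
    {"eventID": "evt-6", "eventSource": "iam.amazonaws.com", "eventName": "GetUser",
     "userIdentity": {"type": "IAMUser", "userName": "svc-backup"},
     "requestParameters": None, "userAgent": "TruffleHog"},
]

if __name__ == "__main__":
    for rule_name, event_id in evaluate(SAMPLE_EVENTS):
        print(f"{rule_name}: {event_id}")
```

Running it flags evt-1 and evt-2 under the S3 rule (the CloudFront-originated write in evt-3 is excluded by principal type, as the rule text requires) and evt-4 and evt-6 under the user-agent rule; evt-5 is skipped because the TruffleHog call was denied and the rule only counts successful calls. The fingerprint list is deliberately a plain regex so that new tool signatures can be appended without touching the rule logic.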