AWS IAM activity by S3 browser utility


Goal

Detect IAM activity associated with the S3 browser utility.

Strategy

This rule monitors AWS CloudTrail and detects IAM activity associated with the S3 browser utility. S3 Browser is a freeware Windows client for Amazon S3 and Amazon CloudFront. This tool has been used by the threat group GUI-vil to establish persistence or escalate privileges in a victim's AWS account. Details about this threat group can be found in the Permiso blog post.

This rule monitors the following API calls:

  • CreateUser
  • CreateLoginProfile
  • CreateAccessKey
  • PutUserPolicy
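
The rule's logic, written out as an added Python example (not Datadog's rule definition): it scans constructed CloudTrail records for the four IAM calls above and flags those whose userAgent points at S3 Browser. The userAgent substring and the sample records are assumptions for this example, not values taken from the page.

```python
import json

# IAM API calls the rule watches (from the page).
WATCHED_IAM_CALLS = {"CreateUser", "CreateLoginProfile", "CreateAccessKey", "PutUserPolicy"}
# Substring looked for in the CloudTrail userAgent field; assumed for this
# example, not quoted from the page or the rule itself.
S3_BROWSER_UA_MARKER = "s3 browser"


def is_s3_browser_iam_event(record):
    """Return True if a single CloudTrail record matches the rule's logic."""
    return (
        record.get("eventSource") == "iam.amazonaws.com"
        and record.get("eventName") in WATCHED_IAM_CALLS
        and S3_BROWSER_UA_MARKER in record.get("userAgent", "").lower()
    )


def find_s3_browser_iam_activity(records):
    """Return (arn, eventName, eventTime) for every matching record, in log order."""
    hits = []
    for rec in records:
        if is_s3_browser_iam_event(rec):
            arn = rec.get("userIdentity", {}).get("arn", "<unknown>")
            hits.append((arn, rec["eventName"], rec.get("eventTime")))
    return hits


# Constructed sample CloudTrail records (not real log data): two IAM calls from
# S3 Browser, one S3 call from S3 Browser, and one IAM call from the AWS CLI.
SAMPLE_CLOUDTRAIL = json.loads("""
{"Records": [
 {"eventTime": "2023-05-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateUser", "userAgent": "S3 Browser 10.9.9 https://s3browser.com",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/compromised"}},
 {"eventTime": "2023-05-01T10:00:05Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateAccessKey", "userAgent": "S3 Browser 10.9.9 https://s3browser.com",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/compromised"}},
 {"eventTime": "2023-05-01T10:01:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "ListBuckets", "userAgent": "S3 Browser 10.9.9 https://s3browser.com",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/compromised"}},
 {"eventTime": "2023-05-01T10:02:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateUser", "userAgent": "aws-cli/2.11.0 Python/3.11.2",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/admin"}}
]}
""")["Records"]

if __name__ == "__main__":
    for arn, name, when in find_s3_browser_iam_activity(SAMPLE_CLOUDTRAIL):
        print(f"{when} {arn} {name}")
```

Only the two IAM calls made through S3 Browser are reported; the S3 ListBuckets call and the CLI-originated CreateUser are not, which mirrors the triage step of pivoting on the flagged {{@userIdentity.arn}} for its other activity.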

Triage and response

  1. Determine if {{@userIdentity.arn}} should be attempting to use the S3 browser utility.
    • Investigate any other actions carried out by the potentially compromised identity {{@userIdentity.arn}} using the Cloud SIEM investigator.
  2. If the activity is determined to be malicious:
    • Rotate the affected credentials.
    • Remove any new IAM users, access keys, or LoginProfiles.
    • Begin your organization’s incident response process and investigate.