AWS IAM activity by S3 browser utility
Goal
Detect IAM activity associated with the S3 browser utility.
Strategy
This rule monitors AWS CloudTrail and detects IAM activity associated with the S3 browser utility. S3 browser is a freeware Windows client for Amazon S3 and Amazon CloudFront. The threat group GUI-vil has used this tool to persist in, or escalate privileges within, a victim’s AWS account. Details about this threat group are described in the Permiso blog post.
This rule monitors the following API calls:
- CreateUser
- CreateLoginProfile
- CreateAccessKey
- PutUserPolicy
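As an added example (not part of the Datadog rule or its detection query), the following Python reproduces the rule's logic over constructed CloudTrail records and adds two triage helpers: one that lists every action taken by a flagged ARN (the "investigate other actions" step below) and one that lists the users, access keys, and login profiles those calls created or modified (the cleanup step). The sample records, the ARNs, and the `S3_BROWSER_UA_MARKER` user-agent substring are assumptions; the page does not say how the rule identifies the S3 browser client, so check the marker against real events before relying on it.

```python
import json
from collections import defaultdict

# The four IAM API calls listed in the rule description.
MONITORED_IAM_CALLS = {"CreateUser", "CreateLoginProfile", "CreateAccessKey", "PutUserPolicy"}

# Assumption: the client advertises itself in CloudTrail's userAgent field with a
# string containing "s3 browser". The rule page does not state the marker it uses.
S3_BROWSER_UA_MARKER = "s3 browser"

ALICE = "arn:aws:iam::123456789012:user/alice"   # constructed ARN
BOB = "arn:aws:iam::123456789012:user/bob"       # constructed ARN

# Constructed sample CloudTrail log, shaped like a CloudTrail delivery file.
SAMPLE_CLOUDTRAIL_JSON = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "userAgent": "S3 Browser/11.0.0 (constructed)",
     "userIdentity": {"arn": ALICE}, "requestParameters": {"userName": "alice"}},
    {"eventTime": "2024-01-01T10:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "userAgent": "S3 Browser/11.0.0 (constructed)",
     "userIdentity": {"arn": ALICE}, "requestParameters": None},
    {"eventTime": "2024-01-01T10:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "PutUserPolicy", "userAgent": "S3 Browser/11.0.0 (constructed)",
     "userIdentity": {"arn": ALICE},
     "requestParameters": {"userName": "backup-svc", "policyName": "AllowAll"}},
    {"eventTime": "2024-01-01T11:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "userAgent": "console.amazonaws.com",
     "userIdentity": {"arn": BOB}, "requestParameters": {"userName": "carol"}},
    {"eventTime": "2024-01-01T11:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateLoginProfile", "userAgent": "S3 Browser/11.0.0 (constructed)",
     "userIdentity": {"arn": BOB}, "requestParameters": {"userName": "carol"}},
]})


def parse_cloudtrail(json_text):
    """Return the list of records from a CloudTrail delivery file or LookupEvents dump."""
    return json.loads(json_text).get("Records", [])


def is_s3_browser_iam_activity(record):
    """Rule logic: an IAM call from the monitored set whose user agent marks the S3 browser client."""
    user_agent = (record.get("userAgent") or "").lower()
    return (record.get("eventSource") == "iam.amazonaws.com"
            and record.get("eventName") in MONITORED_IAM_CALLS
            and S3_BROWSER_UA_MARKER in user_agent)


def find_s3_browser_iam_activity(records):
    """Return (actor ARN, eventName, eventTime) for each record the rule would flag."""
    return [(r["userIdentity"]["arn"], r["eventName"], r["eventTime"])
            for r in records if is_s3_browser_iam_activity(r)]


def actions_by_identity(records, arn):
    """Triage helper: every API call, across all services, made by the given ARN, in time order."""
    hits = [r for r in records if (r.get("userIdentity") or {}).get("arn") == arn]
    return sorted((r["eventTime"], r["eventSource"], r["eventName"]) for r in hits)


def remediation_targets(records):
    """Triage helper: IAM principals touched by flagged calls, grouped by the actor ARN.

    The userName in requestParameters is the user that was created, given a login
    profile, given an access key, or given an inline policy; these are the objects
    the response steps say to remove or rotate.
    """
    targets = defaultdict(set)
    for r in records:
        if not is_s3_browser_iam_activity(r):
            continue
        target_user = (r.get("requestParameters") or {}).get("userName")
        if target_user:
            targets[r["userIdentity"]["arn"]].add((r["eventName"], target_user))
    return {actor: sorted(pairs) for actor, pairs in targets.items()}


if __name__ == "__main__":
    records = parse_cloudtrail(SAMPLE_CLOUDTRAIL_JSON)
    for actor, event, when in find_s3_browser_iam_activity(records):
        print(f"FLAGGED {when} {event} by {actor}")
    for actor, pairs in remediation_targets(records).items():
        print(f"cleanup candidates for {actor}: {pairs}")
```

With the constructed input, the `ListBuckets` call is ignored because it is not an IAM call, and the console-driven `CreateUser` is ignored because its user agent does not match; the remaining three IAM calls are flagged, and `remediation_targets` shows which users and keys each actor created or changed.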
Triage and response
- Determine if {{@userIdentity.arn}} should be attempting to use the S3 browser utility.
- Investigate any other actions carried out by the potentially compromised identity {{@userIdentity.arn}} using the Cloud SIEM investigator.
- If the activity is determined to be malicious:
  - Rotate the affected credentials.
  - Remove any new IAM users, access keys, or LoginProfiles.
  - Begin your organization’s incident response process and investigate.