sigma / high / Hunting
AWS IAM S3Browser User or AccessKey Creation
Detects S3 Browser utility creating IAM User or AccessKey.
Detection Query
selection:
    eventSource: iam.amazonaws.com
    eventName:
        - CreateUser
        - CreateAccessKey
    userAgent|contains: S3 Browser
condition: selection
Author
daniel.bohannon@permiso.io (@danielhbohannon)
Created
2023-05-17
Data Sources
awscloudtrail
Platforms
aws
Tags
attack.privilege-escalation, attack.execution, attack.persistence, attack.defense-evasion, attack.initial-access, attack.t1059.009, attack.t1078.004
Raw Content
title: AWS IAM S3Browser User or AccessKey Creation
id: db014773-d9d9-4792-91e5-133337c0ffee
status: test
description: Detects S3 Browser utility creating IAM User or AccessKey.
references:
    - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
author: daniel.bohannon@permiso.io (@danielhbohannon)
date: 2023-05-17
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.defense-evasion
    - attack.initial-access
    - attack.t1059.009
    - attack.t1078.004
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'iam.amazonaws.com'
        eventName:
            - 'CreateUser'
            - 'CreateAccessKey'
        userAgent|contains: 'S3 Browser'
    condition: selection
falsepositives:
    - Valid usage of S3 Browser for IAM User and/or AccessKey creation
level: high