AWS IAM activity by S3 browser utility


Goal

Detect IAM activity associated with the S3 browser utility.

Strategy

This rule monitors AWS CloudTrail and detects IAM activity associated with the S3 Browser utility. S3 Browser is a freeware Windows client for Amazon S3 and Amazon CloudFront. The threat group GUI-vil has used this tool to persist in, or escalate privileges within, a victim's AWS account; details about the group are available in the Permiso blog post.

This rule monitors the following API calls:

  • CreateUser
  • CreateLoginProfile
  • CreateAccessKey
  • PutUserPolicy

Triage and response

  1. Determine whether {{@userIdentity.arn}} should be using the S3 Browser utility at all.
    • Investigate any other actions carried out by the potentially compromised identity {{@userIdentity.arn}} using the Cloud SIEM investigator.
  2. If the activity is determined to be malicious:
    • Rotate the affected credentials.
    • Remove any new IAM users, access keys, or login profiles the identity created.
    • Begin your organization's incident response process and investigate.
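The following Python example is added here to illustrate both the detection logic described under Strategy and the first part of the triage above; it is not the rule's own query nor code from Datadog or Permiso. It assumes that CloudTrail records the client in the userAgent field with a string containing "S3 Browser" (the real rule may key on a different normalized attribute), uses raw CloudTrail field names rather than Datadog's @-prefixed ones, and runs over constructed sample records, not real logs. Beyond matching the four monitored API calls, it builds an inventory of what the matched calls actually created (users, access keys, login profiles, inline policies), which is the list a responder needs when removing the attacker's footholds.

```python
"""Detect IAM calls made through the S3 Browser client in CloudTrail records
and build a triage inventory of the artifacts those calls created."""
import json

MONITORED_CALLS = {"CreateUser", "CreateLoginProfile", "CreateAccessKey", "PutUserPolicy"}
# Assumption: S3 Browser identifies itself in CloudTrail's userAgent field with
# a string containing "S3 Browser". Compared case-insensitively.
USER_AGENT_MARKER = "s3 browser"

# Constructed sample records (not real logs). Six events: four IAM calls from
# S3 Browser (one of them denied), one IAM call from the AWS CLI, one S3 call.
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userAgent": "S3 Browser 10.9.9 https://s3browser.com/",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/compromised-dev"},
     "requestParameters": {"userName": "backup-svc"},
     "responseElements": {"user": {"userName": "backup-svc",
                                   "arn": "arn:aws:iam::123456789012:user/backup-svc"}}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userAgent": "S3 Browser 10.9.9 https://s3browser.com/",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/compromised-dev"},
     "requestParameters": {"userName": "backup-svc"},
     "responseElements": {"accessKey": {"userName": "backup-svc",
                                        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                                        "status": "Active"}}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateLoginProfile",
     "userAgent": "S3 Browser 10.9.9 https://s3browser.com/",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/compromised-dev"},
     "requestParameters": {"userName": "backup-svc"},
     "errorCode": "AccessDenied", "responseElements": None},
    {"eventSource": "iam.amazonaws.com", "eventName": "PutUserPolicy",
     "userAgent": "S3 Browser 10.9.9 https://s3browser.com/",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/compromised-dev"},
     "requestParameters": {"userName": "backup-svc", "policyName": "AllAccess",
                           "policyDocument": "{\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"*\",\"Resource\":\"*\"}]}"},
     "responseElements": None},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.5.0 exe/x86_64",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/platform-admin"},
     "requestParameters": {"userName": "ci-runner"},
     "responseElements": {"user": {"userName": "ci-runner"}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userAgent": "S3 Browser 10.9.9 https://s3browser.com/",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/compromised-dev"},
     "requestParameters": {"bucketName": "reports", "key": "q3.xlsx"}},
]
# CloudTrail log files wrap records in {"Records": [...]}; build one for parsing.
SAMPLE_LOG = json.dumps({"Records": SAMPLE_EVENTS})


def load_records(raw_json):
    """Parse a CloudTrail log file body into its list of event records."""
    return json.loads(raw_json).get("Records", [])


def matches_rule(event):
    """True when the event is one of the monitored IAM calls issued via S3 Browser."""
    if event.get("eventSource") != "iam.amazonaws.com":
        return False
    if event.get("eventName") not in MONITORED_CALLS:
        return False
    return USER_AGENT_MARKER in (event.get("userAgent") or "").lower()


def triage_inventory(events):
    """Collect the actors behind matching events and the artifacts they created.

    Denied calls (errorCode present) are counted but created nothing, so they
    contribute no artifacts; they still matter as evidence of attempted abuse.
    """
    inv = {"actors": set(), "users": set(), "access_keys": set(),
           "login_profiles": set(), "inline_policies": set(), "failed": 0}
    for e in events:
        if not matches_rule(e):
            continue
        inv["actors"].add((e.get("userIdentity") or {}).get("arn", "<unknown>"))
        if e.get("errorCode"):
            inv["failed"] += 1
            continue
        req = e.get("requestParameters") or {}
        resp = e.get("responseElements") or {}
        name = e["eventName"]
        if name == "CreateUser":
            inv["users"].add(resp.get("user", {}).get("userName") or req.get("userName"))
        elif name == "CreateAccessKey":
            key = resp.get("accessKey", {})
            # CreateAccessKey may omit userName in the request (defaults to the
            # caller), so take the owner from the response.
            inv["access_keys"].add((key.get("userName"), key.get("accessKeyId")))
        elif name == "CreateLoginProfile":
            inv["login_profiles"].add(req.get("userName"))
        elif name == "PutUserPolicy":
            inv["inline_policies"].add((req.get("userName"), req.get("policyName")))
    return inv


if __name__ == "__main__":
    for category, items in triage_inventory(load_records(SAMPLE_LOG)).items():
        print(f"{category}: {sorted(items) if isinstance(items, set) else items}")
```

Running the script lists the compromised actor ARN, the user "backup-svc", its access key, the inline policy granting "*", and one denied CreateLoginProfile attempt; the CLI-originated CreateUser and the S3 GetObject are ignored. Each entry in the inventory maps to a remediation step above: rotate the actor's credentials, delete the created user and key, and remove the inline policy.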