AWS IAM activity by S3 browser utility

Goal

Detect IAM activity associated with the S3 browser utility.

Strategy

This rule monitors AWS CloudTrail and detects IAM activity associated with the S3 browser utility. S3 browser is a freeware Windows client for Amazon S3 and Amazon CloudFront; CloudTrail records the client's user agent with every API call, which is what ties an IAM call back to the tool. Although it is a legitimate storage client, it has been used by the threat group GUI-vil to persist or escalate privileges in a victim's AWS account, for example by creating additional IAM users and access keys. Details about this threat group can be seen in the Permiso blog post.

This rule monitors the following IAM API calls, each of which creates a new principal or gives an existing one a new way to authenticate or new permissions:

  • CreateUser
  • CreateLoginProfile
  • CreateAccessKey
  • PutUserPolicy
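As an added example (not part of this rule or of Datadog's own detection code), the check above run over constructed CloudTrail records in Python. The records and the user-agent substring used to recognise the client are assumptions; CloudTrail does record the client's `userAgent` with every call, and that field is what the check keys on. The summary groups what each flagged actor created, which is the inventory the triage steps below need.

```python
"""Detect IAM calls made through the S3 browser client in CloudTrail records.

Added example, not part of the rule or of Datadog's code. The CloudTrail
records below are constructed, and the user-agent substring used to
recognise the client is an assumption.
"""
import json
from collections import defaultdict

# IAM calls the rule watches: each creates a principal or gives one a
# new way to authenticate or new permissions.
WATCHED_EVENTS = {"CreateUser", "CreateLoginProfile", "CreateAccessKey", "PutUserPolicy"}

# Assumption: the client announces itself with a user agent containing this text.
S3_BROWSER_UA_MARKER = "s3 browser"

# Constructed CloudTrail log, in the shape of a delivered log file: {"Records": [...]}.
SAMPLE_LOG = r'''
{"Records": [
 {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
  "userAgent": "S3 Browser/11.0.5",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/backup-svc"},
  "requestParameters": {"userName": "maint-user"},
  "responseElements": {"user": {"userName": "maint-user"}}},
 {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
  "userAgent": "S3 Browser/11.0.5",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/backup-svc"},
  "requestParameters": {"userName": "maint-user"},
  "responseElements": {"accessKey": {"userName": "maint-user",
                                     "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "status": "Active"}}},
 {"eventSource": "iam.amazonaws.com", "eventName": "CreateLoginProfile",
  "userAgent": "S3 Browser/11.0.5",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/backup-svc"},
  "requestParameters": {"userName": "maint-user", "passwordResetRequired": false}},
 {"eventSource": "iam.amazonaws.com", "eventName": "PutUserPolicy",
  "userAgent": "S3 Browser/11.0.5",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
  "requestParameters": {"userName": "ci-deploy", "policyName": "AllowAll"}},
 {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
  "userAgent": "aws-cli/2.13.0 Python/3.11.4 Linux/6.1.0",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/admin"},
  "requestParameters": {"userName": "admin"}},
 {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "userAgent": "S3 Browser/11.0.5",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/backup-svc"},
  "requestParameters": {"bucketName": "backups", "key": "db.dump"}}
]}
'''
SAMPLE_EVENTS = json.loads(SAMPLE_LOG)["Records"]


def is_s3_browser_iam_call(event: dict) -> bool:
    """True for a watched IAM call whose client identified itself as S3 browser.

    Plain S3 reads by the same client, and watched IAM calls from other
    clients, both fall outside the rule and return False."""
    if event.get("eventSource") != "iam.amazonaws.com":
        return False
    if event.get("eventName") not in WATCHED_EVENTS:
        return False
    return S3_BROWSER_UA_MARKER in (event.get("userAgent") or "").lower()


def summarize_matches(events):
    """Group matching calls by actor ARN and record what each call created,
    so the responder knows whose credentials to rotate and which users,
    access keys, login profiles and inline policies to remove."""
    by_actor = defaultdict(lambda: {
        "users": set(), "access_keys": set(), "login_profiles": set(), "inline_policies": set(),
    })
    for ev in events:
        if not is_s3_browser_iam_call(ev):
            continue
        actor = (ev.get("userIdentity") or {}).get("arn", "<unknown>")
        params = ev.get("requestParameters") or {}
        resp = ev.get("responseElements") or {}
        name = ev["eventName"]
        if name == "CreateUser":
            by_actor[actor]["users"].add(params.get("userName"))
        elif name == "CreateLoginProfile":
            by_actor[actor]["login_profiles"].add(params.get("userName"))
        elif name == "CreateAccessKey":
            key = resp.get("accessKey") or {}
            # userName is optional in the request; when absent the key belongs to the caller.
            owner = params.get("userName") or key.get("userName") or actor
            by_actor[actor]["access_keys"].add((owner, key.get("accessKeyId")))
        elif name == "PutUserPolicy":
            by_actor[actor]["inline_policies"].add((params.get("userName"), params.get("policyName")))
    return dict(by_actor)


if __name__ == "__main__":
    for actor, created in summarize_matches(SAMPLE_EVENTS).items():
        print(actor)
        for kind, items in created.items():
            if items:
                print(f"  {kind}: {sorted(items, key=str)}")
```

Matching on the user agent is deliberately loose (case-insensitive substring) because the string is client-controlled and varies by version; it is a low-cost signal, not proof, so the actor ARN and the created resources are what the triage should act on.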

Triage and response

  1. Determine whether {{@userIdentity.arn}} is expected to use the S3 browser utility, and whether it should be making IAM changes at all; a storage client has no routine need to create users, access keys, or login profiles.
    • Investigate any other actions carried out by the potentially compromised identity {{@userIdentity.arn}} using the Cloud SIEM investigator.
  2. If the activity is determined to be malicious:
    • Rotate the credentials of {{@userIdentity.arn}}, the identity that made the calls.
    • Remove any IAM users, access keys, login profiles, or inline policies created by those calls; the request parameters of each event name the target user.
    • Begin your organization’s incident response process and investigate.