Merge pull request SigmaHQ#4294 from @danielbohannon - Permiso p0-LUC…

…R-1 (aka GUI-vil) new: AWS IAM S3Browser Templated S3 Bucket Policy Creation --------- Co-authored-by: Nasreddine Bencherchali <[email protected]> Co-authored-by: phantinuss <[email protected]>
phantinuss · Aug 24, 2023 · 3ce631a · 3ce631a
1 parent 291ca18
commit 3ce631a
Showing 1 changed file with 30 additions and 0 deletions.
diff --git a/rules/cloud/aws/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml b/rules/cloud/aws/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml
@@ -0,0 +1,30 @@
+title: AWS IAM S3Browser Templated S3 Bucket Policy Creation
+id: db014773-7375-4f4e-b83b-133337c0ffee
+status: experimental
+description: Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "<YOUR-BUCKET-NAME>".
+references:
+    - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
+author: [email protected] (@danielhbohannon)
+date: 2023/05/17
+modified: 2023/05/17
+tags:
+    - attack.execution
+    - attack.t1059.009
+    - attack.persistence
+    - attack.t1078.004
+logsource:
+    product: aws
+    service: cloudtrail
+detection:
+    selection:
+        eventSource: iam.amazonaws.com
+        eventName: PutUserPolicy
+        userAgent|contains: 'S3 Browser'
+        requestParameters|contains|all:
+            - '"arn:aws:s3:::<YOUR-BUCKET-NAME>/*"'
+            - '"s3:GetObject"'
+            - '"Allow"'
+    condition: selection
+falsepositives:
+    - Valid usage of S3 browser with accidental creation of default Inline IAM policy without changing default S3 bucket name placeholder value
+level: high