Detectionhightest
AWS IAM S3Browser LoginProfile Creation
Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
AWScloudtrail
ProductAWS← raw: aws
Servicecloudtrail← raw: cloudtrail
Detection Logic
Detection Logic1 selector
detection:
selection:
eventSource: 'iam.amazonaws.com'
eventName:
- 'GetLoginProfile'
- 'CreateLoginProfile'
userAgent|contains: 'S3 Browser'
condition: selectionFalse Positives
Valid usage of S3 Browser for IAM LoginProfile listing and/or creation
References
MITRE ATT&CK
Rule Metadata
Rule ID
db014773-b1d3-46bd-ba26-133337c0ffee
Status
test
Level
high
Type
Detection
Created
Wed May 17
Author
Path
rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml
Raw Tags
attack.executionattack.persistenceattack.defense-evasionattack.initial-accessattack.privilege-escalationattack.t1059.009attack.t1078.004