Detection | high | test

AWS IAM S3Browser User or AccessKey Creation

Detects S3 Browser utility creating IAM User or AccessKey.

Author: daniel.bohannon | Created: Wed May 17 | ID: db014773-d9d9-4792-91e5-133337c0ffee | Category: cloud
Log Source
Product: AWS (raw: aws)
Service: cloudtrail (raw: cloudtrail)
Detection Logic (1 selector)
detection:
    selection:
        eventSource: 'iam.amazonaws.com'
        eventName:
            - 'CreateUser'
            - 'CreateAccessKey'
        userAgent|contains: 'S3 Browser'
    condition: selection
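
The selection above, evaluated over CloudTrail records. This is an added example, not part of the rule or the Sigma project; the function names and the sample records (user agents, user names, IP addresses) are constructed for illustration, and only the modifier this rule uses is implemented.

```python
import json

# Selection transcribed from the rule's detection block.
SELECTION = {
    "eventSource": "iam.amazonaws.com",
    "eventName": ["CreateUser", "CreateAccessKey"],
    "userAgent|contains": "S3 Browser",
}

def field_matches(event, key, expected):
    """One selection entry: list values are ORed, strings compare case-insensitively."""
    name, _, modifier = key.partition("|")
    actual = event.get(name)
    if not isinstance(actual, str):
        return False  # absent or non-string field never matches
    actual = actual.lower()
    values = expected if isinstance(expected, list) else [expected]
    if modifier == "contains":
        return any(v.lower() in actual for v in values)
    return any(v.lower() == actual for v in values)

def matches(event, selection=SELECTION):
    """Entries inside one selection are ANDed (condition: selection)."""
    return all(field_matches(event, k, v) for k, v in selection.items())

def scan(cloudtrail_json):
    """Return (eventName, userName, sourceIPAddress) per matching record, for triage."""
    hits = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if matches(rec):
            who = rec.get("userIdentity", {}).get("userName")
            hits.append((rec["eventName"], who, rec.get("sourceIPAddress")))
    return hits

# Constructed sample in CloudTrail log-file layout; every value is made up.
SAMPLE = json.dumps({"Records": [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userAgent": "[S3 Browser constructed-sample]",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"userName": "alice"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userAgent": "s3 browser constructed-sample",   # case differs, still matches
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"userName": "alice"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userAgent": "aws-cli/constructed-sample",       # other client: no match
     "sourceIPAddress": "203.0.113.9", "userIdentity": {"userName": "bob"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userAgent": "[S3 Browser constructed-sample]",  # S3 data use, not IAM: no match
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"userName": "alice"}},
]})
```

Because valid S3 Browser use produces the same match, the returned identity and source address are the fields to compare against known administrators before escalating.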
False Positives

Valid usage of S3 Browser for IAM User and/or AccessKey creation

Rule Metadata
Rule ID: db014773-d9d9-4792-91e5-133337c0ffee
Status: test
Level: high
Type: Detection
Created: Wed May 17
Path: rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml
Raw Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.defense-evasion, attack.initial-access, attack.t1059.009, attack.t1078.004