AWS S3 Data Exfiltration via Uncommon Client Applications
This rule detects AWS API activity originating from uncommon desktop client applications based on the user agent string, specifically S3 Browser and Cyberduck, which provide bulk upload/download capabilities and have been observed in use by threat actors for data exfiltration, warranting validation against authorized data transfer workflows.
This detection identifies the use of uncommon S3 client applications, specifically S3 Browser and Cyberduck, to interact with AWS S3. While legitimate tools, these applications are rarely used in enterprise environments for authorized data transfer and have been observed being used by threat actors for data exfiltration. The detection focuses on the first-time usage of these clients by a user within an AWS account. This activity can indicate unauthorized access to sensitive data and potential exfiltration, especially when coupled with unusual source IP addresses or access to sensitive buckets. The rule logic looks for AWS CloudTrail logs with user agent strings matching S3 Browser or Cyberduck where the event outcome was successful.
Attack Chain
- An attacker gains unauthorized access to AWS credentials, potentially through credential theft or compromised EC2 instances.
- The attacker configures S3 Browser or Cyberduck on their local system or a compromised host.
- The attacker uses the stolen AWS credentials to configure the S3 client application (S3 Browser or Cyberduck).
- The attacker uses the S3 client to enumerate S3 buckets and identify sensitive data using
ListBucketoperations. - The attacker downloads sensitive data from targeted S3 buckets using
GetObjectoperations. - The attacker stages the data locally or on a compromised system.
- The attacker uploads the stolen data to an external location or cloud storage using
PutObjectoperations, potentially in another AWS account. - The attacker attempts to cover their tracks by deleting CloudTrail logs or other evidence, if possible.
Impact
A successful attack can result in the exfiltration of sensitive data from AWS S3 buckets. The impact includes potential data breaches, financial loss, reputational damage, and regulatory fines. The number of affected users and the value of the compromised data will depend on the scope of the attacker's access and the sensitivity of the data stored in the targeted S3 buckets.
Recommendation
- Deploy the Sigma rule
AWS API Activity from Uncommon S3 Clientto your SIEM and tune it for your environment, paying attention to false positives from authorized data migrations (see rule below). - Review historical CloudTrail logs for past usage of S3 Browser or Cyberduck to identify any prior unauthorized access.
- Investigate any identified instances of S3 Browser or Cyberduck usage, focusing on the IAM principal, source network, and accessed buckets.
- Implement preventive controls such as S3 bucket policies restricting access by user agent or requiring VPC endpoints.
- Monitor for
CreateAccessKeyevents to identify potentially compromised AWS credentials. - Enable MFA for all AWS users, especially those with access to sensitive S3 buckets.
Detection coverage 3
AWS API Activity from Uncommon S3 Client
mediumDetects AWS API activity originating from uncommon S3 client applications (S3 Browser, Cyberduck) based on the user agent string.
AWS S3 ListBucket from Uncommon Client
lowDetects AWS S3 ListBucket requests originating from uncommon clients S3 Browser or Cyberduck
AWS S3 PutObject from Uncommon Client
mediumDetects AWS S3 PutObject requests originating from uncommon clients S3 Browser or Cyberduck
Detection queries are available on the platform. Get full rules →