Skip to content
Threat Feed
low advisory

AWS S3 Data Exfiltration via Uncommon Clients

Detection of AWS API activity from rare S3 client applications (S3 Browser, Cyberduck), potentially indicating unauthorized data exfiltration by threat actors.

This threat brief focuses on the detection of unauthorized data exfiltration from AWS S3 buckets using uncommon client applications, specifically S3 Browser and Cyberduck. These tools, while legitimate, offer graphical interfaces and bulk transfer capabilities, making them attractive to malicious actors for data theft. The Elastic detection rule "AWS API Activity from Uncommon S3 Client by Rare User" published on 2026-03-18T22:07:15Z, aims to identify the initial use of these clients within an AWS account. The rule leverages CloudTrail logs to identify S3 API calls originating from user agents associated with S3 Browser and Cyberduck, providing a critical alert for security teams to investigate potential data breaches. This activity, although potentially legitimate in specific contexts (data migration, development), warrants close scrutiny to prevent data compromise.

Attack Chain

  1. Compromise IAM Credentials: An attacker gains access to valid AWS IAM credentials through phishing, credential stuffing, or exploiting vulnerabilities in EC2 instances or other AWS services.
  2. Initial Enumeration: The attacker uses the compromised credentials to enumerate S3 buckets within the AWS account using tools like the AWS CLI or console.
  3. S3 Client Installation: The attacker downloads and installs either S3 Browser or Cyberduck on a compromised host or attacker-controlled system.
  4. Client Configuration: The attacker configures the S3 client with the compromised IAM credentials, granting access to the AWS account and S3 resources.
  5. Data Selection: Using the client's graphical interface, the attacker identifies and selects sensitive data within the S3 buckets for exfiltration.
  6. Bulk Download: The attacker initiates a bulk download of the selected data to a local directory or external storage. The GetObject action will be logged in CloudTrail.
  7. Data Staging (Optional): The attacker may upload exfiltrated data to a cloud storage service under their control, or an S3 bucket in a separate, attacker-controlled account. The PutObject action to an external bucket will be logged in CloudTrail.
  8. Exfiltration Complete: The sensitive data is successfully exfiltrated from the AWS environment.

Impact

Successful exploitation can lead to significant data breaches, exposing sensitive information such as customer data, financial records, intellectual property, or trade secrets. The number of affected customers or the financial impact can vary significantly depending on the amount and nature of the exfiltrated data. The sectors most at risk include finance, healthcare, technology, and any organization storing sensitive data in AWS S3. The reputational damage and potential legal consequences following such breaches can be substantial.

Recommendation

  • Deploy the provided Sigma rule to your SIEM to detect AWS API activity originating from S3 Browser or Cyberduck based on the user_agent.original field in CloudTrail logs.
  • Investigate any alerts generated by the Sigma rule, focusing on identifying the IAM principal (aws.cloudtrail.user_identity.arn), accessed S3 resources (aws.cloudtrail.resources.arn), and source IP (source.ip) to determine if the activity is authorized.
  • Implement preventive controls such as S3 bucket policies restricting access by user agent or requiring VPC endpoints, as mentioned in the overview.
  • Monitor CloudTrail logs for unusual API calls like GetSecretValue, CreateAccessKey, or CreateBucket in external accounts, which could indicate preceding credential theft or lateral movement.

Detection coverage 2

Detect AWS S3 Activity from S3 Browser User Agent

low

Detects AWS API calls from S3 Browser based on the user agent string in CloudTrail logs.

sigma tactics: exfiltration techniques: T1567.002 sources: cloudtrail, aws

Detect AWS S3 Activity from Cyberduck User Agent

low

Detects AWS API calls from Cyberduck based on the user agent string in CloudTrail logs.

sigma tactics: exfiltration techniques: T1567.002 sources: cloudtrail, aws

Detection queries are available on the platform. Get full rules →