https://feed.craftedsignal.io/tags/s3browser/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 26 Jan 2024 12:00:00 +0000https://feed.craftedsignal.io/briefs/2024-01-26-s3browser-iam-policy/Fri, 26 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-26-s3browser-iam-policy/An AWS IAM policy is created by the S3Browser utility with the default S3 bucket name placeholder, potentially indicating unauthorized access or misconfiguration.The S3Browser utility is being used to create Inline IAM policies within AWS. This activity is flagged as suspicious when the policy includes the default S3 bucket name placeholder value of <YOUR-BUCKET-NAME>. This could indicate that the user has not properly configured the policy or is unaware of the implications of using a generic placeholder, potentially granting unintended access to S3 resources. This behavior was observed being used by the threat actor Guivil. The use of S3Browser in this manner poses a risk of privilege escalation, persistence, and unauthorized access to sensitive data stored in S3 buckets.

Attack Chain

1. An attacker gains initial access to an AWS account, possibly through compromised credentials or misconfigured IAM roles (T1078.004).
2. The attacker utilizes the S3Browser utility to interact with AWS S3 buckets.
3. The attacker attempts to create an Inline IAM policy using S3Browser.
4. The attacker fails to replace the default bucket name placeholder <YOUR-BUCKET-NAME> with a specific bucket ARN.
5. The attacker saves the IAM policy with the default bucket name placeholder, leading to a broad or unintended scope of permissions.
6. The poorly configured policy is applied to a user, role, or group.
7. The attacker potentially escalates privileges or gains unauthorized access to S3 resources.
8. The attacker persists in the environment with the newly created or modified IAM policy.

Impact

Creation of an IAM policy with the default bucket name placeholder leaves S3 buckets open to potential unauthorized access. A successful attack could lead to data exfiltration, data modification, or denial of service. The scope of the impact depends on the specific permissions granted within the policy and the resources accessible through the affected IAM user, role, or group.

Recommendation

• Deploy the Sigma rule “AWS IAM S3Browser Templated S3 Bucket Policy Creation” to your SIEM and tune for your environment to detect this specific activity.
• Investigate any instances where PutUserPolicy events are associated with the S3Browser user agent (logsource: aws/cloudtrail).
• Review existing IAM policies for the presence of the default bucket name placeholder arn:aws:s3:::<YOUR-BUCKET-NAME>/* (logsource: aws/cloudtrail).

]]>highadvisoryawsiams3browsers3policycloudtrailhttps://feed.craftedsignal.io/briefs/2024-01-02-s3browser-iam-loginprofile/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-02-s3browser-iam-loginprofile/The S3 Browser utility is being used to enumerate IAM users lacking login profiles and subsequently create them, potentially for reconnaissance, persistence, and privilege escalation within AWS environments.The threat involves the use of the S3 Browser utility, a Windows application, to interact with Amazon Web Services (AWS) Identity and Access Management (IAM). Attackers are leveraging S3 Browser to perform reconnaissance, specifically targeting IAM users that do not have a login profile configured. Upon identifying such users, the attacker proceeds to create a login profile for them. This tactic may be indicative of an attempt to gain unauthorized access or maintain persistence within the AWS environment. The activity is detectable via AWS CloudTrail logs and was first publicly reported in May 2023 in connection with the threat actor GUIVIL.

Attack Chain

1. Attacker gains initial access to a system with AWS CLI tools installed or uses a compromised IAM user with sufficient permissions.
2. The attacker configures S3 Browser with valid AWS credentials, enabling interaction with the AWS environment.
3. S3 Browser initiates a GetLoginProfile API call in AWS CloudTrail, to enumerate IAM users and identify those without existing login profiles.
4. S3 Browser, upon finding an IAM user without a login profile, initiates a CreateLoginProfile API call.
5. The attacker sets a password for the newly created login profile, gaining console access to the targeted IAM user account.
6. The attacker logs into the AWS console using the newly created credentials.
7. The attacker leverages the IAM user’s permissions to perform further reconnaissance, lateral movement, or data exfiltration within the AWS environment.
8. The attacker establishes persistence by maintaining access through the created login profile, even if other access methods are revoked.

Impact

Successful exploitation allows attackers to gain unauthorized console access to previously unprotected IAM user accounts. This can lead to privilege escalation, data breaches, and disruption of cloud services. The lack of multi-factor authentication on newly created login profiles increases the risk of account compromise. The impact can range from reconnaissance to full-scale control of the AWS environment, depending on the permissions associated with the compromised IAM users.

Recommendation

• Deploy the provided Sigma rule to your SIEM to detect GetLoginProfile and CreateLoginProfile events originating from the S3 Browser user agent in AWS CloudTrail logs.
• Investigate any instances of IAM LoginProfile creation originating from unusual user agents or IP addresses.
• Implement multi-factor authentication (MFA) for all IAM users, including those with console access to mitigate the impact of compromised credentials.
• Review IAM policies to ensure least privilege and restrict the ability to create or modify LoginProfiles to authorized personnel only.

]]>highadvisoryawscloudiams3browserprivilege-escalationpersistence