Techniques
Sample rules
AWS S3 Static Site JavaScript File Uploaded
- source: elastic
- techniques:
- T1565
Description
This rule detects when a JavaScript file is uploaded or accessed in an S3 static site directory (static/js/) by an IAM user or assumed role. This can indicate suspicious modification of web content hosted on S3, such as injecting malicious scripts into a static website frontend.
Detection logic
from logs-aws.cloudtrail* metadata _id, _version, _index
| where
    // S3 object read/write activity
    event.dataset == "aws.cloudtrail"
    and event.provider == "s3.amazonaws.com"
    and event.action in ("GetObject", "PutObject")
    // IAM users or assumed roles only
    and aws.cloudtrail.user_identity.type in ("IAMUser", "AssumedRole")
    // Requests for static site bundles
    and aws.cloudtrail.request_parameters like "*static/js/*.js*"
    // Exclude IaC and automation tools (matched on the user agent string)
    and not (
        user_agent.original like "*Terraform*"
        or user_agent.original like "*Ansible*"
        or user_agent.original like "*Pulumi*"
    )
// Extract bucket name, host and full object location from the flattened
// request parameters, which have the form "{bucketName=..., Host=..., key=...}"
| dissect aws.cloudtrail.request_parameters
    "{%{?bucket.name.key}=%{Esql.aws_cloudtrail_request_parameters_bucket_name}, %{?host.key}=%{Esql_priv.aws_cloudtrail_request_parameters_host}, %{?bucket.object.location.key}=%{Esql.aws_cloudtrail_request_parameters_object_location}}"
// Extract the file name portion (everything after static/js/) from the full object path
| dissect Esql.aws_cloudtrail_request_parameters_object_location "%{}static/js/%{Esql.aws_cloudtrail_request_parameters_object_key}"
// Match on JavaScript files only (drops e.g. .js.map source maps that the wildcard above still matches)
| where ends_with(Esql.aws_cloudtrail_request_parameters_object_key, ".js")
// Retain relevant ECS and dissected fields
| keep
    aws.cloudtrail.user_identity.arn,
    aws.cloudtrail.user_identity.access_key_id,
    aws.cloudtrail.user_identity.type,
    aws.cloudtrail.request_parameters,
    Esql.aws_cloudtrail_request_parameters_bucket_name,
    Esql.aws_cloudtrail_request_parameters_object_key,
    user_agent.original,
    source.ip,
    event.action,
    @timestamp
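To check how the rule's filters and the two dissect steps behave on edge cases (an automation user agent, a .js.map source map, a service principal), here is the same logic re-implemented in Python over constructed ECS-flattened CloudTrail events. This is an added example, not the Elastic rule or any Elastic code; the sample bucket name, ARN and user agent strings are assumptions.

```python
import re

# Mirrors the rule's first dissect pattern: "{<k>=<bucket>, <k>=<host>, <k>=<object location>}"
_REQUEST_PARAMS = re.compile(r"^\{[^=]+=(?P<bucket>[^,]*), [^=]+=(?P<host>[^,]*), [^=]+=(?P<location>.*)\}$")
_AUTOMATION_AGENTS = ("Terraform", "Ansible", "Pulumi")  # the rule's IaC/automation exclusions


def parse_request_parameters(raw):
    """Return (bucket, host, object_location), or None if the string does not dissect."""
    m = _REQUEST_PARAMS.match(raw)
    return (m["bucket"], m["host"], m["location"]) if m else None


def evaluate(event):
    """Apply the rule's filters to one ECS-flattened event; return an alert dict or None."""
    if (event.get("event.dataset") != "aws.cloudtrail"
            or event.get("event.provider") != "s3.amazonaws.com"
            or event.get("event.action") not in ("GetObject", "PutObject")
            or event.get("aws.cloudtrail.user_identity.type") not in ("IAMUser", "AssumedRole")
            or any(t in event.get("user_agent.original", "") for t in _AUTOMATION_AGENTS)):
        return None
    parsed = parse_request_parameters(event.get("aws.cloudtrail.request_parameters", ""))
    if parsed is None:
        return None
    bucket, _host, location = parsed
    # Second dissect ("%{}static/js/%{key}"): keep what follows the first "static/js/".
    _prefix, found, key = location.partition("static/js/")
    # Final where: ends_with(".js"), so "app.js.map" (matched by the wildcard) drops out.
    if not found or not key.endswith(".js"):
        return None
    return {"bucket": bucket, "key": key, "action": event["event.action"],
            "arn": event.get("aws.cloudtrail.user_identity.arn")}


def _event(action, identity_type, agent, key):
    # Constructed ECS-flattened CloudTrail event for testing (sample data, not a real log).
    return {"event.dataset": "aws.cloudtrail", "event.provider": "s3.amazonaws.com",
            "event.action": action, "aws.cloudtrail.user_identity.type": identity_type,
            "aws.cloudtrail.user_identity.arn": "arn:aws:iam::123456789012:user/web-deployer",
            "user_agent.original": agent, "aws.cloudtrail.request_parameters":
                f"{{bucketName=site-bucket, Host=site-bucket.s3.amazonaws.com, key={key}}}"}


SAMPLE_EVENTS = [
    _event("PutObject", "IAMUser", "aws-cli/2.15.0", "static/js/app.js"),                # alerts
    _event("PutObject", "IAMUser", "HashiCorp/1.0 Terraform/1.6.0", "static/js/app.js"), # IaC, excluded
    _event("GetObject", "AssumedRole", "Mozilla/5.0", "static/js/app.js.map"),           # not a .js file
    _event("PutObject", "AWSService", "s3.amazonaws.com", "static/js/app.js"),           # service principal
]


def run_rule(events):
    return [a for a in map(evaluate, events) if a is not None]
```

Only the first sample event survives every filter; the others show which clause of the rule removes each kind of noise.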