Techniques
Sample rules
AWS S3 Static Site JavaScript File Uploaded
- source: elastic
- techniques:
- T1565
Description
This rule detects when a JavaScript file is uploaded to, or read from, an S3 static site directory (static/js/) by an IAM user or an assumed role. This can indicate suspicious modification of web content hosted on S3, such as injecting malicious scripts into a static website frontend. Because the query only excludes Terraform, Ansible and Pulumi user agents, deployments made with other tooling (the AWS CLI or an SDK in a CI job, for example) will also match and need to be tuned out per environment.
Detection logic
from logs-aws.cloudtrail* metadata _id, _version, _index
| where
    // filter on CloudTrail logs for S3 GetObject and PutObject actions
    event.dataset == "aws.cloudtrail"
    and event.provider == "s3.amazonaws.com"
    and event.action in ("GetObject", "PutObject")
    // filter for IAM users and assumed roles only (federated sessions appear as AssumedRole);
    // other identity types such as AWSService are dropped
    and aws.cloudtrail.user_identity.type in ("IAMUser", "AssumedRole")
    // broad pre-filter for S3 static site bucket paths from webpack or similar;
    // "*.js*" also admits .js.map and .jsx, which the ENDS_WITH check below removes
    and aws.cloudtrail.request_parameters LIKE "*static/js/*.js*"
    // exclude common IaC tools and automation scripts (case-sensitive substring match)
    and not (
        user_agent.original LIKE "*Terraform*"
        or user_agent.original LIKE "*Ansible*"
        // spelled "Pulumni" in some copies of this rule, which matches nothing
        or user_agent.original LIKE "*Pulumi*"
    )
// extract bucket and object details from request parameters, which the dissect
// pattern expects in the form "{bucketName=<bucket>, Host=<host>, key=<object key>}"
| dissect aws.cloudtrail.request_parameters "%{{?bucket.name.key}=%{bucket.name}, %{?host.key}=%{bucket.host}, %{?bucket.object.location.key}=%{bucket.object.location}}"
// split the object key at the first "static/js/", skipping any prefix before it
| dissect bucket.object.location "%{}static/js/%{bucket.object}"
// keep only JavaScript files
| where ENDS_WITH(bucket.object, ".js")
| keep
    aws.cloudtrail.user_identity.arn,
    aws.cloudtrail.user_identity.access_key_id,
    aws.cloudtrail.user_identity.type,
    aws.cloudtrail.request_parameters,
    bucket.name,
    bucket.object,
    user_agent.original,
    source.ip,
    event.action,
    @timestamp
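To check how the filters above behave before tuning them, the following added example (not Elastic's code, and not part of the rule) re-implements the query's logic in Python and runs it over constructed CloudTrail-style events. Field names follow the ones the rule references; the request_parameters string is kept in the "{bucketName=..., Host=..., key=...}" shape the rule's dissect expects; the sample events, user agent strings, ARNs and IPs are all made up for the demonstration. The classify function reports which filter drops an event, which is what you want when working out why a deploy did or did not fire.

```python
"""Offline re-implementation of the rule's filters over constructed CloudTrail events.
Added example, not the Elastic rule's own code; all sample data below is constructed."""
import re

# Exclusions the rule applies to user_agent.original (case-sensitive substring match,
# like ES|QL LIKE). Spelled correctly here; a "Pulumni" typo would never match Pulumi.
IAC_USER_AGENTS = ("Terraform", "Ansible", "Pulumi")

# Shape of aws.cloudtrail.request_parameters that the rule's first dissect expects:
# "{bucketName=<bucket>, Host=<host>, key=<object key>}"
REQUEST_PARAMS_RE = re.compile(
    r"^\{(?P<bucket_key>[^=]+)=(?P<bucket>[^,]+), "
    r"(?P<host_key>[^=]+)=(?P<host>[^,]+), "
    r"(?P<key_key>[^=]+)=(?P<key>.+)\}$"
)


def es_like(value: str, pattern: str) -> bool:
    """Emulate ES|QL LIKE: '*' matches any run, '?' one character, everything else literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def dissect_request_parameters(raw: str):
    """Mirror the rule's first dissect; return (bucket, host, key) or None on a different shape."""
    m = REQUEST_PARAMS_RE.match(raw)
    return (m["bucket"], m["host"], m["key"]) if m else None


def classify(ev: dict) -> str:
    """Return "match" or the name of the first rule filter that drops the event."""
    if ev.get("event.dataset") != "aws.cloudtrail" or ev.get("event.provider") != "s3.amazonaws.com":
        return "not-cloudtrail-s3"
    if ev.get("event.action") not in ("GetObject", "PutObject"):
        return "not-object-get-or-put"
    if ev.get("aws.cloudtrail.user_identity.type") not in ("IAMUser", "AssumedRole"):
        return "identity-type"
    raw = ev.get("aws.cloudtrail.request_parameters", "")
    # Broad pre-filter: "*.js*" also lets .js.map and .jsx through at this stage
    if not es_like(raw, "*static/js/*.js*"):
        return "no-static-js-path"
    if any(tool in ev.get("user_agent.original", "") for tool in IAC_USER_AGENTS):
        return "iac-user-agent"
    parsed = dissect_request_parameters(raw)
    if parsed is None:
        return "unparseable-request-parameters"
    _, _, key = parsed
    # dissect "%{}static/js/%{bucket.object}": skip any prefix, split at the first "static/js/"
    if "static/js/" not in key:
        return "no-static-js-path"
    obj = key.split("static/js/", 1)[1]
    return "match" if obj.endswith(".js") else "not-js-file"


def run_rule(events):
    """Rows the rule would keep (a subset of the ES|QL `keep` columns) for matching events."""
    rows = []
    for ev in events:
        if classify(ev) != "match":
            continue
        bucket, _, key = dissect_request_parameters(ev["aws.cloudtrail.request_parameters"])
        rows.append({
            "user_identity.arn": ev["aws.cloudtrail.user_identity.arn"],
            "event.action": ev["event.action"],
            "bucket.name": bucket,
            "bucket.object": key.split("static/js/", 1)[1],
            "source.ip": ev["source.ip"],
        })
    return rows


def _event(action, identity_type, key, ua, arn="arn:aws:iam::123456789012:user/alice"):
    """Build a constructed sample event using the field names the rule references."""
    return {
        "event.dataset": "aws.cloudtrail",
        "event.provider": "s3.amazonaws.com",
        "event.action": action,
        "aws.cloudtrail.user_identity.type": identity_type,
        "aws.cloudtrail.user_identity.arn": arn,
        "aws.cloudtrail.request_parameters":
            f"{{bucketName=example-static-site, Host=example-static-site.s3.amazonaws.com, key={key}}}",
        "user_agent.original": ua,
        "source.ip": "198.51.100.23",
    }


# Constructed sample events (not real CloudTrail data); user agents are illustrative only.
CLI_UA = "aws-cli/2.15.0 Python/3.11.6 Linux/6.1 exe/x86_64"
TF_UA = "APN/1.0 HashiCorp/1.0 Terraform/1.6.0 (+https://www.terraform.io)"
SAMPLE_EVENTS = [
    _event("PutObject", "IAMUser", "static/js/main.3f2a9c.js", CLI_UA),           # alert
    _event("PutObject", "IAMUser", "static/js/main.3f2a9c.js", TF_UA),            # IaC deploy, excluded
    _event("PutObject", "IAMUser", "static/js/main.3f2a9c.js.map", CLI_UA),       # passes LIKE, fails ENDS_WITH
    _event("GetObject", "AWSService", "static/js/main.3f2a9c.js", "cloudfront.amazonaws.com"),  # service identity
    _event("GetObject", "AssumedRole", "v2/static/js/vendor.1a2b3c.js", CLI_UA,
           arn="arn:aws:sts::123456789012:assumed-role/deploy/ci"),               # alert: GetObject counts too
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{classify(ev):30} {ev['event.action']:9} {ev['aws.cloudtrail.request_parameters']}")
```

Two behaviours worth noticing in the output: the Terraform deploy is dropped only because of its user agent, so any other deployment tool will alert until you extend the exclusion list, and the .js.map upload survives the broad LIKE pre-filter and is only removed by the trailing ENDS_WITH check, so removing that last stage would widen the rule to source maps and .jsx files.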