LoFP / Some organizations may have legitimate use cases for S3 Browser or Cyberduck, particularly in development, data migration, or backup scenarios. Verify whether the IAM principal, source network, and accessed buckets align with approved workflows. Unexpected activity from these clients, especially access to sensitive buckets, should be investigated.

Techniques

Sample rules

AWS API Activity from Uncommon S3 Client by Rare User

Description

Identifies AWS API activity originating from uncommon desktop client applications, based on the user agent string. This rule detects S3 Browser and Cyberduck, graphical S3 management tools that provide bulk upload/download capabilities. While legitimate, these tools are rarely used in enterprise environments and have been observed in use by threat actors for data exfiltration. Any activity from these clients should be validated against authorized data transfer workflows. Because the user agent is supplied by the client, a match only shows that the caller identified itself as one of these tools; treat it as a triage signal rather than proof of which software made the request.

Detection logic

event.dataset: "aws.cloudtrail"
    and user_agent.original: (*S3 Browser* or *Cyberduck*)
    and event.outcome: "success"
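The following is an added example, not part of the rule or of the original page: it replays the three KQL conditions above over a handful of constructed CloudTrail-style events and then applies the LoFP triage from the top of the page (does the IAM principal, source network and bucket line up with an approved workflow, and is the bucket sensitive). The event layout follows ECS names the rule queries (`event.dataset`, `user_agent.original`, `event.outcome`); the bucket field `aws.s3.bucket.name`, the `APPROVED_WORKFLOWS` allowlist and the `SENSITIVE_BUCKETS` set are assumptions made for the example, and the sample events are invented, not real telemetry. The "rare user" qualifier in the rule title is not shown in the displayed logic and is not modelled here.

```python
"""Replay the S3 Browser / Cyberduck user-agent rule over constructed
CloudTrail events and triage the matches against approved workflows."""
import fnmatch
import ipaddress

# The rule's user-agent wildcards, exactly as the KQL writes them.
RULE_UA_PATTERNS = ("*S3 Browser*", "*Cyberduck*")

# Constructed sample events (not real telemetry). The aws.s3.bucket.name
# location is an assumption for this example; real CloudTrail carries the
# bucket inside requestParameters.
SAMPLE_EVENTS = [
    {   # approved migration job from the corporate network
        "event": {"dataset": "aws.cloudtrail", "outcome": "success", "action": "PutObject"},
        "user_agent": {"original": "S3 Browser/11.5.7 (https://s3browser.com)"},
        "user": {"name": "migration-svc"}, "source": {"ip": "10.20.30.40"},
        "aws": {"s3": {"bucket": {"name": "corp-migration-staging"}}},
    },
    {   # human user, external address, sensitive bucket
        "event": {"dataset": "aws.cloudtrail", "outcome": "success", "action": "GetObject"},
        "user_agent": {"original": "Cyberduck/8.5.1 (Mac OS X/13.4)"},
        "user": {"name": "jdoe"}, "source": {"ip": "203.0.113.7"},
        "aws": {"s3": {"bucket": {"name": "hr-payroll-exports"}}},
    },
    {   # ordinary CLI traffic, not one of the watched clients
        "event": {"dataset": "aws.cloudtrail", "outcome": "success", "action": "ListObjects"},
        "user_agent": {"original": "aws-cli/2.15.0 Python/3.11.6 Linux/6.1"},
        "user": {"name": "ci-runner"}, "source": {"ip": "10.20.31.9"},
        "aws": {"s3": {"bucket": {"name": "build-artifacts"}}},
    },
    {   # watched client but the call was denied; rule requires success
        "event": {"dataset": "aws.cloudtrail", "outcome": "failure", "action": "GetObject"},
        "user_agent": {"original": "S3 Browser/11.5.7 (https://s3browser.com)"},
        "user": {"name": "jdoe"}, "source": {"ip": "203.0.113.7"},
        "aws": {"s3": {"bucket": {"name": "hr-payroll-exports"}}},
    },
    {   # approved principal and network, but a bucket outside its workflow
        "event": {"dataset": "aws.cloudtrail", "outcome": "success", "action": "GetObject"},
        "user_agent": {"original": "S3 Browser/11.5.7 (https://s3browser.com)"},
        "user": {"name": "migration-svc"}, "source": {"ip": "10.20.30.41"},
        "aws": {"s3": {"bucket": {"name": "finance-archive"}}},
    },
]

# Hypothetical allowlist encoding the LoFP guidance: principal + source
# network + buckets must all match for a hit to be considered approved.
APPROVED_WORKFLOWS = [
    {"principal": "migration-svc", "source_cidr": "10.20.0.0/16",
     "buckets": {"corp-migration-staging"}},
]
SENSITIVE_BUCKETS = {"hr-payroll-exports"}  # assumed for the example


def _get(event, *path, default=None):
    """Walk nested dicts by ECS field path, e.g. _get(e, "user_agent", "original")."""
    node = event
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def matches_rule(event) -> bool:
    """Evaluate the rule's three KQL conditions against one event."""
    ua = _get(event, "user_agent", "original", default="")
    return (
        _get(event, "event", "dataset") == "aws.cloudtrail"
        and _get(event, "event", "outcome") == "success"
        # fnmatchcase keeps the comparison case-sensitive, like a wildcard
        # against an ECS keyword field.
        and any(fnmatch.fnmatchcase(ua, pattern) for pattern in RULE_UA_PATTERNS)
    )


def triage(event) -> str:
    """Apply the LoFP checks to a rule hit and return a verdict string."""
    if not matches_rule(event):
        return "no_match"
    principal = _get(event, "user", "name")
    source_ip = ipaddress.ip_address(_get(event, "source", "ip"))
    bucket = _get(event, "aws", "s3", "bucket", "name")
    for workflow in APPROVED_WORKFLOWS:
        if (principal == workflow["principal"]
                and source_ip in ipaddress.ip_network(workflow["source_cidr"])
                and bucket in workflow["buckets"]):
            return "approved_workflow"
    # Anything not covered by an approved workflow is investigated; sensitive
    # buckets are flagged separately so they can be prioritised.
    return "investigate_sensitive" if bucket in SENSITIVE_BUCKETS else "investigate"


def triage_all(events):
    """Return (principal, verdict) pairs for a batch of events."""
    return [(_get(e, "user", "name"), triage(e)) for e in events]


if __name__ == "__main__":
    for principal, verdict in triage_all(SAMPLE_EVENTS):
        print(f"{principal:15} {verdict}")
```

The allowlist deliberately requires all three attributes to line up: the last sample event comes from an approved principal on an approved network yet still lands in `investigate`, because the bucket is outside that principal's workflow. That is the behaviour the LoFP entry asks for, and it is also why the allowlist should be kept narrow rather than keyed on principal alone.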