LoFP / valid usage of s3 browser for iam user and/or accesskey creation

Techniques

Sample rules

AWS IAM S3Browser User or AccessKey Creation

Description

Detects the S3 Browser utility creating an IAM user or access key.

Detection logic

condition: selection
selection:
  eventName:
  - CreateUser
  - CreateAccessKey
  eventSource: iam.amazonaws.com
  userAgent|contains: S3 Browser
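
Added example (not part of the original rule or the LoFP project): the selection above evaluated over constructed CloudTrail records, with rule hits split into approved usage and hits that need review. The APPROVED_ARNS allowlist, the account ID, ARNs, IP addresses and user-agent strings are assumptions made for illustration.

```python
import json

# Values copied from the selection above, lower-cased for comparison.
EVENT_NAMES = {"createuser", "createaccesskey"}
EVENT_SOURCE = "iam.amazonaws.com"
UA_SUBSTRING = "s3 browser"

# Hypothetical allowlist: principals approved to administer IAM with S3 Browser.
APPROVED_ARNS = {"arn:aws:iam::111122223333:user/storage-admin"}

# Constructed CloudTrail records (one JSON object per line), not real log data.
SAMPLE_LOG = """
{"eventName":"CreateUser","eventSource":"iam.amazonaws.com","userAgent":"S3 Browser 10.0.0 https://s3browser.com","sourceIPAddress":"198.51.100.10","userIdentity":{"arn":"arn:aws:iam::111122223333:user/storage-admin"}}
{"eventName":"CreateAccessKey","eventSource":"iam.amazonaws.com","userAgent":"S3 Browser 10.0.0 https://s3browser.com","sourceIPAddress":"203.0.113.77","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev-build"}}
{"eventName":"CreateAccessKey","eventSource":"iam.amazonaws.com","userAgent":"aws-cli/2.15.0","sourceIPAddress":"198.51.100.10","userIdentity":{"arn":"arn:aws:iam::111122223333:user/storage-admin"}}
{"eventName":"PutObject","eventSource":"s3.amazonaws.com","userAgent":"S3 Browser 10.0.0 https://s3browser.com","sourceIPAddress":"198.51.100.10","userIdentity":{"arn":"arn:aws:iam::111122223333:user/storage-admin"}}
"""

def matches_rule(record):
    """True when the record satisfies every field of `selection` (fields are ANDed)."""
    # Sigma compares strings case-insensitively unless a modifier says otherwise.
    return (
        str(record.get("eventName", "")).lower() in EVENT_NAMES
        and str(record.get("eventSource", "")).lower() == EVENT_SOURCE
        and UA_SUBSTRING in str(record.get("userAgent", "")).lower()
    )

def triage(log_text):
    """Split rule hits into approved usage and hits that need analyst review."""
    expected, review = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if not matches_rule(record):
            continue
        arn = record.get("userIdentity", {}).get("arn", "unknown")
        hit = (record["eventName"], arn, record.get("sourceIPAddress", "unknown"))
        (expected if arn in APPROVED_ARNS else review).append(hit)
    return expected, review

if __name__ == "__main__":
    expected, review = triage(SAMPLE_LOG)
    print("expected:", expected)
    print("review:", review)
```

Both S3 Browser records match the rule identically; only the identity and source address in the record separate the valid usage named in this entry from a hit that needs follow-up.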