AWS API Activity from Uncommon S3 Client by Rare User

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Identifies AWS API activity originating from uncommon desktop client applications based on the user agent string. This rule detects S3 Browser and Cyberduck, which are graphical S3 management tools that provide bulk upload/download capabilities. While legitimate, these tools are rarely used in enterprise environments and have been observed in use by threat actors for data exfiltration. Any activity from these clients should be validated against authorized data transfer workflows.

Rule type: new_terms

Rule indices:

  • logs-aws.cloudtrail-*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Data Source: AWS
  • Data Source: Amazon Web Services
  • Data Source: AWS CloudTrail
  • Data Source: AWS S3
  • Tactic: Exfiltration
  • Use Case: Threat Detection
  • Resources: Investigation Guide

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide


Triage and Analysis

Investigating AWS API Activity from Uncommon S3 Client by Rare User

S3 Browser and Cyberduck are graphical clients for Amazon S3 that allow users to browse, upload, download, and manage S3 objects. While legitimate tools, they are uncommonly used in enterprise environments where organizations typically standardize on AWS CLI, SDKs, or console access. The presence of these tools may indicate unauthorized data access or exfiltration activity.

This is a New Terms rule that identifies the first time a specific user within an account makes successful API calls with an S3 Browser or Cyberduck user agent string. Threat actors have been observed using these tools for their intuitive interface and bulk data transfer capabilities during post-compromise data theft operations. Note that the match keys on the user agent string, which is supplied by the client: an attacker who uses the AWS CLI, an SDK, or a client with a modified user agent will not trigger this rule, so the absence of alerts is not evidence that no bulk S3 access occurred.

Possible investigation steps

  • Identify the actor
      • Review aws.cloudtrail.user_identity.arn and aws.cloudtrail.user_identity.access_key_id to determine which IAM principal was used.
      • Check whether this principal normally accesses S3 and whether usage of these desktop clients is expected or authorized.
  • Review accessed resources
      • Examine aws.cloudtrail.resources.arn to identify which S3 buckets and objects were accessed.
      • Determine whether the accessed data is sensitive, confidential, or subject to data protection policies.
      • Look for patterns indicating bulk downloads or systematic enumeration of bucket contents.
  • Analyze the actions performed
      • Review event.action to understand what operations were performed (e.g., GetObject, ListBucket, PutObject).
      • High volumes of GetObject calls may indicate data exfiltration.
      • PutObject calls to external buckets could indicate data staging for exfiltration.
  • Inspect source network context
      • Review source.ip and source.geo fields to determine the origin of the request.
      • Check whether the IP belongs to corporate infrastructure, a VPN, or an unexpected external location.
      • External IPs combined with these desktop client tools are high-risk indicators.
  • Correlate with surrounding activity
      • Search for additional CloudTrail events from the same access key or session.
      • Look for preceding credential theft indicators such as GetSecretValue, CreateAccessKey, or console logins.
      • Check for cross-account transfers or CreateBucket calls in external accounts.

False positive analysis

  • Authorized data migration or backup activities may use these tools. Confirm with data engineering or IT teams.
  • Developer testing in non-production environments may occasionally involve these clients. Validate the environment and data sensitivity.
  • Third-party integrations using Cyberduck libraries may generate this user agent. Verify the automation context.

Response and remediation

  • If unauthorized, immediately revoke or rotate the affected access keys and invalidate active sessions.
  • Assess data exposure by reviewing which objects were accessed and determining if sensitive data was compromised.
  • Notify security operations and initiate incident response procedures if exfiltration is confirmed.
  • Implement preventive controls such as S3 bucket policies that require requests to arrive through an approved VPC endpoint (the aws:SourceVpce condition key) or from known source networks. A bucket policy condition on aws:UserAgent can enforce a client standard for cooperative users, but the user agent is set by the client and is trivially changed, so it must not be relied on as a control against an attacker.

Additional information

Rule query

event.dataset: "aws.cloudtrail"
    and user_agent.original: (*S3 Browser* or *Cyberduck*)
    and event.outcome: "success"
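
The following is an added example, not the rule's or Elastic's code. It replays the query above and the triage steps from the investigation guide over a handful of constructed CloudTrail-style events, so the behaviour of the new_terms rule type (alert only on the first occurrence of a term within the history window) and the difference between a rule match and a triage verdict can be seen end to end. Assumptions, also marked in the code: events are flat ECS-style dicts as the logs-aws.cloudtrail-* integration produces them; the new-terms field is aws.cloudtrail.user_identity.arn (the page says the rule fires the first time "a specific user" uses such a client, not which field is tracked); the user agent strings, ARNs, bucket names and the BULK_GET_THRESHOLD triage knob are illustrative.

```python
import fnmatch
from collections import Counter

CLIENT_PATTERNS = ("*S3 Browser*", "*Cyberduck*")      # wildcards from the rule query
NEW_TERMS_FIELD = "aws.cloudtrail.user_identity.arn"   # assumption: field the rule tracks
CREDENTIAL_INDICATORS = {"GetSecretValue", "CreateAccessKey", "ConsoleLogin"}  # from the guide
BULK_GET_THRESHOLD = 3                                 # assumption: illustrative triage knob


def matches_rule_query(event):
    """Mirror the KQL predicate. user_agent.original is a keyword field in ECS,
    so the wildcard comparison is case-sensitive, as it is in Kibana."""
    if event.get("event.dataset") != "aws.cloudtrail":
        return False
    if event.get("event.outcome") != "success":
        return False
    ua = event.get("user_agent.original", "")
    return any(fnmatch.fnmatchcase(ua, pat) for pat in CLIENT_PATTERNS)


def new_terms_alerts(events, history_terms):
    """Emulate the new_terms rule type: of the events matching the query, alert
    only on the first one whose term value is absent from the history window,
    then treat that value as known. `events` must be in time order."""
    seen = set(history_terms)
    alerts = []
    for ev in events:
        if not matches_rule_query(ev):
            continue
        term = ev.get(NEW_TERMS_FIELD)
        if term and term not in seen:
            seen.add(term)
            alerts.append(ev)
    return alerts


def triage_summary(events, principal_arn):
    """Collect what the investigation guide asks for, over every CloudTrail
    event from the principal (including failures and other clients), not only
    the events that matched the query."""
    mine = [ev for ev in events
            if ev.get("event.dataset") == "aws.cloudtrail"
            and ev.get(NEW_TERMS_FIELD) == principal_arn]
    actions = Counter(ev["event.action"] for ev in mine)
    successful_gets = sum(1 for ev in mine
                          if ev["event.action"] == "GetObject" and ev["event.outcome"] == "success")
    return {
        "actions": dict(actions),
        "outcomes": dict(Counter(ev["event.outcome"] for ev in mine)),
        "resources": sorted({r for ev in mine for r in ev["aws.cloudtrail.resources.arn"]}),
        "source_ips": sorted({ev["source.ip"] for ev in mine}),
        "access_keys": sorted({ev["aws.cloudtrail.user_identity.access_key_id"] for ev in mine}),
        "credential_indicators": sorted(set(actions) & CREDENTIAL_INDICATORS),
        "possible_bulk_download": successful_gets >= BULK_GET_THRESHOLD,
    }


def _ev(ts, arn, key, action, ua, outcome="success", ip="203.0.113.10", resources=()):
    """Constructed sample event in the flat ECS shape assumed above."""
    return {"@timestamp": ts, "event.dataset": "aws.cloudtrail", "event.action": action,
            "event.outcome": outcome, "user_agent.original": ua, "source.ip": ip,
            "aws.cloudtrail.user_identity.arn": arn,
            "aws.cloudtrail.user_identity.access_key_id": key,
            "aws.cloudtrail.resources.arn": list(resources)}


ALICE = "arn:aws:iam::123456789012:user/alice"                   # constructed
BOB = "arn:aws:iam::123456789012:user/bob"                       # constructed
BUCKET = "arn:aws:s3:::finance-reports"                          # constructed
S3B_UA = "S3 Browser/11.5.7 (https://s3browser.com)"             # constructed UA string
DUCK_UA = "Cyberduck/8.7.0 (Windows 10/10.0) (x86_64)"           # constructed UA string
CLI_UA = "aws-cli/2.15.0 Python/3.11.6 Linux/6.5 exe/x86_64"     # constructed UA string

SAMPLE_EVENTS = [  # constructed, in time order
    _ev("2024-05-01T08:55:00Z", ALICE, "AKIAEXAMPLEALICE", "CreateAccessKey", "console.amazonaws.com"),
    _ev("2024-05-01T09:00:00Z", BOB, "AKIAEXAMPLEBOB", "GetObject", CLI_UA, resources=[BUCKET + "/q1.csv"]),
    _ev("2024-05-01T09:10:00Z", ALICE, "AKIAEXAMPLEALICE", "ListBucket", S3B_UA,
        ip="198.51.100.7", resources=[BUCKET]),
    *[_ev(f"2024-05-01T09:1{i}:00Z", ALICE, "AKIAEXAMPLEALICE", "GetObject", S3B_UA,
          ip="198.51.100.7", resources=[f"{BUCKET}/q{i}.csv"]) for i in (1, 2, 3)],
    _ev("2024-05-01T09:20:00Z", BOB, "AKIAEXAMPLEBOB", "GetObject", DUCK_UA,
        outcome="failure", resources=[BUCKET + "/q1.csv"]),        # denied: excluded by event.outcome
    _ev("2024-05-01T09:21:00Z", BOB, "AKIAEXAMPLEBOB", "GetObject", DUCK_UA, resources=[BUCKET + "/q1.csv"]),
]
HISTORY_TERMS = {BOB}  # bob already used Cyberduck inside the look-back window (constructed)

if __name__ == "__main__":
    for alert in new_terms_alerts(SAMPLE_EVENTS, HISTORY_TERMS):
        arn = alert[NEW_TERMS_FIELD]
        print("ALERT", alert["@timestamp"], arn, alert["user_agent.original"])
        print(triage_summary(SAMPLE_EVENTS, arn))
```

With the constructed history, only alice's first S3 Browser call raises an alert: bob's Cyberduck usage is a known term, and his denied request is excluded by the event.outcome predicate regardless. The triage summary for alice then surfaces the points the guide asks about: a CreateAccessKey shortly before the S3 Browser activity, a second source IP, and enough successful GetObject calls to flag a possible bulk download. Lower the wildcard patterns or the threshold to taste; the structure is what matters.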

Framework: MITRE ATT&CK™