Latest research, product updates and best practices on staying secure in the cloud | Permiso

Permiso | Blog | Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor

Written by Ian Ahl | May 22, 2023 7:58:00 AM

Summary (the TL;DR)

Permiso’s p0 Labs has been tracking a threat actor for the last 18 months. In this article we will describe the attack lifecycle and detection opportunities for the cloud-focused, financially motivated threat actor we have dubbed as p0-LUCR-1, aka GUI-vil (Goo-ee-vil).

GUI-vil is a financially motivated threat group sourcing from Indonesia whose primary objective is performing unauthorized cryptocurrency mining activities. Leveraging compromised credentials, the group has been observed exploiting Amazon Web Services (AWS) EC2 instances to facilitate their illicit crypto mining operations. Permiso first observed this threat actor in November of 2021, and most recently observed their activity in April of 2023.

The group displays a preference for Graphical User Interface (GUI) tools, specifically an older version of S3 Browser (version 9.5.5, released January of 2021) for their initial operations. Upon gaining AWS Management Console access, they conduct their operations directly through the web browser.

The source IP addresses associated with the attacker's activities are linked to two (2) specific Indonesian Autonomous System Numbers (ASNs) - PT. Telekomunikasi Selula and PT Telekomunikasi Indonesia.

In their typical attack lifecycle, GUI-vil initially performs reconnaissance by monitoring public sources for exposed AWS keys (GitHub, Pastebin) and scanning for vulnerable GitLab instances. Initial compromises are predominantly achieved via exploiting known vulnerabilities such as CVE-2021-22205, or via using publicly exposed credentials.

GUI-vil, unlike many groups focused on crypto mining, apply a personal touch when establishing a foothold in an environment. They attempt to masquerade as legitimate users by creating usernames that match the victim’s naming standard, or in some cases taking over existing users by creating login profiles for a user where none existed (takeover activity appearing as iam:GetLoginProfile failure followed by successful iam:CreateLoginProfile).

The group's primary mission, financially driven, is to create EC2 instances to facilitate their crypto mining activities. In many cases the profits they make from crypto mining are just a sliver of the expense the victim organizations have to pay for running the EC2 instances.


Attacker Attributes

Highlights:

  • Unlike many commodity threat actors in the cloud that rely on automation, GUI-vil are engaged attackers at the keyboard, ready to adapt to whatever situation they are in.

  • They are allergic to CLI utilities, using S3 Browser and AWS Management Console via web browsers as their tooling.

  • They apply a personal touch. They model the name of their IAM Users, and sometimes their policies, keypairs, etc., on what they find present in the environment. Often time this helps them blend in.

  • They fight hard to maintain access in an environment when defenders find them. They don’t just tuck their tail and leave.

  • They often make mistakes by leaving S3 Browser defaults.

    • <YOUR-BUCKET-NAME>” being a favorite, but also default policy and IAM user names

{  
"userName": "FileBackupAccount",  
"policyName": "dq",
"policyDocument": "{\\r\\n \\"Statement\\": [\\r\\n {\\r\\n \\"Effect\\": \\"Allow\\",\\r\\n \\"Action\\": \\"s3:GetObject\\",\\r\\n \\"Resource\\": \\"arn:aws:s3:::<YOUR-BUCKET-NAME>/*\\",\\r\\n \\"Condition\\": {}\\r\\n }\\r\\n ]\\r\\n}"
}

Example request parameters from iam:PutUserPolicy event in CloudTrail logs

Mission

GUI-vil is a financially motivated threat actor, that leverages compromised credentials to spin up EC2 instances for use in crypto mining.

Tooling

GUI-vil leverages mostly GUI tools in their attacks. Initial access, reconnaissance, and persistence are all completed using the GUI utility S3 Browser. We have observed the threat actors continued use of the same version of S3 Browser (version 9.5.5, released January of 2021) to carry out their attacks since November 13, 2021. Once GUI-vil is able to create or take ownership of an IAM user with AWS Management Console access, they perform the rest of their activities directly through the web browser and AWS Management Console.

Hours of operations (UTC/GMT)

Infrastructure

All source addresses the attacker has originated from belong to two ASNs in Indonesia

  • PT. Telekomunikasi Selula

  • PT Telekomunikasi Indonesia

Victimology

GUI-vil is an equal opportunity attacker. Rather than targeting specific organizations, they are opportunistic and will attempt to attack any organization for which they can discover compromised credentials.

Attacker Lifecycle

Initial Recon

In order to support their mechanisms for initial access, GUI-vil performs two (2) main forms of reconnaissance:

  • Monitoring common public sources for exposed AWS access keys such as GitHub and Pastebin.

  • Scanning for vulnerable versions of software repositories such as GitLab.

Initial Compromise & Establishing Foothold

We have observed this threat actor leverage two (2) methods of initial compromise:

  • Leverage CVE-2021-22205 to gain Remote Code Execution (RCE) on vulnerable GitLab instances. Once GitLab is exploited the threat actor reviews repositories for AWS access keys.

  • In most instances this threat actor is able to find publicly exposed credentials and directly leverage them.

The discovered access keys become their foothold into the AWS environment. They validate the access key and secret are active credentials by entering them into the Windows GUI utility S3 Browser, which will first execute the ListBuckets command against the S3 service.

{  
"eventVersion": "1.08",  
"userIdentity": {
"type": "IAMUser",
"principalId": "redacted",
"arn": "arn:aws:iam::redacted:user/external_audit",
"accountId": "redacted",
"accessKeyId": "AKIA******",
"userName": "external_audit"
}, "eventTime": "2023-04-18T14:47:39.0000000Z",
"eventSource": "s3.amazonaws.com",
"eventName": "ListBuckets",
"awsRegion": "us-east-1",
"sourceIPAddress": "36.85.110.142",
"userAgent": "[S3 Browser 9.5.5 https://s3browser.com]",
"requestParameters": {
"Host": "s3.us-east-1.amazonaws.com"
}, "responseElements": null,
"requestID": "T1ACJXN3EJQ4T58X",
"eventID": "af6814ab-10e1-4c8a-88b6-384874592519",
"readOnly": true,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "redacted",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.2",
"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
"clientProvidedHostHeader": "s3.us-east-1.amazonaws.com"
}, "additionalEventData": {
"SignatureVersion": "SigV4",
"CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
"bytesTransferredIn": 0,
"AuthenticationMethod": "AuthHeader",
"x-amz-id-2": "2ZRMAF9dvfjiLRZq1UoaE6tspOgoHk4X/Vtvjb8orWdQPGgJQiOuXhn13eOL3s4+BY/+Fuf7ZxE=",
"bytesTransferredOut": 389
}

}

Escalate Privileges

Given that cloud credentials are often grossly over-privileged, this threat actor does not often need to elevate their privileges. In one attack by GUI-vil though, the credentials the threat actor started with had read-only permissions across all services. The attacker used these credentials to review data in all available S3 buckets, and was able to find credentials with full administrator privileges in a Terraform tfstate file.

Internal Recon

GUI-vil has two (2) main methods of performing internal reconnaissance:

  • Review of accessible S3 buckets

  • Exploring what services are accessible and utilized by the victim organization via the AWS Management Console.

Services we have observed them exploring (in order of descending prevalence) include:

ec2.amazonaws.com
health.amazonaws.com
iam.amazonaws.com
organizations.amazonaws.com
elasticloadbalancing.amazonaws.com
autoscaling.amazonaws.com
monitoring.amazonaws.com
cloudfront.amazonaws.com
billingconsole.amazonaws.com
s3.amazonaws.com
compute-optimizer.amazonaws.com
ce.amazonaws.com
dynamodb.amazonaws.com
config.amazonaws.com
ram.amazonaws.com
ssm.amazonaws.com
kms.amazonaws.com
securityhub.amazonaws.com
servicecatalog-appregistry.amazonaws.com
sts.amazonaws.com
cloudtrail.amazonaws.com
trustedadvisor.amazonaws.com
logs.amazonaws.com
dax.amazonaws.com
sso.amazonaws.com
support.amazonaws.com
account.amazonaws.com
elasticfilesystem.amazonaws.com
resource-groups.amazonaws.com
ds.amazonaws.com
tagging.amazonaws.com
cloudhsm.amazonaws.com
access-analyzer.amazonaws.com
resource-explorer-2.amazonaws.com

Additionally, we observed GUI-vil monitoring CloudTrail logs for changes that the victims’ organizations were making when trying to evict GUI-vil from their environments. This allowed GUI-vil to adapt their persistence to bypass restrictions the victim organization was putting in place.

{  
"eventVersion": "1.08",
"userIdentity": {
"type": "IAMUser",
"principalId": "redacted",
"arn": "arn:aws:iam::redacted:user/andy",
"accountId": "redacted",
"accessKeyId": "ASIA****",
"userName": "andy",
"sessionContext": {
"sessionIssuer": {},
"webIdFederationData": {},
"attributes": {
"creationDate": "2023-04-19T01:16:27.0000000Z",
"mfaAuthenticated": "false"
} } }, "eventTime": "2023-04-19T01:21:14.0000000Z",
"eventSource": "cloudtrail.amazonaws.com",
"eventName": "LookupEvents",
"awsRegion": "us-east-1",
"sourceIPAddress": "36.85.110.142",
"userAgent": "AWS Internal",
"requestParameters": {
"maxResults": 50,
"lookupAttributes": [
{ "attributeKey": "ReadOnly",
"attributeValue": "false"
} ] }

Maintain Presence (IAM)

In order to maintain a presence in the victim organization, GUI-vil has leveraged several different mechanisms. Based on observed activity, they exclusively utilize S3 Browser to make creations and modifications to the IAM service.

  • GUI-vil will often create new IAM users to maintain ensure they can persist in an environment in case their original compromised credentials are discovered. When creating IAM users GUI-vil will often attempt to conform to the naming standards of existing IAM users. For example, in one environment they created a user named

    sec_audit

    which they modelled off of other audit users in the organization. They do often move too fast for their own good, sometimes forgetting to take out the default name that S3 Browser supplies when creating a new user.

{  
"eventVersion": "1.08",
"userIdentity": {
"type": "IAMUser",
"principalId": "redacted",
"arn": "arn:aws:iam::redacted:user/terraform",
"accountId": "redacted",
"userName": "terraform",
"accessKeyId": "AKIA*****"
}, "eventTime": "2023-04-18T15:05:27.0000000Z",
"eventSource": "iam.amazonaws.com",
"eventName": "CreateUser",
"awsRegion": "us-east-1",
"sourceIPAddress": "36.85.110.142",
"userAgent": "S3 Browser 9.5.5 <https://s3browser.com>",
"requestParameters": {
"userName": "sec_audit",
"path": "/"
}, "responseElements": {
"user": {
"arn": "arn:aws:iam::redacted:user/sec_audit",
"userName": "sec_audit",
"userId": "redacted",
"createDate": "Apr 18, 2023 3:05:27 PM",
"path": "/"
} }
  • GUI-vil will also create access keys for the new identities they are creating so they can continue usage of S3 Browser with these new users.

  • GUI-vil will create login profiles, to enable access to AWS Management Console. We have observed GUI-vil apply this tactic to avoid the noise of creating a new user. They look for identities that do not have login profiles and, once found, create a login profile. This allows the attacker to inherit the permissions of that identity and stay under the radar of security teams that do not monitor new login profiles being created.

{  
"eventVersion": "1.08",
"userIdentity": {
"type": "IAMUser",
"principalId": "redacted",
"arn": "arn:aws:iam::redacted:user/terraform",
"accountId": "redacted",
"accessKeyId": "AKIA****",
"userName": "terraform"
}, "eventTime": "2023-04-18T15:27:22.0000000Z",
"eventSource": "iam.amazonaws.com",
"eventName": "GetLoginProfile",
"awsRegion": "us-east-1",
"sourceIPAddress": "36.85.110.142",
"userAgent": "S3 Browser 9.5.5 <https://s3browser.com>",
"requestParameters": {
"userName": "andy"
}, "responseElements": null,
"requestID": "33147b1e-f106-440e-b63a-f4fca8da0170",
"eventID": "7d7ad4e4-3f50-42d1-af4f-6d7db737ecdb",
"readOnly": true,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "redacted",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.2",
"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
"clientProvidedHostHeader": "iam.amazonaws.com"
}, "errorCode": "NoSuchEntityException",
"errorMessage": "Login Profile for User andy cannot be found."
} { "eventVersion": "1.08",
"userIdentity": {
"type": "IAMUser",
"principalId": "redacted",
"arn": "arn:aws:iam::redacted:user/terraform",
"accountId": "redacted",
"accessKeyId": "AKIA****",
"userName": "terraform"
}, "eventTime": "2023-04-18T15:27:29.0000000Z",
"eventSource": "iam.amazonaws.com",
"eventName": "CreateLoginProfile",
"awsRegion": "us-east-1",
"sourceIPAddress": "36.85.110.142",
"userAgent": "S3 Browser 9.5.5 <https://s3browser.com>",
"requestParameters": {
"userName": "andy",
"passwordResetRequired": false
}, "responseElements": {
"loginProfile": {
"userName": "andy",
"createDate": "Apr 18, 2023 3:27:29 PM",
"passwordResetRequired": false
} }, "requestID": "281e395e-3614-44f6-8531-5bcdca3a5507",
"eventID": "4ced3dd4-1ab7-4e23-b659-7ca7d88c5d6e",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "redacted",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.2",
"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
"clientProvidedHostHeader": "iam.amazonaws.com"
}

iam:GetLoginProfile with error showing that a login profile does not currently exist

{  
"eventVersion": "1.08",
"userIdentity": {
"type": "IAMUser",
"principalId": "redacted",
"arn": "arn:aws:iam::redacted:user/terraform",
"accountId": "redacted",
"accessKeyId": "AKIA****",
"userName": "terraform"
}, "eventTime": "2023-04-18T15:27:29.0000000Z",
"eventSource": "iam.amazonaws.com",
"eventName": "CreateLoginProfile",
"awsRegion": "us-east-1",
"sourceIPAddress": "36.85.110.142",
"userAgent": "S3 Browser 9.5.5 https://s3browser.com",
"requestParameters": {
"userName": "andy",
"passwordResetRequired": false
}, "responseElements": {
"loginProfile": {
"userName": "andy",
"createDate": "Apr 18, 2023 3:27:29 PM",
"passwordResetRequired": false
} }, "requestID": "281e395e-3614-44f6-8531-5bcdca3a5507",
"eventID": "4ced3dd4-1ab7-4e23-b659-7ca7d88c5d6e",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "redacted",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.2",
"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
"clientProvidedHostHeader": "iam.amazonaws.com"
} }

iam:CreateLoginProfile for the user that did not have a login profile already defined

When GUI-vil creates IAM users, they also directly attach an inline policy via iam:PutUserPolicy to grant their user full privileges.

{  
"userName": "backup",
"policyName": "backupuser",
"policyDocument": "{\\r\\n \\"Statement\\": [\\r\\n {\\r\\n \\"Effect\\": \\"Allow\\",\\r\\n \\"Action\\": \\"*\\",\\r\\n \\"Resource\\": \\"*\\",\\r\\n \\"Condition\\": {}\\r\\n }\\r\\n ]\\r\\n}"
}

iam:PutUserPolicy to add inline policy granting full privileges to newly created user


Maintain Presence (EC2)

While they can maintain presence on the infrastructure level via the users and access keys they have created or taken over, the attacker can also maintain persistence to the environment via EC2. Simply by being able to connect to the EC2 instance they can assume the credentials of the EC2 instance. Often times the attacker will execute ec2:CreateKeyPair, enabling them to connect to the EC2 instance directly via SSH which they ensure is open to the internet on any EC2 instances they create.

"data": {   
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROA****:andy",
"arn": "arn:aws:sts::redacted:assumed-role/AdminUser/andy",
"accountId": "redacted",
"accessKeyId": "ASIA*****",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROA****",
"arn": "arn:aws:iam::redacted:role/AdminUser",
"accountId": "redacted",
"userName": "AdminUser"
}, "webIdFederationData": {},
"attributes": {
"creationDate": "2023-04-18T15:30:24.0000000Z",
"mfaAuthenticated": "false"
} } }, "eventTime": "2023-04-18T15:33:12.0000000Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "CreateKeyPair",
"awsRegion": "us-east-1",
"sourceIPAddress": "36.85.110.142",
"userAgent": "AWS Internal",
"requestParameters": {
"keyName": "su32",
"keyType": "rsa",
"keyFormat": "ppk"
}, "responseElements": {
"requestId": "21e1134f-109e-4b4a-bea8-cc651b9e0db8",
"keyName": "su32",
"keyFingerprint": "e9:86:03:1e:81:4e:65:fb:78:41:f0:32:e0:29:ff:6e:9b:0e:fe:f0",
"keyPairId": "key-0123456789abcdef0",
"keyMaterial": "<sensitiveDataRemoved>"
}, "requestID": "21e1134f-109e-4b4a-bea8-cc651b9e0db8",
"eventID": "9338ea0b-b929-4a76-b024-2b3ea36cd484",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "redacted",
"eventCategory": "Management",
"sessionCredentialFromConsole": "true"
}

ec2:CreateKeyPair to create public and private key pair for remote access

{  
"groupId": "sg-0123456789abcdef0",
"ipPermissions": {
"items": [
{ "ipRanges": {
"items": [
{ "cidrIp": "0.0.0.0/0"
} ] }, "prefixListIds": {},
"fromPort": 22,
"toPort": 22,
"groups": {},
"ipProtocol": "tcp",
"ipv6Ranges": {}
} ] }

ec2:AuthorizeSecurityGroupIngress to add inbound (ingress) rule for port 22 to specified security group


Complete Mission

GUI-vil is financially motivated. They create EC2 instances in victim AWS organizations that they then use for crypto mining. Often times as they encounter resource limitations set by the victim organizations they will switch to other regions and attempt again.

All EC2 instances they created have had these attributes:

  • Size xlarge and bigger (c4.4xlarge, p3.16xlarge, p3.2xlarge, p3.8xlarge)

  • TCP/22 open to 0.0.0.0

  • IPv4 Enabled, IPv6 Disabled

  • Detailed CloudWatch monitoring disabled

  • Xen hypervisor

Once an EC2 instance is created they connect to it via SSH, install required packages, then install and launch XMRIG:

  • apt-get update

  • apt-get install git build-essential cmake libuv1-dev libssl-dev libhwloc-dev -y

  • /home/ubuntu/xmrig

Indicators

Atomic Indicators

Indicator

Type

Notes

182.1.229.252

IPv4

PT. Telekomunikasi Selular

114.125.247.101

IPv4

PT. Telekomunikasi Selula

114.125.245.53

IPv4

PT. Telekomunikasi Selula

114.125.247.101

IPv4

PT. Telekomunikasi Selula

114.125.232.189

IPv4

PT. Telekomunikasi Selula

114.125.228.81

IPv4

PT. Telekomunikasi Selula

114.125.229.197

IPv4

PT. Telekomunikasi Selula

114.125.246.235

IPv4

PT. Telekomunikasi Selula

114.125.246.43

IPv4

PT. Telekomunikasi Selula

36.85.110.142

IPv4

PT Telekomunikasi Indonesia

S3 Browser 9.5.5

https://s3browser.com/

UA

 

[S3 Browser 9.5.5

https://s3browser.com/

]

UA

 

su32

SSH Key Name

 

new-user-<8 alphanumeric characters>

IAM User

default naming standard for creating a user with S3 Browser

sec_audit

IAM User

 

sdgs

IAM Policy

 

ter

IAM Policy

 

backup

IAM User

 

dq

IAM Policy

 

Detections

Permiso CDR Rules

Permiso clients are protected from these attackers by the following detections:

Permiso Detections

P0_AWS_S3_BROWSER_USERAGENT_1

P0_MULTI_NEFARIOUS_USERAGENT_1

P0_AWS_SUSPICIOUS_ACCOUNT_NAME_CREATED_1

P0_GENERAL_SUSPICIOUS_ACCOUNT_NAME_CREATED_1

P0_COMMON_USER_ACTIVITY_NO_MFA_1

P0_AWS_IAM_INLINE_POLICY_ALLOW_ALL_1

P0_AWS_IAM_INLINE_POLICY_SHORT_NAME_1

P0_AWS_IAM_INLINE_POLICY_PASSROLE_1

P0_AWS_IAM_INLINE_POLICY_TEMPLATE_LANGUAGE_1

P0_AWS_EC2_MULTI_REGION_INSTANCE_CREATIONS_1

P0_AWS_HUMAN_CREATED_LARGE_EC2_1

P0_AWS_EC2_STARTED_CIDR_FULL_OPEN_PORT_22_1

For folks not on the Permiso platform, here are some basic sigma rules that can be used to identify GUI-vil:

S3 Browser - IAM Policy w/Templated Language

title: AWS IAM S3Browser Templated S3 Bucket Policy Creation id: db014773-7375-4f4e-b83b-133337c0ffee status: experimental
description: Detects S3 Browser utility creating Inline IAM Policy containing default S3 bucket name placeholder value of <YOUR-BUCKET-NAME>.
references:
 - <https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor> author: daniel.bohannon@permiso.io (@danielhbohannon)
date: 2023/05/17 modified: 2023/05/17 tags:
    - attack.execution
 - attack.t1059.009     - attack.persistence
 - attack.t1078.004 logsource:
    product: aws
    service: cloudtrail
detection:
    selection_source:
        eventSource: iam.amazonaws.com
        eventName: PutUserPolicy
    filter_tooling:
        userAgent|contains: 'S3 Browser'
    filter_policy_resource:
 requestParameters|contains: '"arn:aws:s3:::<YOUR-BUCKET-NAME>/*"'     filter_policy_action:
 requestParameters|contains: '"s3:GetObject"'     filter_policy_effect:
 requestParameters|contains: '"Allow"'     condition: selection_source and filter_tooling and filter_policy_resource and filter_policy_action and filter_policy_effect
falsepositives:
    - Valid usage of S3 Browser with accidental creation of default Inline IAM Policy without changing default S3 bucket name placeholder value
level: high

S3 Browser - IAM LoginProfile

title: AWS IAM S3Browser LoginProfile Creation id: db014773-b1d3-46bd-ba26-133337c0ffee status: experimental
description: Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.
references:
 - <https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor> author: daniel.bohannon@permiso.io (@danielhbohannon)
date: 2023/05/17 modified: 2023/05/17 tags:
    - attack.execution
 - attack.t1059.009     - attack.persistence
 - attack.t1078.004 logsource:
    product: aws
    service: cloudtrail
detection:
    selection_source:
        eventSource: iam.amazonaws.com
        eventName:
            - GetLoginProfile
            - CreateLoginProfile
    filter_tooling:
        userAgent|contains: 'S3 Browser'
    condition: selection_source and filter_tooling
falsepositives:
    - Valid usage of S3 Browser for IAM LoginProfile listing and/or creation
level: high

S3 Browser - IAM User and AccessKey

title: AWS IAM S3Browser User or AccessKey Creation id: db014773-d9d9-4792-91e5-133337c0ffee status: experimental
description: Detects S3 Browser utility creating IAM User or AccessKey.
references:
 - <https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor> author: daniel.bohannon@permiso.io (@danielhbohannon)
date: 2023/05/17 modified: 2023/05/17 tags:
    - attack.execution
 - attack.t1059.009     - attack.persistence
 - attack.t1078.004 logsource:
    product: aws
    service: cloudtrail
detection:
    selection_source:
        eventSource: iam.amazonaws.com
        eventName:
            - CreateUser
            - CreateAccessKey
    filter_tooling:
        userAgent|contains: 'S3 Browser'
    condition: selection_source and filter_tooling
falsepositives:
    - Valid usage of S3 Browser for IAM User and/or AccessKey creation
level: high

Observed Events (write level):

ec2:AuthorizeSecurityGroupIngress
ec2:CreateKeyPair
ec2:CreateSecurityGroup
ec2:CreateTags
ec2:RunInstances
ec2:TerminateInstances
iam:CreateAccessKey
iam:CreateLoginProfile
iam:CreateUser
iam:DeleteAccessKey
iam:DeleteLoginProfile
iam:DeleteUser
iam:DeleteUserPolicy
iam:PutUserPolicy
signin:ExitRole
signin:SwitchRole