
Anomalous use of AWS APIs indicating S3 write operations

ID: aws_s3_write_anomaly
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0040:T1565.001

Description

AlphaSOC has detected unexpected use of AWS APIs indicating S3 write operations. This detection is triggered by PutObject, UploadPart, UploadPartCopy, and CreateBucket actions. These actions may indicate unauthorized data manipulation within your AWS environment.

Impact

Threat actors may use these actions to overwrite valuable information, or to create new storage locations for malware or command and control (C2) infrastructure. This is especially dangerous if no backup or object versioning is in place.

Severity

Severity       Condition
Informational  Unexpected action, ASN, user agent or region
Low            Two unexpected properties at the same time
Medium         Three unexpected properties at the same time

Investigation and Remediation

Investigate the detected S3 write operation by reviewing AWS CloudTrail logs to identify the user, client IP, and specific actions performed. Verify if the operations were authorized and part of normal business processes. If unauthorized activity is confirmed, revoke the relevant IAM credentials, restore modified data from backups if possible, and conduct a thorough security assessment of the affected S3 buckets and associated AWS accounts.
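The severity ladder above and the CloudTrail review described here, as an added example that is not AlphaSOC's code: it filters CloudTrail records down to the four S3 write actions, compares the action, ASN, user agent and region against a per-identity baseline, and maps the number of unexpected properties to the page's severity levels. The baseline, the sample record and the IP-to-ASN table are constructed for the example; a real deployment would take the baseline from historical CloudTrail data and the ASN from an IP-to-ASN database.

```python
# Added example, not AlphaSOC's detection code. Scores S3 write events from
# CloudTrail against a per-identity baseline using the page's severity ladder:
# 1 unexpected property -> Informational, 2 -> Low, 3 -> Medium.
S3_WRITE_ACTIONS = {"PutObject", "UploadPart", "UploadPartCopy", "CreateBucket"}
SEVERITY = {1: "Informational", 2: "Low", 3: "Medium"}

# Constructed baseline: what is normal for one IAM identity (assumed values).
BASELINE = {
    "arn:aws:iam::111122223333:user/backup-svc": {
        "action": {"PutObject", "UploadPart"},
        "asn": {"AS64500"},
        "user_agent": {"aws-cli/2.15.0"},
        "region": {"us-east-1"},
    }
}
# Constructed stand-in for an IP-to-ASN lookup (TEST-NET addresses, made-up ASNs).
ASN_LOOKUP = {"192.0.2.10": "AS64500", "198.51.100.7": "AS64496"}


def unexpected_properties(record, baseline=BASELINE, asn_lookup=ASN_LOOKUP):
    """Return the names of properties of an S3 write event that fall outside
    the identity's baseline. Non-S3-write events and unknown identities
    yield an empty list, so they never raise an alert."""
    if record.get("eventSource") != "s3.amazonaws.com":
        return []
    if record.get("eventName") not in S3_WRITE_ACTIONS:
        return []
    profile = baseline.get(record.get("userIdentity", {}).get("arn"))
    if profile is None:
        return []
    observed = {
        "action": record["eventName"],
        "asn": asn_lookup.get(record.get("sourceIPAddress"), "unknown"),
        "user_agent": record.get("userAgent", ""),
        "region": record.get("awsRegion", ""),
    }
    return [name for name, value in observed.items() if value not in profile[name]]


def score(record):
    """Map the count of unexpected properties to a severity, or None if no alert."""
    n = len(unexpected_properties(record))
    return SEVERITY[min(n, 3)] if n else None


# Constructed CloudTrail record (subset of fields): a known identity running
# CreateBucket from an unfamiliar ASN with an unfamiliar user agent, in its
# usual region. Three unexpected properties -> Medium.
SAMPLE = {
    "eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
    "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
    "userAgent": "Boto3/1.34.0",
    "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-svc"},
}
```

Running `score(SAMPLE)` returns "Medium"; the same record with the baseline action and user agent but the unfamiliar source IP scores only "Informational".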

Known False Positives

  • Authorized users uploading files

Further Reading