Suspicious use of AWS APIs indicating S3 write operations
Description
AlphaSOC has detected unexpected use of AWS APIs indicating S3 write operations. This detection is triggered by PutObject, UploadPart, UploadPartCopy, and CreateBucket actions. These actions may indicate unauthorized data manipulation within your AWS environment.
Impact
Threat actors may use these actions to overwrite valuable information, or to create new storage locations for malware or command and control (C2) infrastructure. This is especially dangerous if no backup or versioning is in place, since overwritten objects cannot then be recovered.
Severity
| Severity | Condition |
|---|---|
| Informational | A single unexpected property: action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Investigate the detected S3 write operation by reviewing AWS CloudTrail logs to identify the user, client IP, and specific actions performed. Verify whether the operations were authorized and part of normal business processes. If unauthorized activity is confirmed, revoke the relevant IAM credentials, restore modified data from backups if possible, and conduct a thorough security assessment of the affected S3 buckets and associated AWS accounts.
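As an added example (not AlphaSOC's own detection code), the following script applies this page's action list and severity table to CloudTrail records: it scores each S3 write event by how many of its properties (action, region, user agent, ASN) fall outside a baseline and pulls out the user, client IP, action and bucket that the investigation step asks for. The baseline, the IP-to-ASN table and the CloudTrail records are all constructed for the example.

```python
# Apply this detection's action list and severity table to CloudTrail records (constructed below).
S3_WRITE_ACTIONS = {"PutObject", "UploadPart", "UploadPartCopy", "CreateBucket"}

# Constructed baseline of expected values; a deployment would learn it from historical activity.
BASELINE = {"eventName": {"GetObject", "ListBucket", "PutObject"}, "awsRegion": {"us-east-1"},
            "userAgent": {"aws-cli/2.15.0"}, "asn": {"AS16509"}}
# CloudTrail carries only sourceIPAddress; this constructed table stands in for an ASN lookup.
IP_TO_ASN = {"203.0.113.10": "AS16509", "198.51.100.7": "AS64496"}

# Constructed CloudTrail records, reduced to the fields used here.
SAMPLE_RECORDS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0", "requestParameters":
     {"bucketName": "nightly-backups"}, "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-job"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket", "awsRegion": "eu-west-3",
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0", "requestParameters":
     {"bucketName": "staging-drop-7f3a"}, "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-job"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "UploadPart", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0", "requestParameters":
     {"bucketName": "release-artifacts"}, "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci-deploy"}},
]

def severity(n_unexpected):
    # Page's table: one unexpected property -> Informational, two -> Low, three -> Medium.
    # Four is not covered by the page; it is treated as Medium here (assumption).
    return {1: "Informational", 2: "Low"}.get(n_unexpected, "Medium")

def score_record(record):
    """Return (severity, unexpected property names), or None if not an S3 write or fully expected."""
    if record.get("eventSource") != "s3.amazonaws.com" or record.get("eventName") not in S3_WRITE_ACTIONS:
        return None
    observed = {"eventName": record.get("eventName"), "awsRegion": record.get("awsRegion"),
                "userAgent": record.get("userAgent"),
                "asn": IP_TO_ASN.get(record.get("sourceIPAddress"), "unknown")}
    unexpected = [name for name, value in observed.items() if value not in BASELINE[name]]
    return (severity(len(unexpected)), unexpected) if unexpected else None

def triage(records):
    """Collect user, client IP, action and bucket plus severity for every record the detection raises."""
    hits = []
    for record in records:
        scored = score_record(record)
        if scored:
            hits.append({"user": record["userIdentity"]["arn"], "source_ip": record["sourceIPAddress"],
                         "action": record["eventName"], "bucket": record["requestParameters"]["bucketName"],
                         "severity": scored[0], "unexpected": scored[1]})
    return hits
```

Run `triage(SAMPLE_RECORDS)` to see the two records that would be raised: the CreateBucket from a new region and ASN rates Medium, the UploadPart from a known region but unexpected ASN rates Low, and the routine PutObject is not raised at all.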
Known False Positives
- Authorized users uploading files