IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Microsoft Azure or Mail Sign-in from a Suspicious Source Microsoft Entra ID SharePoint Access for User Principal via Auth Broker »

› ›

AWS S3 Static Site JavaScript File Uploaded

edit

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

AWS S3 Static Site JavaScript File Uploaded

edit

This rule detects when a JavaScript file is uploaded or accessed in an S3 static site directory (static/js/) by an IAM user or assumed role. This can indicate suspicious modification of web content hosted on S3, such as injecting malicious scripts into a static website frontend.

Rule type: esql

Rule indices: None

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS S3
Tactic: Impact
Use Case: Web Application Compromise
Use Case: Cloud Threat Detection
Resources: Investigation Guide

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and Analysis

Investigating AWS S3 Static Site JavaScript File Uploaded

An S3 PutObject action that targets a path like static/js/ and uploads a .js file is a potential signal for web content modification. If done by an unexpected IAM user or outside of CI/CD workflows, it may indicate a compromise.

Possible Investigation Steps

Identify the Source User: Check aws.cloudtrail.user_identity.arn, access key ID, and session type (IAMUser, AssumedRole, etc).
Review File Content: Use the S3 GetObject or CloudTrail requestParameters to inspect the uploaded file for signs of obfuscation or injection.
Correlate to Other Events: Review events from the same IAM user before and after the upload (e.g., ListBuckets, GetCallerIdentity, IAM activity).
Look for Multiple Uploads: Attackers may attempt to upload several files or modify multiple directories.

False Positive Analysis

This behavior may be expected during app deployments. Look at:
The user_agent.original to detect legitimate CI tools (like Terraform or GitHub Actions).
Timing patterns—does this match a regular release window?
The origin IP and device identity.

Response and Remediation

Revert Malicious Code: Replace the uploaded JS file with a clean version and invalidate CloudFront cache if applicable.
Revoke Access: If compromise is confirmed, revoke the IAM credentials and disable the user.
Audit IAM Policies: Ensure that only deployment users can modify static site buckets.
Enable Bucket Versioning: This can allow for quick rollback and historical review.

Rule query

edit

from logs-aws.cloudtrail* metadata _id, _version, _index
| where

    // filter on CloudTrail logs for S3 PutObject actions
    event.dataset == "aws.cloudtrail"
    and event.provider == "s3.amazonaws.com"
    and event.action in ("GetObject","PutObject")

    // filter for IAM users, not federated identities
    and aws.cloudtrail.user_identity.type in ("IAMUser", "AssumedRole")

    // filter for S3 static site bucket paths from webpack or similar
    and aws.cloudtrail.request_parameters LIKE "*static/js/*.js*"

    // exclude common IaC tools and automation scripts
    and not (
        user_agent.original LIKE "*Terraform*"
        or user_agent.original LIKE "*Ansible*"
        or user_agent.original LIKE "*Pulumni*"
    )

// extract bucket and object details from request parameters
| dissect aws.cloudtrail.request_parameters "%{{?bucket.name.key}=%{bucket.name}, %{?host.key}=%{bucket.host}, %{?bucket.object.location.key}=%{bucket.object.location}}"

// filter for specific bucket and object structure
| dissect bucket.object.location "%{}static/js/%{bucket.object}"

// filter for JavaScript files
| where ENDS_WITH(bucket.object, ".js")
| keep
    aws.cloudtrail.user_identity.arn,
    aws.cloudtrail.user_identity.access_key_id,
    aws.cloudtrail.user_identity.type,
    aws.cloudtrail.request_parameters,
    bucket.name,
    bucket.object,
    user_agent.original,
    source.ip,
    event.action,
    @timestamp

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Impact
- ID: TA0040
- Reference URL: https://attack.mitre.org/tactics/TA0040/
Technique:
- Name: Data Manipulation
- ID: T1565
- Reference URL: https://attack.mitre.org/techniques/T1565/
Sub-technique:
- Name: Stored Data Manipulation
- ID: T1565.001
- Reference URL: https://attack.mitre.org/techniques/T1565/001/

« Microsoft Azure or Mail Sign-in from a Suspicious Source Microsoft Entra ID SharePoint Access for User Principal via Auth Broker »