AWS API Activity from Uncommon S3 Client by Rare User

Last updated: 2026-02-09
Created: 2026-02-09

About

Identifies AWS API activity originating from uncommon desktop client applications based on the user agent string. This rule detects S3 Browser and Cyberduck, which are graphical S3 management tools that provide bulk upload/download capabilities. While legitimate, these tools are rarely used in enterprise environments and have been observed in use by threat actors for data exfiltration. Any activity from these clients should be validated against authorized data transfer workflows.
Tags
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS CloudTrail
Data Source: AWS S3
Tactic: Exfiltration
Use Case: Threat Detection
Language: kuery
Severity
low
Risk Score
21
MITRE ATT&CK™

Exfiltration (TA0010)

False Positive Examples
Some organizations may have legitimate use cases for S3 Browser or Cyberduck, particularly in development, data migration, or backup scenarios. Verify whether the IAM principal, source network, and accessed buckets align with approved workflows. Unexpected activity from these clients, especially accessing sensitive buckets, should be investigated.
License
Elastic License v2

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-aws.cloudtrail-*
Related Integrations

aws

Query
event.dataset: "aws.cloudtrail" and user_agent.original: (*S3 Browser* or *Cyberduck*) and event.outcome: "success"
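As an added illustration (not Elastic's rule engine and not code from this page), the following Python reproduces the query's three conditions and the New Terms "rare user" stage over a few constructed CloudTrail-style events written with ECS field names. The new-terms field (user.name), the case-sensitive wildcard match, and the sample user agent strings are assumptions.

```python
"""Emulation of this rule's query filter and its New Terms ("rare user") stage,
run over constructed CloudTrail-style events.  Added example code, not Elastic's
rule engine.  Assumptions: user.name is the new-terms field (the page does not
say which field the rule keys on), and user_agent.original is a keyword field,
so the KQL wildcard match is case-sensitive."""
from dataclasses import dataclass

# Substrings matched by the rule's wildcard clauses on user_agent.original.
UNCOMMON_CLIENTS = ("S3 Browser", "Cyberduck")


def matches_query(event: dict) -> bool:
    """Return True when an event satisfies:
    event.dataset: "aws.cloudtrail" and user_agent.original: (*S3 Browser* or *Cyberduck*)
    and event.outcome: "success"
    """
    ua = event.get("user_agent.original", "")
    return (
        event.get("event.dataset") == "aws.cloudtrail"
        and any(client in ua for client in UNCOMMON_CLIENTS)
        and event.get("event.outcome") == "success"
    )


def client_name(ua: str) -> str:
    """Name the uncommon client that matched, for the alert summary."""
    return next((c for c in UNCOMMON_CLIENTS if c in ua), "unknown")


@dataclass(frozen=True)
class Alert:
    timestamp: str
    user: str
    client: str
    action: str


def new_terms_alerts(events, history=frozenset()):
    """Emulate the New Terms stage keyed on user.name (assumed field).

    Only the first query match for a user not already present in `history`
    raises an alert; `history` stands in for the users observed during the
    rule's history window, so a user seen there produces no alert at all.
    """
    seen = set(history)
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_query(ev):
            continue
        user = ev.get("user.name", "<unknown>")
        if user in seen:
            continue
        seen.add(user)
        alerts.append(Alert(ev["@timestamp"], user,
                            client_name(ev["user_agent.original"]),
                            ev.get("event.action", "")))
    return alerts


def _ev(ts, action, outcome, user, ua, dataset="aws.cloudtrail"):
    """Build a constructed ECS-style event (not real CloudTrail data)."""
    return {"@timestamp": ts, "event.dataset": dataset, "event.action": action,
            "event.outcome": outcome, "user.name": user, "user_agent.original": ua}


# Constructed sample events covering the cases the rule must tell apart.
SAMPLE_EVENTS = [
    _ev("2026-02-09T10:00:00Z", "GetObject", "success", "alice", "S3 Browser/11.9 (Windows)"),
    _ev("2026-02-09T10:00:05Z", "GetObject", "success", "alice", "S3 Browser/11.9 (Windows)"),  # repeat user: no second alert
    _ev("2026-02-09T10:01:00Z", "ListObjects", "failure", "bob", "Cyberduck/8.7.3 (Mac OS X)"),  # failed call: filtered out
    _ev("2026-02-09T10:02:00Z", "PutObject", "success", "carol", "aws-cli/2.15.0"),            # common client: filtered out
    _ev("2026-02-09T10:03:00Z", "GetObject", "success", "dave", "Cyberduck/8.7.3 (Mac OS X)"),
    _ev("2026-02-09T10:04:00Z", "GetObject", "success", "erin", "S3 Browser/11.9 (Windows)",
        dataset="aws.s3access"),                                                                 # wrong dataset: filtered out
]

if __name__ == "__main__":
    # With alice already in the history window, only dave is a new term.
    for alert in new_terms_alerts(SAMPLE_EVENTS, history={"alice"}):
        print(alert)
```

The split between matches_query and new_terms_alerts mirrors how the rule behaves in practice: the query alone fires on every successful S3 Browser or Cyberduck call, while the New Terms stage suppresses repeat activity from a principal that has already been seen, which is what makes the alert volume manageable for the triage the false-positive section describes.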

Install detection rules in Elastic Security

Detect AWS API Activity from Uncommon S3 Client by Rare User in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.