/
aws_exfiltration_via_batch_service.yml
55 lines (55 loc) · 2.16 KB
/
aws_exfiltration_via_batch_service.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
name: AWS Exfiltration via Batch Service
id: 04455dd3-ced7-480f-b8e6-5469b99e98e2
version: 1
date: '2023-04-24'
author: Bhavin Patel, Splunk
status: production
type: TTP
data_source:
- AWS CloudTrail JobCreated
description: This search looks for events where AWS Batch Service is used for creating a job that could potentially abuse the AWS Bucket Replication feature on S3 buckets. This AWS service can used to transfer data between different AWS S3 buckets and an attacker can leverage this to exfiltrate data by creating a malicious batch job.
search: '`cloudtrail` eventName = JobCreated | stats count min(_time) as firstTime max(_time) as lastTime values(serviceEventDetails.jobArn) as job_arn values(serviceEventDetails.status) as status by src_ip aws_account_id eventName errorCode userAgent| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_exfiltration_via_datasync_task_filter`'
how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This
search works with AWS CloudTrail logs.
known_false_positives: It is possible that an AWS Administrator or a user has legitimately created this job for some tasks.
references:
- https://hackingthe.cloud/aws/exploitation/s3-bucket-replication-exfiltration/
- https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436
tags:
analytic_story:
- Data Exfiltration
asset_type: AWS Account
confidence: 80
impact: 80
message: AWS Batch Job is created on account id - $aws_account_id$ from src_ip $src_ip$
mitre_attack_id:
- T1119
observable:
- name: src_ip
type: IP Address
role:
- Attacker
- name: aws_account_id
type: Other
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- eventName
- user_arn
- src_ip
- aws_account_id
- userAgent
risk_score: 64
security_domain: threat
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1119/aws_exfil_datasync/cloudtrail.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
update_timestamp: true