aws_exfiltration_via_bucket_replication.yml
name: AWS Exfiltration via Bucket Replication
id: eeb432d6-2212-43b6-9e89-fcd753f7da4c
version: 1
date: '2023-04-28'
author: Bhavin Patel, Splunk
status: production
type: TTP
data_source:
- AWS CloudTrail PutBucketReplication
description: The following analytic detects PutBucketReplication API calls against an S3 bucket, i.e. the creation or replacement of a bucket replication configuration. S3 bucket replication is a feature offered by Amazon Web Services (AWS) that automatically and asynchronously copies objects written after the rule is created from one S3 bucket to another in the same or a different region (existing objects need S3 Batch Replication); it requires versioning on both buckets and an IAM role that the S3 service assumes to perform the copy.
  S3 bucket replication can also be used for cross-account replication, where objects are replicated from a source bucket owned by one AWS account to a destination bucket owned by a different AWS account. An attacker who can call PutBucketReplication on a victim bucket can therefore point it at a bucket in an account they control and let the S3 service deliver the data for them, which is why this analytic fires on the configuration change rather than on object access.
search: '`cloudtrail` eventName = PutBucketReplication eventSource = s3.amazonaws.com
  | rename requestParameters.* as *
  | stats count values(bucketName) as source_bucket values(ReplicationConfiguration.Rule.ID) as rule_id
      values(ReplicationConfiguration.Rule.Destination.Bucket) as destination_bucket
      by _time user_arn userName user_type src_ip aws_account_id userIdentity.principalId user_agent
  | `aws_exfiltration_via_bucket_replication_filter`'
how_to_implement: You must install the Splunk Add-on for AWS and the Splunk App for AWS. This
  search works with AWS CloudTrail logs (sourcetype aws:cloudtrail) and relies on the `cloudtrail` macro
  pointing at the index they are stored in. PutBucketReplication is a bucket-level management event, so a
  standard CloudTrail trail records it; S3 data-event logging is not required.
known_false_positives: It is possible that an AWS admin has legitimately configured replication to ensure data availability and improve data protection/backup strategies. Rules whose destination bucket belongs to an account inside your own organization are the usual benign case and can be tuned out with the filter macro; a destination bucket you do not recognize is the cross-account case the referenced write-up describes and should be triaged.
references:
- https://hackingthe.cloud/aws/exploitation/s3-bucket-replication-exfiltration/
tags:
  analytic_story:
  - Suspicious AWS S3 Activities
  - Data Exfiltration
  asset_type: S3 Bucket
  confidence: 80
  impact: 80
  message: AWS Bucket Replication rule $rule_id$ added on $source_bucket$ with destination $destination_bucket$ by user $user_arn$ from IP Address - $src_ip$
  mitre_attack_id:
  - T1537
  observable:
  - name: user_arn
    type: User
    role:
    - Victim
  - name: src_ip
    type: IP Address
    role:
    - Attacker
  - name: aws_account_id
    type: Other
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - eventName
  - user_arn
  - userName
  - user_type
  - src_ip
  - eventSource
  - requestParameters.*
  - aws_account_id
  - vendor_region
  - user_agent
  - userIdentity.principalId
  risk_score: 64
  security_domain: threat
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1119/aws_exfil_datasync/cloudtrail.json
    sourcetype: aws:cloudtrail
    source: aws_cloudtrail
    update_timestamp: true
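The search above is SPL and only runs inside Splunk. The Python below is an added example, not part of this detection or of the splunk/security_content project: it replays the same logic (the eventName/eventSource filter, the requestParameters extraction, the per-actor grouping) over a few constructed CloudTrail records, handles the single-rule versus multi-rule rendering of the parsed XML body that the SPL's values() absorbs silently, and adds the triage step the known_false_positives note leaves to the analyst: a destination bucket outside the organization's own inventory, or carrying an explicit foreign owner account, is the cross-account case. The bucket inventory, account IDs, ARNs, IPs and user names are all made up.

```python
"""Replay of the PutBucketReplication detection over constructed CloudTrail records.

Added example, not the Splunk detection itself. Mirrors its SPL and adds a triage
verdict per destination bucket. All IDs, ARNs, bucket names and IPs are constructed.
"""
import json

# Constructed inventory of buckets the organisation owns. Assumption: in a real
# deployment this comes from a lookup (CMDB, or ListBuckets across every account).
KNOWN_BUCKETS = {"corp-finance-data", "corp-finance-data-dr", "corp-logs"}

# Constructed CloudTrail records. Field names follow the CloudTrail schema for
# s3.amazonaws.com management events; ReplicationConfiguration is the parsed XML
# body, so a single <Rule> appears as an object and several as an array.
SAMPLE_EVENTS = [
    {   # benign: admin replicates finance data to the organisation's own DR bucket
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketReplication",
        "recipientAccountId": "111111111111", "sourceIPAddress": "198.51.100.23",
        "userAgent": "aws-cli/2.11.0",
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE1",
                         "arn": "arn:aws:iam::111111111111:user/alice", "userName": "alice"},
        "requestParameters": {"bucketName": "corp-finance-data", "ReplicationConfiguration": {
            "Role": "arn:aws:iam::111111111111:role/s3-replication",
            "Rule": {"ID": "rule-dr", "Status": "Enabled",
                     "Destination": {"Bucket": "arn:aws:s3:::corp-finance-data-dr"}}}}},
    {   # suspicious: assumed-role session adds a second rule that targets a foreign account
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketReplication",
        "recipientAccountId": "111111111111", "sourceIPAddress": "203.0.113.77",
        "userAgent": "Boto3/1.26.0",
        "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE2:sess",
                         "arn": "arn:aws:sts::111111111111:assumed-role/ci-deploy/sess"},
        "requestParameters": {"bucketName": "corp-finance-data", "ReplicationConfiguration": {
            "Role": "arn:aws:iam::111111111111:role/s3-replication",
            "Rule": [{"ID": "rule-dr", "Status": "Enabled",
                      "Destination": {"Bucket": "arn:aws:s3:::corp-finance-data-dr"}},
                     {"ID": "rule-sync", "Status": "Enabled",
                      "Destination": {"Bucket": "arn:aws:s3:::ext-sync-7f3a",
                                      "Account": "999999999999"}}]}}},
    {   # noise: reading the configuration is not what the analytic looks for
        "eventSource": "s3.amazonaws.com", "eventName": "GetBucketReplication",
        "recipientAccountId": "111111111111", "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
        "requestParameters": {"bucketName": "corp-finance-data"}},
]


def is_candidate(event):
    """The SPL's WHERE clause: eventName = PutBucketReplication eventSource = s3.amazonaws.com."""
    return (event.get("eventSource") == "s3.amazonaws.com"
            and event.get("eventName") == "PutBucketReplication")


def _as_list(value):
    """Normalise the single-object vs array rendering of <Rule> to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def bucket_name(arn_or_name):
    """Destination.Bucket is an ARN (arn:aws:s3:::name); reduce it to the bare bucket name."""
    return arn_or_name.rsplit(":", 1)[-1]


def extract(event):
    """Equivalent of `rename requestParameters.* as *` plus the stats values() fields."""
    params = event.get("requestParameters") or {}
    rules = _as_list((params.get("ReplicationConfiguration") or {}).get("Rule"))
    ident = event.get("userIdentity") or {}
    destinations = [{"rule_id": r.get("ID"),
                     "bucket": bucket_name((r.get("Destination") or {}).get("Bucket", "")),
                     # Account is only present when the owner-override option is used
                     "account": (r.get("Destination") or {}).get("Account")} for r in rules]
    return {"source_bucket": params.get("bucketName"), "destinations": destinations,
            "user_arn": ident.get("arn"), "user_type": ident.get("type"),
            "user_name": ident.get("userName"), "principal_id": ident.get("principalId"),
            "src_ip": event.get("sourceIPAddress"), "aws_account_id": event.get("recipientAccountId"),
            "user_agent": event.get("userAgent")}


def triage(events, known_buckets=KNOWN_BUCKETS):
    """Run the detection and attach a verdict per destination.

    A destination is flagged when Destination.Account names an account other than the
    one the event was recorded in, or when the bucket is not in our inventory. The
    second test matters: Account is optional and a bucket ARN does not reveal its
    owner, so an unknown destination has to be treated as another account's bucket.
    """
    findings = []
    for event in filter(is_candidate, events):
        finding = extract(event)
        finding["suspicious_destinations"] = [
            d["bucket"] for d in finding["destinations"]
            if (d["account"] is not None and d["account"] != finding["aws_account_id"])
            or d["bucket"] not in known_buckets]
        finding["message"] = (  # same shape as the detection's `message` field
            f"AWS Bucket Replication rule {[d['rule_id'] for d in finding['destinations']]} added on "
            f"{finding['source_bucket']} with destination {[d['bucket'] for d in finding['destinations']]} "
            f"by user {finding['user_arn']} from IP Address - {finding['src_ip']}")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(json.dumps(f, indent=2))
```

Run stand-alone it prints two findings for the three constructed records: the admin's same-organization DR rule with an empty suspicious_destinations list, and the assumed-role session whose second rule points at ext-sync-7f3a in account 999999999999. In a real pipeline the inventory check is what turns the detection's 80/80 confidence and impact into something an on-call analyst can act on without first opening the AWS console.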