AWS Exfiltration via Anomalous GetObject API Activity

Try in Splunk Security Cloud

Description

This search uses built in Splunk command | anomalydetection to detect anomalies with respect to users making high number of GetObject API calls to download objects from S3 in a 10 minute time window. The field probable_cause is the name of the field that best explains why the event is anomalous. This command identifies anomalous events by computing a probability for each GetObject event by "count" "user_type" "user_arn" and detects anomaly based on the frequencies.

• Type: Anomaly

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

• Last Updated: 2023-04-10
• Author: Bhavin Patel, Splunk
• ID: e4384bbf-5835-4831-8d85-694de6ad2cc6

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1119	Automated Collection	Collection

Kill Chain Phase

• Exploitation

NIST

• DE.AE

CIS20

• CIS 10

CVE

Search

`cloudtrail` eventName=GetObject 
| bin _time span=10m 
|  stats count values(requestParameters.bucketName) as bucketName by _time src_ip aws_account_id user_type user_arn userIdentity.principalId 
| anomalydetection "count" "user_type" "user_arn" action=annotate 
| search probable_cause=* 
|`aws_exfiltration_via_anomalous_getobject_api_activity_filter`

Macros

The SPL above uses the following Macros:

• cloudtrail

aws_exfiltration_via_anomalous_getobject_api_activity_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• _time
• eventName
• user_arn
• src_ip
• aws_account_id
• userAgent
• userIdentity.principalId

How To Implement

You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.

Known False Positives

It is possible that a user downloaded these files to use them locally and there are AWS services in configured that perform these activities for a legitimate reason. Filter is needed.

Associated Analytic Story

• Data Exfiltration

RBA

Risk Score	Impact	Confidence	Message
64.0	80	80	Anomalous S3 activities detected by user $user_arn$ from $src_ip$

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/
• https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchReference/Anomalydetection
• https://www.vectra.ai/blogpost/abusing-the-replicator-silently-exfiltrating-data-with-the-aws-s3-replication-service

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1