| ID | Technique | Tactic |
|---|---|---|
| T1537 | Transfer Data to Cloud Account | Exfiltration |
Detection: AWS Exfiltration via Bucket Replication
Description
The following analytic detects API calls to enable S3 bucket replication services. It leverages AWS CloudTrail logs to identify PutBucketReplication events, focusing on fields like bucketName, ReplicationConfiguration.Rule.Destination.Bucket, and user details. This activity is significant as it can indicate unauthorized data replication, potentially leading to data exfiltration. If confirmed malicious, attackers could replicate sensitive data to external accounts, leading to data breaches and compliance violations.
Search
1`cloudtrail` eventName = PutBucketReplication eventSource = s3.amazonaws.com
2
3| rename user_name as user, requestParameters.ReplicationConfiguration.Rule.Destination.Bucket as bucket_name
4
5| stats count min(_time) as firstTime max(_time) as lastTime
6 BY signature dest user
7 user_agent src vendor_account
8 vendor_region vendor_product bucket_name
9
10| `security_content_ctime(firstTime)`
11
12| `security_content_ctime(lastTime)`
13
14| `aws_exfiltration_via_bucket_replication_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| AWS CloudTrail PutBucketReplication |  AWS |
'aws:cloudtrail' |
'aws_cloudtrail' |
Macros Used
| Name | Value |
|---|---|
| security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
| aws_exfiltration_via_bucket_replication_filter | search * |
aws_exfiltration_via_bucket_replication_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Actions on Objectives
DE.CM
CIS 10
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Finding (Notable) | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Intermediate Finding (Risk Event) | No |
TTP detections generate a Finding (Notable) and may generate Intermediate Findings (Risk Events) for associated entities.
Implementation
You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
Known False Positives
It is possible that an AWS admin has legitimately implemented data replication to ensure data availability and improve data protection/backup strategies.
Associated Analytic Story
Finding
| Title | Entity Field | Entity Type | Risk Score |
|---|---|---|---|
| AWS Bucket Replication rule added to $bucket_name$ by user $user$ from IP Address - $src$ | user | user | 50 |
Threat Objects
| Field | Type |
|---|---|
| src | ip_address |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | aws_cloudtrail |
aws:cloudtrail |
| Integration | ✅ Passing | Dataset | aws_cloudtrail |
aws:cloudtrail |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 10