AWS Exfiltration via Bucket Replication
The following analytic detects API calls made to an S3 bucket when bucket replication services are enabled. S3 bucket replication is a feature offered by Amazon Web Services (AWS) that allows you to automatically and asynchronously copy data from one S3 bucket to another in the same or different region.
S3 bucket replication can also be used for cross-account replication, where data is replicated from a source bucket owned by one AWS account to a destination bucket owned by a different AWS account.
- Type: TTP
Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2023-04-28
- Author: Bhavin Patel, Splunk
- ID: eeb432d6-2212-43b6-9e89-fcd753f7da4c
Kill Chain Phase
- Actions On Objectives
- CIS 10
1 2 3 4 `cloudtrail` eventName = PutBucketReplication eventSource = s3.amazonaws.com | rename requestParameters.* as * | stats count values(bucketName) as source_bucket values(ReplicationConfiguration.Rule.ID) as rule_id values(ReplicationConfiguration.Rule.Destination.Bucket) as destination_bucket by _time user_arn userName user_type src_ip aws_account_id userIdentity.principalId user_agent | `aws_exfiltration_via_ec2_snapshot_filter`
The SPL above uses the following Macros:
aws_exfiltration_via_bucket_replication_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
List of fields required to use this analytic.
How To Implement
You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
Known False Positives
It is possible that an AWS admin has legitimately implemented data replication to ensure data availability and improve data protection/backup strategies.
Associated Analytic Story
|64.0||80||80||AWS Bucket Replication rule $rule$ added on $source_bucket$ to $destination_bucket$ by user $user_arn$ from IP Address - $src_ip$|
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
Replay any dataset to Splunk Enterprise by using our
replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 1