AWS Exfiltration via Anomalous GetObject API Activity
Description
This search uses the built-in Splunk command anomalydetection to detect anomalies with respect to users making a high number of GetObject API calls to download objects from S3 in a 10 minute time window. The field probable_cause is the name of the field that best explains why the event is anomalous. The command identifies anomalous events by computing a probability for each GetObject event from the "count", "user_type" and "user_arn" fields and flags an anomaly based on those frequencies.
- Type: Anomaly
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2023-04-10
- Author: Bhavin Patel, Splunk
- ID: e4384bbf-5835-4831-8d85-694de6ad2cc6
Annotations
Kill Chain Phase
- Exploitation
NIST
- DE.AE
CIS20
- CIS 10
CVE
Search
`cloudtrail` eventName=GetObject
| bin _time span=10m
| stats count values(requestParameters.bucketName) as bucketName by _time src_ip aws_account_id user_type user_arn userIdentity.principalId
| anomalydetection "count" "user_type" "user_arn" action=annotate
| search probable_cause=*
| `aws_exfiltration_via_anomalous_getobject_api_activity_filter`
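To see what each stage of the search does outside Splunk, here is an added example (not Splunk's or the analytic author's code) that replays the pipeline over constructed CloudTrail-style GetObject records: it bins them into 10-minute windows, counts per user, and then scores each window row. The scoring multiplies the observed frequencies of the row's count, user_type and user_arn values; that is an assumed approximation of anomalydetection's histogram method, not its actual algorithm, and the 0.01 cutoff, account id, user names and IPs are all placeholders.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

PTHRESH = 0.01  # assumed cutoff; matches anomalydetection's documented default pthresh
FIELDS = ("count", "user_type", "user_arn")  # the fields the SPL hands to anomalydetection

def make_events():
    """Constructed CloudTrail-style GetObject records (placeholder account id), not real logs."""
    base = datetime(2023, 4, 10, 12, 0, tzinfo=timezone.utc)
    acct = "111122223333"
    users = [("IAMUser", f"arn:aws:iam::{acct}:user/{u}", f"10.0.0.{i}")
             for i, u in enumerate(("alice", "bob", "carol"), start=5)]
    users += [("AssumedRole", f"arn:aws:sts::{acct}:assumed-role/{r}/i-0abc", f"10.0.1.{i}")
              for i, r in enumerate(("backup", "etl"), start=2)]
    ev = lambda t, u: {"eventTime": t, "user_type": u[0], "user_arn": u[1], "src_ip": u[2]}
    events = [ev(base + timedelta(minutes=10 * w + k), u)  # steady 2 objects per window
              for w in range(3) for u in users for k in range(2)]
    mallory = ("IAMUser", f"arn:aws:iam::{acct}:user/mallory", "198.51.100.9")
    events += [ev(base + timedelta(minutes=k), mallory) for k in range(2)]  # normal window
    events += [ev(base + timedelta(minutes=20, seconds=s), mallory) for s in range(40)]  # burst
    return events

def bin_and_count(events, span_min=10):
    """`bin _time span=10m | stats count by _time src_ip user_type user_arn`
    (aws_account_id, principalId and values(bucketName) from the SPL are dropped for brevity)."""
    rows = Counter()
    for e in events:
        t = e["eventTime"]
        t = t.replace(minute=t.minute - t.minute % span_min, second=0, microsecond=0)
        rows[(t, e["src_ip"], e["user_type"], e["user_arn"])] += 1
    return [{"_time": t, "src_ip": ip, "user_type": ut, "user_arn": arn, "count": c}
            for (t, ip, ut, arn), c in rows.items()]

def anomalydetection(rows, pthresh=PTHRESH):
    """Annotate rows with a probability and probable_cause, as action=annotate does.
    Assumed approximation: probability = product of each field value's observed frequency."""
    freq = {f: Counter(r[f] for r in rows) for f in FIELDS}
    for r in rows:
        per_field = {f: freq[f][r[f]] / len(rows) for f in FIELDS}
        r["probability"] = 1.0
        for p in per_field.values():
            r["probability"] *= p
        # the rarest field value is what best explains why the row is anomalous
        r["probable_cause"] = min(per_field, key=per_field.get) if r["probability"] < pthresh else None
    return rows

def detect(events):
    """The full pipeline, ending with `search probable_cause=*`."""
    return [r for r in anomalydetection(bin_and_count(events)) if r["probable_cause"]]
```

Running detect(make_events()) returns only the 12:20 window for the constructed "mallory" user, with probable_cause "count", while the same user's normal 12:00 window and the steady IAM and assumed-role users are not flagged.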
Macros
The SPL above uses the following Macros:
aws_exfiltration_via_anomalous_getobject_api_activity_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- eventName
- user_arn
- src_ip
- aws_account_id
- userAgent
- userIdentity.principalId
How To Implement
You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with AWS CloudTrail logs.
Known False Positives
It is possible that a user downloaded these files to use them locally, or that AWS services are configured to perform these activities for a legitimate reason. Filtering is needed.
Associated Analytic Story
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 64.0 | 80 | 80 | Anomalous S3 activities detected by user $user_arn$ from $src_ip$ |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence / 100). The initial Confidence and Impact are set by the analytic author.
Reference
- https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/
- https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchReference/Anomalydetection
- https://www.vectra.ai/blogpost/abusing-the-replicator-silently-exfiltrating-data-with-the-aws-s3-replication-service
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range