AWS S3 Exfiltration Behavior Identified

name: AWS S3 Exfiltration Behavior Identified
id: 85096389-a443-42df-b89d-200efbb1b560
version: 8
date: '2026-02-25'
author: Bhavin Patel, Splunk
status: production
type: Correlation
data_source: []
description: The following analytic identifies potential AWS S3 exfiltration behavior by correlating multiple risk events related to Collection and Exfiltration techniques. It leverages risk events from AWS sources, focusing on instances where two or more unique analytics and distinct MITRE ATT&CK IDs are triggered for a specific risk object. This activity is significant as it may indicate an ongoing data exfiltration attempt, which is critical for security teams to monitor. If confirmed malicious, this could lead to unauthorized access and theft of sensitive information, compromising the organization's data integrity and confidentiality.
search: |-
    | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count values(All_Risk.risk_message) as risk_message FROM datamodel=Risk.All_Risk
      WHERE All_Risk.annotations.mitre_attack.mitre_tactic = "collection"
        OR
        All_Risk.annotations.mitre_attack.mitre_tactic = "exfiltration" source = *AWS*
      BY All_Risk.risk_object
    | `drop_dm_object_name(All_Risk)`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | where source_count >= 2 and mitre_tactic_id_count>=2
    | `aws_s3_exfiltration_behavior_identified_filter`
how_to_implement: You must enable all the detection searches in the Data Exfiltration Analytic story to create risk events in Enterprise Security.
known_false_positives: alse positives may be present based on automated tooling or system administrators. Filter as needed.
references:
    - https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/
    - https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/
    - https://hackingthe.cloud/aws/enumeration/loot_public_ebs_snapshots/
drilldown_searches:
    - name: View the detection results for - "$risk_object$"
      search: '%original_detection_search% | search  risk_object = "$risk_object$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$risk_object$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
tags:
    analytic_story:
        - Suspicious Cloud Instance Activities
        - Data Exfiltration
    asset_type: AWS Account
    mitre_attack_id:
        - T1537
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: threat
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_exfil_risk_events/aws_risk.log
          sourcetype: stash
          source: aws_exfil