EXPLORE
Sign In
← Back to Explore
splunk_escuCorrelation

AWS S3 Exfiltration Behavior Identified

The following analytic identifies potential AWS S3 exfiltration behavior by correlating multiple risk events related to Collection and Exfiltration techniques. It leverages risk events from AWS sources, focusing on instances where two or more unique analytics and distinct MITRE ATT&CK IDs are triggered for a specific risk object. This activity is significant as it may indicate an ongoing data exfiltration attempt, which is critical for security teams to monitor. If confirmed malicious, this could lead to unauthorized access and theft of sensitive information, compromising the organization's data integrity and confidentiality.

Detection Query

| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count values(All_Risk.risk_message) as risk_message FROM datamodel=Risk.All_Risk
  WHERE All_Risk.annotations.mitre_attack.mitre_tactic = "collection"
    OR
    All_Risk.annotations.mitre_attack.mitre_tactic = "exfiltration" source = *AWS*
  BY All_Risk.risk_object
| `drop_dm_object_name(All_Risk)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| where source_count >= 2 and mitre_tactic_id_count>=2
| `aws_s3_exfiltration_behavior_identified_filter`

Author

Bhavin Patel, Splunk

References

Raw Content
name: AWS S3 Exfiltration Behavior Identified
id: 85096389-a443-42df-b89d-200efbb1b560
version: 10
creation_date: '2023-05-04'
modification_date: '2026-05-13'
author: Bhavin Patel, Splunk
status: production
type: Correlation
description: The following analytic identifies potential AWS S3 exfiltration behavior by correlating multiple risk events related to Collection and Exfiltration techniques. It leverages risk events from AWS sources, focusing on instances where two or more unique analytics and distinct MITRE ATT&CK IDs are triggered for a specific risk object. This activity is significant as it may indicate an ongoing data exfiltration attempt, which is critical for security teams to monitor. If confirmed malicious, this could lead to unauthorized access and theft of sensitive information, compromising the organization's data integrity and confidentiality.
data_source: []
search: |-
    | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count values(All_Risk.risk_message) as risk_message FROM datamodel=Risk.All_Risk
      WHERE All_Risk.annotations.mitre_attack.mitre_tactic = "collection"
        OR
        All_Risk.annotations.mitre_attack.mitre_tactic = "exfiltration" source = *AWS*
      BY All_Risk.risk_object
    | `drop_dm_object_name(All_Risk)`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | where source_count >= 2 and mitre_tactic_id_count>=2
    | `aws_s3_exfiltration_behavior_identified_filter`
how_to_implement: You must enable all the detection searches in the Data Exfiltration Analytic story to create risk events in Enterprise Security.
known_false_positives: False positives may be present based on automated tooling or system administrators. Filter as needed.
references:
    - https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/
    - https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/
    - https://hackingthe.cloud/aws/enumeration/loot_public_ebs_snapshots/
drilldown_searches:
    - name: View the detection results for - "$risk_object$"
      search: '%original_detection_search% | search  risk_object = "$risk_object$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$risk_object$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
finding:
    title: Suspicious AWS S3 exfiltration behavior identified - $risk_object$
    entity:
        field: risk_object
        type: other
        score: 0
analytic_story:
    - Suspicious Cloud Instance Activities
    - Data Exfiltration
asset_type: AWS Account
mitre_attack_id:
    - T1537
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: cloud
security_domain: threat
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_exfil_risk_events/aws_risk.log
          sourcetype: stash
          source: aws_exfil
      test_type: unit