LoFP / it is possible that an aws admin has legitimately implemented data replication to ensure data availability and improve data protection/backup strategies.

Techniques

• T1537

Sample rules

AWS Exfiltration via Bucket Replication

• source: splunk
• technicques:
  • T1537

Description

The following analytic detects API calls to enable S3 bucket replication services. It leverages AWS CloudTrail logs to identify PutBucketReplication events, focusing on fields like bucketName, ReplicationConfiguration.Rule.Destination.Bucket, and user details. This activity is significant as it can indicate unauthorized data replication, potentially leading to data exfiltration. If confirmed malicious, attackers could replicate sensitive data to external accounts, leading to data breaches and compliance violations.

Detection logic

`cloudtrail`  eventName = PutBucketReplication eventSource = s3.amazonaws.com 
| rename requestParameters.* as * 
| stats count values(bucketName) as source_bucket values(ReplicationConfiguration.Rule.ID) as rule_id values(ReplicationConfiguration.Rule.Destination.Bucket) as destination_bucket by _time user_arn userName user_type src_ip aws_account_id userIdentity.principalId user_agent 
| `aws_exfiltration_via_bucket_replication_filter`