LoFP / it is possible that an aws admin has legitimately implemented data replication to ensure data availability and improve data protection/backup strategies.

Techniques

• T1537

Sample rules

AWS Exfiltration via Bucket Replication

• source: splunk
• technicques:
  • T1537

Description

The following analytic detects API calls to enable S3 bucket replication services. It leverages AWS CloudTrail logs to identify PutBucketReplication events, focusing on fields like bucketName, ReplicationConfiguration.Rule.Destination.Bucket, and user details. This activity is significant as it can indicate unauthorized data replication, potentially leading to data exfiltration. If confirmed malicious, attackers could replicate sensitive data to external accounts, leading to data breaches and compliance violations.

Detection logic

`cloudtrail`  eventName = PutBucketReplication eventSource = s3.amazonaws.com 
| rename user_name as user, requestParameters.ReplicationConfiguration.Rule.Destination.Bucket as bucket_name 
| stats count min(_time) as firstTime max(_time) as lastTime by signature dest user user_agent src vendor_account vendor_region vendor_product bucket_name 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_exfiltration_via_bucket_replication_filter`