AWS Exfiltration via Batch Service
- source: splunk
- techniques:
- T1119
Description
The following analytic identifies the creation of AWS Batch jobs that could potentially abuse the AWS Bucket Replication feature on S3 buckets. It leverages AWS CloudTrail logs to detect the JobCreated event, analyzing job details and their status. This activity is significant because attackers can exploit this feature to exfiltrate data by creating malicious batch jobs. If confirmed malicious, this could lead to unauthorized data transfer between S3 buckets, resulting in data breaches and loss of sensitive information.
Detection logic
`cloudtrail` eventName = JobCreated
| fillnull
| rename user_name as user
| stats count min(_time) as firstTime max(_time) as lastTime by signature dest user user_agent src vendor_account vendor_region vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_exfiltration_via_batch_service_filter`
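As an added example (not Splunk's own code), the same filter and aggregation re-implemented in Python over a few constructed CloudTrail records, so the grouping and the effect of fillnull can be checked outside Splunk. The CIM field mapping in to_cim, the "AWS CloudTrail" vendor_product value and the sample records are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

def _rec(t, name, source, region, ip, ua, ident):
    """Build one constructed CloudTrail record (sample data, not real telemetry)."""
    return {"eventTime": t, "eventName": name, "eventSource": source, "awsRegion": region,
            "sourceIPAddress": ip, "userAgent": ua, "recipientAccountId": "123456789012",
            "userIdentity": ident}

OPERATOR = {"type": "IAMUser", "userName": "batch-operator"}
CI_ROLE = {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ci-role/build"}
# Two JobCreated events from one principal, one from a role with no userAgent, one unrelated S3 call.
SAMPLE_CLOUDTRAIL = [
    _rec("2024-05-01T10:00:00Z", "JobCreated", "batch.amazonaws.com", "us-east-1", "203.0.113.10", "aws-cli/2.15.0", OPERATOR),
    _rec("2024-05-01T10:07:30Z", "JobCreated", "batch.amazonaws.com", "us-east-1", "203.0.113.10", "aws-cli/2.15.0", OPERATOR),
    _rec("2024-05-01T11:00:00Z", "JobCreated", "batch.amazonaws.com", "eu-west-1", "198.51.100.7", None, CI_ROLE),
    _rec("2024-05-01T10:03:00Z", "ListBuckets", "s3.amazonaws.com", "us-east-1", "203.0.113.10", "aws-cli/2.15.0", OPERATOR),
]
GROUP_FIELDS = ("signature", "dest", "user", "user_agent", "src",
                "vendor_account", "vendor_region", "vendor_product")

def to_cim(rec):
    """Assumed approximation of the CIM fields the SPL groups by (not the Splunk
    Add-on for AWS's exact mapping). None becomes "0", `fillnull`'s default fill value."""
    ident = rec.get("userIdentity", {})
    raw = {"signature": rec.get("eventName"), "dest": rec.get("eventSource"),
           "user": ident.get("userName") or ident.get("arn"), "user_agent": rec.get("userAgent"),
           "src": rec.get("sourceIPAddress"), "vendor_account": rec.get("recipientAccountId"),
           "vendor_region": rec.get("awsRegion"), "vendor_product": "AWS CloudTrail"}
    return {k: ("0" if v is None else v) for k, v in raw.items()}

def ctime(epoch):
    """Stand-in for `security_content_ctime`: epoch seconds to a readable UTC string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")

def detect_batch_job_creation(records):
    """eventName=JobCreated | fillnull | stats count min(_time) max(_time) by GROUP_FIELDS."""
    groups = defaultdict(list)
    for rec in records:
        if rec.get("eventName") != "JobCreated":
            continue
        # CloudTrail eventTime is UTC ISO-8601 with a trailing Z; this plays the role of _time.
        t = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        cim = to_cim(rec)
        groups[tuple(cim[f] for f in GROUP_FIELDS)].append(t.timestamp())
    rows = []
    for key, times in groups.items():
        rows.append({**dict(zip(GROUP_FIELDS, key)), "count": len(times),
                     "firstTime": ctime(min(times)), "lastTime": ctime(max(times))})
    return sorted(rows, key=lambda r: r["firstTime"])
```

Each returned row corresponds to one line of the stats output; a real deployment would still apply the aws_exfiltration_via_batch_service_filter macro to suppress known-good job submitters.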