Techniques
Sample rules
AWS Exfiltration via Batch Service
- source: splunk
- techniques:
- T1119
Description
The following analytic identifies the creation of AWS Batch jobs that could potentially abuse the AWS Bucket Replication feature on S3 buckets. It leverages AWS CloudTrail logs to detect the JobCreated event and summarizes the job ARNs and their status per source IP, account, and user agent. This activity is significant because attackers can exploit this feature to exfiltrate data by creating malicious batch jobs. If confirmed malicious, this could lead to unauthorized data transfer between S3 buckets, resulting in data breaches and loss of sensitive information. Note that every JobCreated event matches the search, so environments that run AWS Batch legitimately will need exclusions added in the filter macro at the end of the search.
Detection logic
`cloudtrail` eventName = JobCreated
| stats count min(_time) as firstTime max(_time) as lastTime values(serviceEventDetails.jobArn) as job_arn values(serviceEventDetails.status) as status by src_ip aws_account_id eventName errorCode userAgent
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_exfiltration_via_batch_service_filter`
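To show what the search above actually groups, here is an added Python re-implementation of the same logic run over constructed CloudTrail records. It is not Splunk's code and the records are not real data: the CIM mapping src_ip to sourceIPAddress and aws_account_id to recipientAccountId is assumed, and the allowlist in apply_filter is a hypothetical stand-in for the tuning that the `aws_exfiltration_via_batch_service_filter` macro would hold.

```python
"""Python equivalent of the SPL search above, applied to constructed CloudTrail
records so the grouping can be inspected offline. Added example, not Splunk's code."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records (not real CloudTrail data). Only fields the search
# references are present. Assumed CIM mapping: src_ip <- sourceIPAddress,
# aws_account_id <- recipientAccountId; errorCode is absent on success.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "batch.amazonaws.com",
     "eventName": "JobCreated", "sourceIPAddress": "203.0.113.10",
     "recipientAccountId": "111122223333", "userAgent": "aws-cli/2.15.0",
     "serviceEventDetails": {"jobArn": "arn:aws:batch:us-east-1:111122223333:job/aaaa-1111",
                             "status": "SUBMITTED"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "batch.amazonaws.com",
     "eventName": "JobCreated", "sourceIPAddress": "203.0.113.10",
     "recipientAccountId": "111122223333", "userAgent": "aws-cli/2.15.0",
     "serviceEventDetails": {"jobArn": "arn:aws:batch:us-east-1:111122223333:job/bbbb-2222",
                             "status": "RUNNABLE"}},
    # Not a JobCreated event: must be ignored by the search.
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "batch.amazonaws.com",
     "eventName": "SubmitJob", "sourceIPAddress": "203.0.113.10",
     "recipientAccountId": "111122223333", "userAgent": "aws-cli/2.15.0"},
    {"eventTime": "2024-05-01T12:30:00Z", "eventSource": "batch.amazonaws.com",
     "eventName": "JobCreated", "sourceIPAddress": "198.51.100.7",
     "recipientAccountId": "111122223333", "userAgent": "Boto3/1.34.0",
     "serviceEventDetails": {"jobArn": "arn:aws:batch:us-east-1:111122223333:job/cccc-3333",
                             "status": "SUBMITTED"}},
]


def _parse_time(s):
    """CloudTrail eventTime is ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _ctime(dt):
    """Mirror security_content_ctime: render the timestamp in readable form."""
    return dt.strftime("%Y-%m-%d %H:%M:%S")


def job_created_stats(events):
    """eventName=JobCreated | stats count min(_time) max(_time) values(jobArn)
    values(status) by src_ip aws_account_id eventName errorCode userAgent."""
    groups = defaultdict(list)
    for ev in events:
        if ev.get("eventName") != "JobCreated":
            continue
        key = (ev.get("sourceIPAddress"), ev.get("recipientAccountId"),
               ev["eventName"], ev.get("errorCode"), ev.get("userAgent"))
        groups[key].append(ev)

    rows = []
    for (src_ip, account, name, err, ua), evs in groups.items():
        times = [_parse_time(e["eventTime"]) for e in evs]
        details = [e.get("serviceEventDetails", {}) for e in evs]
        rows.append({
            "src_ip": src_ip, "aws_account_id": account, "eventName": name,
            "errorCode": err, "userAgent": ua, "count": len(evs),
            "firstTime": _ctime(min(times)), "lastTime": _ctime(max(times)),
            # values() returns the distinct set; sorted here for stable output
            "job_arn": sorted({d["jobArn"] for d in details if "jobArn" in d}),
            "status": sorted({d["status"] for d in details if "status" in d}),
        })
    rows.sort(key=lambda r: (r["src_ip"] or "", r["userAgent"] or ""))
    return rows


def apply_filter(rows, allowed_user_agents=()):
    """Stand-in for the `aws_exfiltration_via_batch_service_filter` macro.
    Suppressing known pipeline user agents is a hypothetical tuning choice,
    not something the search ships with."""
    return [r for r in rows if r["userAgent"] not in allowed_user_agents]


if __name__ == "__main__":
    for row in apply_filter(job_created_stats(SAMPLE_EVENTS)):
        print(row)
```

Two rows come out: one per source IP and user agent, the first carrying both job ARNs and both statuses from the 203.0.113.10 operator. Grouping on userAgent is what makes the macro tuning workable; a CI runner that creates jobs all day collapses into a single row that can be excluded without hiding a console or CLI session from an unfamiliar address.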