It is possible that an AWS administrator or a user has legitimately created this job for some tasks.

Techniques

Sample rules

AWS Exfiltration via Batch Service

Description

This search looks for events where the AWS Batch service is used to create a job that could abuse the AWS Bucket Replication feature on S3 buckets. This AWS service can be used to transfer data between different S3 buckets, and an attacker can leverage it to exfiltrate data by creating a malicious batch job.

Detection logic

`cloudtrail` eventName = JobCreated 
|  stats count min(_time) as firstTime max(_time) as lastTime values(serviceEventDetails.jobArn) as job_arn values(serviceEventDetails.status) as status by src_ip  aws_account_id eventName errorCode userAgent
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_exfiltration_via_datasync_task_filter`
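The same aggregation expressed in Python as an added example (this is not code from the LoFP page or from Splunk's rule): it walks constructed CloudTrail records, keeps the JobCreated events, groups them exactly as the SPL `stats ... by` clause does, and takes an `is_expected` predicate that plays the role of the rule's trailing `_filter` macro, which is where the legitimate administrator jobs from the false-positive note would be tuned out. Field names (eventTime, sourceIPAddress, recipientAccountId, serviceEventDetails) are the raw CloudTrail names that the `cloudtrail` macro normalises to src_ip and aws_account_id; the sample values are made up.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample CloudTrail records (not real data). Two service-originated
# JobCreated events for one account plus one unrelated API call that must be ignored.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-10T08:00:00Z", "eventName": "JobCreated",
     "sourceIPAddress": "s3.amazonaws.com", "recipientAccountId": "111122223333",
     "errorCode": "", "userAgent": "s3.amazonaws.com",
     "serviceEventDetails": {"jobArn": "arn:aws:s3:us-east-1:111122223333:job/job-1",
                             "status": "Complete"}},
    {"eventTime": "2024-01-10T08:05:00Z", "eventName": "JobCreated",
     "sourceIPAddress": "s3.amazonaws.com", "recipientAccountId": "111122223333",
     "errorCode": "", "userAgent": "s3.amazonaws.com",
     "serviceEventDetails": {"jobArn": "arn:aws:s3:us-east-1:111122223333:job/job-2",
                             "status": "Failed"}},
    {"eventTime": "2024-01-10T09:00:00Z", "eventName": "SubmitJob",
     "sourceIPAddress": "203.0.113.5", "recipientAccountId": "111122223333",
     "errorCode": "", "userAgent": "aws-cli/2.0", "serviceEventDetails": {}},
]


def detect_batch_job_created(events, is_expected=lambda ev: False):
    """Mirror the rule: select eventName=JobCreated, drop records the analyst has
    marked as expected (the `_filter` macro's job), then aggregate count, first/last
    time, job ARNs and statuses by src_ip, account, eventName, errorCode, userAgent."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                  "job_arn": set(), "status": set()})
    for ev in events:
        if ev.get("eventName") != "JobCreated" or is_expected(ev):
            continue
        key = (ev.get("sourceIPAddress"), ev.get("recipientAccountId"),
               ev["eventName"], ev.get("errorCode", ""), ev.get("userAgent", ""))
        t = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        g = groups[key]
        g["count"] += 1
        g["first"] = t if g["first"] is None else min(g["first"], t)
        g["last"] = t if g["last"] is None else max(g["last"], t)
        details = ev.get("serviceEventDetails") or {}
        if "jobArn" in details:
            g["job_arn"].add(details["jobArn"])
        if "status" in details:
            g["status"].add(details["status"])
    return dict(groups)


if __name__ == "__main__":
    for key, row in detect_batch_job_created(SAMPLE_EVENTS).items():
        print(key, row["count"], sorted(row["job_arn"]), sorted(row["status"]))
```

Passing a predicate such as `lambda ev: ev.get("recipientAccountId") in KNOWN_ADMIN_ACCOUNTS` suppresses the legitimate administrator jobs the false-positive note describes while leaving every other JobCreated aggregate in the output.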