AWS Detect Users with KMS keys performing encryption S3
- source: splunk
- techniques:
- T1486
Description
The following analytic identifies users with KMS keys performing encryption operations on S3 buckets. It leverages AWS CloudTrail logs to detect the CopyObject event where server-side encryption with AWS KMS is specified. This activity is significant as it may indicate unauthorized or suspicious encryption of data, potentially masking exfiltration or tampering efforts. If confirmed malicious, an attacker could be encrypting sensitive data to evade detection or preparing it for exfiltration, posing a significant risk to data integrity and confidentiality.
Detection logic
`cloudtrail` eventName=CopyObject requestParameters.x-amz-server-side-encryption="aws:kms"
| rename requestParameters.bucketName AS bucketName, requestParameters.x-amz-copy-source AS src_file, requestParameters.key AS dest_file
| rename user_name as user
| stats count min(_time) as firstTime max(_time) as lastTime by signature dest user user_agent src vendor_account vendor_region vendor_product bucketName src_file dest_file
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_detect_users_with_kms_keys_performing_encryption_s3_filter`
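The same filter and aggregation applied to raw CloudTrail JSON records in Python, as an added example that is not part of the Splunk rule. The records are constructed sample data, and the stats grouping is reduced to user, bucket, source object and destination object (the host, agent, account and region fields of the SPL are left out).

```python
from collections import defaultdict
from datetime import datetime

ISO = "%Y-%m-%dT%H:%M:%SZ"  # CloudTrail eventTime format

def _event(time, name, user, bucket, src, key, sse):
    """Build a minimal constructed CloudTrail record (sample data, not real)."""
    params = {"bucketName": bucket, "x-amz-copy-source": src, "key": key}
    if sse is not None:
        params["x-amz-server-side-encryption"] = sse
    return {"eventTime": time, "eventName": name,
            "userIdentity": {"userName": user}, "requestParameters": params}

# Constructed sample events: two KMS copies of the same object, one KMS copy of a
# second object, and three non-matching records (AES256 copy, plain copy, KMS PutObject).
SAMPLE_EVENTS = [
    _event("2024-05-01T10:00:00Z", "CopyObject", "alice", "finance-data",
           "finance-data/q1.csv", "archive/q1.csv", "aws:kms"),
    _event("2024-05-01T10:05:00Z", "CopyObject", "alice", "finance-data",
           "finance-data/q1.csv", "archive/q1.csv", "aws:kms"),
    _event("2024-05-01T10:07:00Z", "CopyObject", "alice", "finance-data",
           "finance-data/q2.csv", "archive/q2.csv", "aws:kms"),
    _event("2024-05-01T10:09:00Z", "CopyObject", "bob", "finance-data",
           "finance-data/q3.csv", "archive/q3.csv", "AES256"),
    _event("2024-05-01T10:10:00Z", "CopyObject", "bob", "finance-data",
           "finance-data/q4.csv", "archive/q4.csv", None),
    _event("2024-05-01T10:11:00Z", "PutObject", "carol", "finance-data",
           None, "upload.csv", "aws:kms"),
]

def detect_kms_copy_encryption(events):
    """Return {(user, bucketName, src_file, dest_file): {count, firstTime, lastTime}}
    for CopyObject events that request SSE-KMS, mirroring the SPL filter and stats."""
    groups = defaultdict(list)
    for ev in events:
        params = ev.get("requestParameters") or {}
        # Filter: eventName=CopyObject requestParameters.x-amz-server-side-encryption="aws:kms"
        if ev.get("eventName") != "CopyObject":
            continue
        if params.get("x-amz-server-side-encryption") != "aws:kms":
            continue
        user = (ev.get("userIdentity") or {}).get("userName", "unknown")
        key = (user, params.get("bucketName"),
               params.get("x-amz-copy-source"), params.get("key"))
        groups[key].append(datetime.strptime(ev["eventTime"], ISO))
    # stats count min(_time) as firstTime max(_time) as lastTime by <key fields>
    return {k: {"count": len(ts), "firstTime": min(ts).strftime(ISO),
                "lastTime": max(ts).strftime(ISO)} for k, ts in groups.items()}
```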