
Use of AWS APIs indicating data staging and exfiltration

ID: aws_data_exfiltration
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0010:T1537

Description

AlphaSOC detected AWS API use related to data staging and exfiltration. Attackers use AWS APIs to collate and package sensitive data within the AWS environment (known as staging) that is subsequently exfiltrated.

Impact

Threat actors can use data staging and exfiltration to prepare and move stolen data, exploiting permissions granted to AWS services to bypass security controls and evade detection. This can result in access to sensitive data, intellectual property theft, and compliance violations. Stolen data can be used for secondary attacks to gain unauthorized access to more resources.

Severity

Severity       Condition
Informational  Unexpected action, ASN, user agent or region
Low            Two unexpected properties at the same time
Medium         Three unexpected properties at the same time
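
The severity ladder above scores how many of the four properties (action, ASN, user agent, region) fall outside what is expected for the calling principal. The following is an added example, not AlphaSOC's detection code, that applies that ladder to CloudTrail records; the baseline profile, the IP-to-ASN lookup, the account id and user name, and the rule that counts above three still score Medium are all assumptions made for the example.

```python
import json

# Severity ladder from the page: count of unexpected properties among action,
# ASN, user agent and region. Three or more is scored Medium (assumption: the
# page stops at three, so higher counts are capped there).
SEVERITY_BY_COUNT = {1: "Informational", 2: "Low", 3: "Medium"}

# Constructed baseline for one principal (hypothetical account id and user name).
BASELINE = {
    "arn:aws:iam::123456789012:user/backup-svc": {
        "action": {"s3:GetObject", "s3:PutObject", "s3:ListBucket"},
        "asn": {16509},
        "user_agent": {"aws-sdk-go"},
        "region": {"us-east-1"},
    }
}
# Constructed IP-to-ASN lookup standing in for a real ASN database.
ASN_OF_IP = {"52.94.76.10": 16509, "198.51.100.7": 64512}

def event_properties(event, asn_of_ip):
    """Pull the four scored properties out of one CloudTrail record."""
    service = event["eventSource"].split(".")[0]  # "s3.amazonaws.com" -> "s3"
    return {
        "action": f"{service}:{event['eventName']}",
        "asn": asn_of_ip.get(event.get("sourceIPAddress")),
        "user_agent": event.get("userAgent", "").split("/")[0],  # product family only
        "region": event.get("awsRegion"),
    }

def score_event(event, baseline=BASELINE, asn_of_ip=ASN_OF_IP):
    """Return (severity, unexpected properties); severity is None if all is expected."""
    profile = baseline.get(event["userIdentity"]["arn"])
    if profile is None:
        return None, []  # no baseline for this principal: nothing to compare against
    props = event_properties(event, asn_of_ip)
    unexpected = [name for name, value in props.items() if value not in profile[name]]
    return SEVERITY_BY_COUNT.get(min(len(unexpected), 3)), unexpected

def scan_log(lines):
    """Score newline-delimited CloudTrail JSON; returns [(eventName, severity, unexpected)]."""
    return [(e["eventName"], *score_event(e)) for e in map(json.loads, lines)]

# Constructed records: a routine read, then a copy from a new ASN using a new tool.
SAMPLE_LOG = [
    '{"eventSource":"s3.amazonaws.com","eventName":"GetObject","awsRegion":"us-east-1",'
    '"sourceIPAddress":"52.94.76.10","userAgent":"aws-sdk-go/1.44.0 (go1.19; linux; amd64)",'
    '"userIdentity":{"arn":"arn:aws:iam::123456789012:user/backup-svc"}}',
    '{"eventSource":"s3.amazonaws.com","eventName":"CopyObject","awsRegion":"us-east-1",'
    '"sourceIPAddress":"198.51.100.7","userAgent":"aws-cli/2.13.0 Python/3.11.4",'
    '"userIdentity":{"arn":"arn:aws:iam::123456789012:user/backup-svc"}}',
]
```

Running `scan_log(SAMPLE_LOG)` scores the first record as expected and the second as Medium, because action, ASN and user agent are all new for that principal while the region is not.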

Investigation and Remediation

Examine the specific AWS API calls, focusing on the resources accessed, the amount of data transferred, and the identity of the caller. Review CloudTrail logs for unusual patterns or unauthorized access. Identify and revoke any compromised credentials. Isolate affected resources and rotate all access keys. Using legitimate AWS services for exfiltration makes it difficult to distinguish malicious activity from normal operations, potentially allowing data breaches to go unnoticed for extended periods of time.

Known False Positives

  • Establishment of a new, legitimate connection between a user and a network with a given ASN
  • Large-scale data migrations or backups to external storage services
  • Automated scripts or applications that legitimately transfer data between AWS services
  • Development and testing activities involving data replication or movement