Use of AWS APIs indicating S3 data staging and exfiltration
Description
AlphaSOC detected AWS API use related to S3 data staging and exfiltration. Attackers use S3 APIs to collate and package sensitive data held in S3 buckets (staging) before moving it out of the account (exfiltration).
Impact
Threat actors stage and exfiltrate data from S3 buckets using IAM permissions already granted to a compromised user, role, or service, so the activity looks like ordinary API use and can pass existing security controls without triggering detection. This can result in exposure of sensitive data stored in S3 buckets, intellectual property theft, and compliance violations. Stolen data (for example credentials or configuration files) can also be used in secondary attacks to gain unauthorized access to further resources.
Severity
| Severity | Condition |
|---|---|
| Informational | One unexpected property (action, ASN, user agent, or region) |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Investigate the detected operation by reviewing AWS CloudTrail logs to identify the principal (user or role), client IP address, user agent, region, and the specific S3 actions and objects involved. Verify whether the operations were authorized and part of normal business processes. If unauthorized activity is confirmed, revoke or rotate the relevant IAM credentials (note that revoking an IAM user's access keys does not terminate existing STS sessions; attach a deny policy or delete the session's role if those are in use), restore modified or deleted objects from backups or versioning where possible, and conduct a thorough security assessment of the affected S3 buckets, objects, and associated AWS accounts.
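The following Python script is an added example (not AlphaSOC or AWS code) showing how the severity table above and the CloudTrail review described here can be applied to S3 data events. It assumes a per-account baseline of expected actions, source ASNs, user-agent prefixes, and regions, uses a constructed IP-to-ASN table in place of a real lookup, and treats four unexpected properties the same as three (the table stops at Medium). The CloudTrail records are constructed for the example and are not real log output.

```python
"""CloudTrail triage for S3 staging/exfiltration alerts (added example)."""
import json
from collections import Counter

# Constructed baseline for a hypothetical account (assumption).
BASELINE = {
    "actions": {"GetObject", "PutObject", "ListObjects", "HeadObject"},
    "asns": {16509},                          # AS16509 (Amazon), the expected egress ASN here
    "user_agents": ("aws-cli/2", "Boto3/"),   # accepted user-agent prefixes
    "regions": {"us-east-1", "us-west-2"},
}

# Constructed stand-in for an IP-to-ASN lookup (assumption).
IP_TO_ASN = {
    "52.94.76.10": 16509,   # Amazon-range address used for the example
    "203.0.113.7": 64500,   # TEST-NET-3 address, private-use ASN
}

# Severity table from the detection page; four unexpected properties are
# capped at Medium (assumption, since the table stops at three).
SEVERITY = {0: None, 1: "Informational", 2: "Low", 3: "Medium"}


def unexpected_properties(event: dict) -> list:
    """Name each of action / ASN / user agent / region that is outside the baseline."""
    found = []
    if event["eventName"] not in BASELINE["actions"]:
        found.append("action")
    if IP_TO_ASN.get(event["sourceIPAddress"]) not in BASELINE["asns"]:
        found.append("asn")
    if not event.get("userAgent", "").startswith(BASELINE["user_agents"]):
        found.append("user_agent")
    if event["awsRegion"] not in BASELINE["regions"]:
        found.append("region")
    return found


def triage(event: dict) -> dict:
    """Pull out what an analyst checks first in CloudTrail and score the event."""
    unexpected = unexpected_properties(event)
    params = event.get("requestParameters") or {}
    identity = event["userIdentity"]
    return {
        "time": event["eventTime"],
        "principal": identity.get("arn", identity.get("type")),
        "source_ip": event["sourceIPAddress"],
        "action": event["eventName"],
        "bucket": params.get("bucketName"),
        "key": params.get("key"),
        "unexpected": unexpected,
        "severity": SEVERITY[min(len(unexpected), 3)],
    }


def triage_log(lines: list) -> list:
    """Triage newline-delimited CloudTrail records, keeping only S3 data events."""
    results = []
    for line in lines:
        event = json.loads(line)
        if event.get("eventSource") == "s3.amazonaws.com":
            results.append(triage(event))
    return results


def actions_per_principal(results: list) -> dict:
    """Count S3 actions per principal; bursts of copy/select calls suggest staging."""
    per = {}
    for r in results:
        per.setdefault(r["principal"], Counter())[r["action"]] += 1
    return per


def _event(name, ip, ua, region, key, principal="arn:aws:iam::123456789012:user/analyst"):
    """Build one constructed CloudTrail S3 data event (not real log output)."""
    return json.dumps({
        "eventVersion": "1.08", "eventTime": "2024-05-01T10:00:00Z",
        "eventSource": "s3.amazonaws.com", "eventName": name, "awsRegion": region,
        "sourceIPAddress": ip, "userAgent": ua,
        "userIdentity": {"type": "IAMUser", "arn": principal},
        "requestParameters": {"bucketName": "corp-finance-reports", "key": key},
    })


SAMPLE_LOG = [  # constructed records: expected, one, two and four unexpected properties
    _event("GetObject", "52.94.76.10", "aws-cli/2.15.0", "us-east-1", "q1/report.pdf"),
    _event("GetObject", "203.0.113.7", "Boto3/1.34.0", "us-east-1", "q1/report.pdf"),
    _event("CopyObject", "52.94.76.10", "curl/8.4.0", "us-east-1", "staging/all.tar"),
    _event("SelectObjectContent", "203.0.113.7", "python-requests/2.31.0", "eu-central-1",
           "q1/customers.csv"),
    json.dumps({"eventSource": "iam.amazonaws.com", "eventName": "ListUsers"}),  # skipped
]

if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG):
        print(r["severity"], r["principal"], r["source_ip"], r["action"], r["key"], r["unexpected"])
    print(actions_per_principal(triage_log(SAMPLE_LOG)))
```

In real use the baseline would come from the account's own CloudTrail history and the ASN from an IP-to-ASN dataset; the point of the per-principal action count is that staging shows up as one identity issuing many copy or select calls in a short window, which a single-event severity score does not capture on its own.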
Known False Positives
- Legitimate data migration or backup processes using S3 APIs
- Large-scale data analysis operations using SelectObjectContent API