
Suspicious use of AWS APIs indicating S3 data staging and exfiltration

ID: aws_s3_exfiltration_suspicious
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0009 (Collection): T1530 (Data from Cloud Storage)

Description

AlphaSOC detected AWS API use consistent with the staging and exfiltration of data held in S3. Attackers use S3 APIs to collate and package sensitive objects into a location they control (staging) before copying them out of the account (exfiltration).

Impact

Threat actors stage and exfiltrate data to prepare and move stolen objects out of S3 buckets using the permissions already granted to a compromised principal or AWS service, so the transfer looks like ordinary API use and can evade controls that only watch for external tooling. The result is exposure of sensitive data stored in S3, intellectual property theft, and compliance violations. Stolen data (credentials, configuration, customer records) can also be used in secondary attacks to gain unauthorized access to further resources.

Severity

Severity        Condition
Informational   One unexpected property (action, ASN, user agent or region)
Low             Two unexpected properties at the same time
Medium          Three unexpected properties at the same time

Investigation and Remediation

Investigate the detected operation by reviewing the AWS CloudTrail records to identify the principal (userIdentity), client IP address, user agent, region, and the specific S3 actions and objects involved. Verify whether the operations were authorized and part of a normal business process. If unauthorized activity is confirmed, revoke or rotate the relevant IAM credentials, restore any modified data from backups where possible, and conduct a thorough security assessment of the affected S3 buckets and objects (including any bucket policy, ACL or replication configuration changes made during the activity) and of the associated AWS accounts.
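The severity table above and the triage steps in this section can be expressed directly as code. The following is an added example, not AlphaSOC's implementation: it takes CloudTrail records, keeps the S3 calls that can stage or move bucket contents, compares the action, source ASN, user agent family and region against an expected baseline, maps the number of unexpected properties to the page's severity levels, and groups the resulting findings by principal and client IP for an investigator. The staging action set, the baseline, the IP-to-ASN map (a stand-in for a GeoIP/ASN enrichment database) and the log records are all constructed for the example.

```python
"""Added example (not AlphaSOC's code): score S3 staging-related CloudTrail
events by counting unexpected properties, then summarise them for triage.
The action set, baseline, ASN map and log records are constructed."""
import json
from dataclasses import dataclass

# Assumption: S3 calls that can stage or move bucket contents. The page does
# not enumerate the exact set matched by the detection.
STAGING_ACTIONS = {"GetObject", "CopyObject", "SelectObjectContent",
                   "UploadPartCopy", "PutBucketReplication"}

# Constructed baseline of expected properties; in practice it is learned
# from historical CloudTrail data per principal.
BASELINE = {
    "action": {"GetObject", "PutObject", "ListBucket"},
    "asn": {16509},                       # constructed: workload runs in AWS
    "user_agent": {"aws-sdk-go", "aws-internal"},
    "region": {"us-east-1", "us-west-2"},
}

# Constructed stand-in for a GeoIP/ASN enrichment database.
IP_TO_ASN = {"52.94.76.10": 16509, "203.0.113.45": 64512}

# Severity table from the page, keyed by the number of unexpected properties.
SEVERITY_BY_COUNT = {1: "Informational", 2: "Low", 3: "Medium"}
SEVERITY_RANK = {"Informational": 1, "Low": 2, "Medium": 3}


@dataclass
class Finding:
    principal: str
    source_ip: str
    action: str
    unexpected: list          # which of action/asn/user_agent/region deviated
    severity: str


def user_agent_family(ua):
    """Reduce 'aws-sdk-go/1.44.0 (go1.19; linux)' or
    '[aws-cli/2.13.0 Python/3.11 ...]' to the leading product token."""
    return ua.strip("[]").split("/", 1)[0].split(" ", 1)[0]


def evaluate_record(rec, baseline=BASELINE):
    """Return a Finding for an S3 staging-related record, else None."""
    if rec.get("eventSource") != "s3.amazonaws.com":
        return None
    action = rec.get("eventName")
    if action not in STAGING_ACTIONS:
        return None
    observed = {
        "action": action,
        "asn": IP_TO_ASN.get(rec.get("sourceIPAddress")),
        "user_agent": user_agent_family(rec.get("userAgent", "")),
        "region": rec.get("awsRegion"),
    }
    unexpected = [k for k, v in observed.items() if v not in baseline[k]]
    if not unexpected:
        return None
    # The page's table tops out at three simultaneous deviations.
    severity = SEVERITY_BY_COUNT[min(len(unexpected), 3)]
    ident = rec.get("userIdentity", {})
    principal = ident.get("arn") or ident.get("principalId", "unknown")
    return Finding(principal, rec.get("sourceIPAddress"), action, unexpected, severity)


def triage(records):
    """Group findings by (principal, source IP): the investigator's first
    question is who did what, from where, and how bad it looks."""
    summary = {}
    for rec in records:
        f = evaluate_record(rec)
        if f is None:
            continue
        entry = summary.setdefault((f.principal, f.source_ip),
                                   {"actions": [], "unexpected": set(), "severity": f.severity})
        entry["actions"].append(f.action)
        entry["unexpected"].update(f.unexpected)
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = f.severity
    return summary


# Constructed CloudTrail records (trimmed to the fields used above).
SAMPLE_RECORDS = json.loads("""{"Records": [
 {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "awsRegion": "us-east-1",
  "sourceIPAddress": "52.94.76.10", "userAgent": "aws-sdk-go/1.44.0 (go1.19; linux; amd64)",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:role/etl-worker"}},
 {"eventSource": "s3.amazonaws.com", "eventName": "SelectObjectContent", "awsRegion": "us-east-1",
  "sourceIPAddress": "52.94.76.10", "userAgent": "aws-sdk-go/1.44.0 (go1.19; linux; amd64)",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:role/etl-worker"}},
 {"eventSource": "s3.amazonaws.com", "eventName": "CopyObject", "awsRegion": "eu-west-1",
  "sourceIPAddress": "203.0.113.45", "userAgent": "[aws-cli/2.13.0 Python/3.11.4 Linux/5.15 exe/x86_64]",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"}},
 {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "awsRegion": "us-east-1",
  "sourceIPAddress": "203.0.113.45", "userAgent": "[aws-cli/2.13.0 Python/3.11.4 Linux/5.15 exe/x86_64]",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"}},
 {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "awsRegion": "us-east-1",
  "sourceIPAddress": "203.0.113.45", "userAgent": "[aws-cli/2.13.0 Python/3.11.4 Linux/5.15 exe/x86_64]",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"}}
]}""")["Records"]

if __name__ == "__main__":
    for (principal, ip), entry in triage(SAMPLE_RECORDS).items():
        print(f"{entry['severity']:<13} {principal} from {ip}: "
              f"{entry['actions']} unexpected={sorted(entry['unexpected'])}")
```

Running the block shows the etl-worker role's SelectObjectContent call from inside AWS scored Informational (one unexpected property), while the ci-deploy user's CopyObject to eu-west-1 from an outside network with the CLI deviates on all four properties and is capped at Medium. Grouping by principal and source IP is deliberate: a single Low-rated GetObject is easy to dismiss, but the same credential and IP also issuing an unexpected CopyObject is the pattern the Investigation section asks you to verify first.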

Known False Positives

  • Legitimate data migration or backup processes that use S3 APIs such as CopyObject
  • Large-scale data analysis jobs that use the SelectObjectContent API

Further Reading