Detection rules › Panther
AWS S3 Object Copied to External Account Bucket
Detects when an S3 object is copied from one bucket to another bucket in a different AWS account. This could indicate data exfiltration or a ransomware attack where data is copied to an attacker-controlled account.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Exfiltration | T1537 Transfer Data to Cloud Account |
| Impact | T1486 Data Encrypted for Impact |
Rule body yaml
AnalysisType: rule
Filename: aws_s3_copy_object_to_external_account_bucket.py
RuleID: "AWS.S3.CopyObjectToExternalAccountBucket"
DisplayName: "AWS S3 Object Copied to External Account Bucket"
Enabled: true
CreateAlert: false
LogTypes:
- AWS.CloudTrail
Tags:
- AWS
- Exfiltration:Transfer Data to Cloud Account
- Impact:Data Encrypted for Impact
Reports:
MITRE ATT&CK:
- TA0010:T1537
- TA0040:T1486
Severity: Medium
DedupPeriodMinutes: 60
Description: >
Detects when an S3 object is copied from one bucket to another bucket in a different AWS account.
This could indicate data exfiltration or a ransomware attack where data is copied to an attacker-controlled account.
Runbook: |
1. Query CloudTrail for all S3 API calls by the userIdentity:arn in the 24 hours before and after the alert to establish normal data access patterns
2. Check if the destination account ID appears in any legitimate cross-account S3 operations in the past 90 days
3. Find all CopyObject events to the same destination bucket from any user in the past 7 days to identify if this is part of a broader exfiltration campaign
Reference: https://www.trendmicro.com/en_us/research/25/k/s3-ransomware.html
SummaryAttributes:
- eventName
- userAgent
- sourceIpAddress
- recipientAccountId
- p_any_aws_arns
Tests:
- Name: S3 CopyObject to External Account Bucket
ExpectedResult: true
Log:
{
"userIdentity":
{
"type": "AssumedRole",
"principalId": "AIDAI1234567890EXAMPLE:user",
"arn": "arn:aws:sts::12948575929274:assumed-role/sample-role-keen-cohen/sample-role-hardcore-driscoll-role-brave-yalow-role-intelligent-brahmagupta-role-admiring-vaughan-role-sad-khayyam-role-eager-haslett",
"accountId": "12948575929274",
"accessKeyId": "AKIA-MOCKACCESSKEYID-1",
"sessionContext":
{
"attributes":
{
"mfaAuthenticated": "false",
"creationDate": "2024-01-15T10:30:00Z",
},
"sessionIssuer":
{
"type": "Role",
"principalId": "AIDAI1234567890EXAMPLE",
"arn": "arn:aws:iam::12948575929274:role/sample-role-keen-cohen",
"accountId": "12948575929274",
"userName": "AdminRole",
},
},
},
"eventTime": "2024-01-15T12:00:00Z",
"eventSource": "s3.amazonaws.com",
"eventName": "CopyObject",
"awsRegion": "us-east-1",
"sourceIPAddress": "1.2.3.4",
"userAgent": "aws-cli/2.13.0",
"requestParameters":
{
"bucketName": "attacker-exfil-1764604156",
"key": "customer-database.csv",
"x-amz-copy-source": "ransomware-test-victim-1764604156/customer-database.csv",
},
"responseElements": null,
"requestID": "ABC123DEF456",
"eventID": "12345678-1234-1234-1234-222222222222",
"eventType": "AwsApiCall",
"recipientAccountId": "12948575929274",
"resources":
[
{
"accountId": "111111111111",
"arn": "arn:aws:s3:::sample-bucket-magical-ardinghelli",
"type": "AWS::S3::Bucket",
},
{
"arn": "arn:aws:s3:::sample-bucket-magical-ardinghelli/customer-database.csv",
"type": "AWS::S3::Object",
},
{
"accountId": "12948575929274",
"arn": "arn:aws:s3:::sample-bucket-busy-carver",
"type": "AWS::S3::Bucket",
},
{
"arn": "arn:aws:s3:::sample-bucket-busy-carver/customer-database.csv",
"type": "AWS::S3::Object",
},
],
}
- Name: S3 CopyObject Same Account
ExpectedResult: false
Log:
{
"eventVersion": "1.09",
"userIdentity":
{
"type": "AssumedRole",
"principalId": "AIDAI1234567890EXAMPLE:user",
"arn": "arn:aws:sts::12948575929274:assumed-role/AdminRole/user",
"accountId": "12948575929274",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
},
"eventTime": "2024-01-15T12:00:00Z",
"eventSource": "s3.amazonaws.com",
"eventName": "CopyObject",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.42",
"userAgent": "aws-cli/2.13.0",
"requestParameters":
{
"bucketName": "my-source-bucket",
"key": "data.csv",
"x-amz-copy-source": "my-source-bucket/data.csv",
},
"responseElements": null,
"requestID": "ABC123DEF456",
"eventID": "12345678-1234-1234-1234-123456789012",
"eventType": "AwsApiCall",
"recipientAccountId": "12948575929274",
"resources":
[
{
"accountId": "12948575929274",
"arn": "arn:aws:s3:::my-source-bucket",
"type": "AWS::S3::Bucket",
},
{
"arn": "arn:aws:s3:::my-source-bucket/data.csv",
"type": "AWS::S3::Object",
},
{
"accountId": "12948575929274",
"arn": "arn:aws:s3:::my-dest-bucket",
"type": "AWS::S3::Bucket",
},
{
"arn": "arn:aws:s3:::my-dest-bucket/data.csv",
"type": "AWS::S3::Object",
},
],
}
Detection logic
Condition
not (eventName ne "CopyObject" or errorCode is_not_null or errorMessage is_not_null)
This rule also runs imperative logic the parser cannot express as a filter; the conditions above are the structured part it could extract.
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
errorCode | is_not_null | |
errorMessage | is_not_null | |
eventName | ne | CopyObject |
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
eventName | |
eventSource | |
awsRegion | |
recipientAccountId | |
sourceIPAddress | |
userAgent | |
userIdentity | |
actor_user | |
bucketName | requestParameters.bucketName |
x-amz-copy-source | requestParameters.x-amz-copy-source |