Step 2: Detection
Query AWS CloudTrail for large-volume `GetObject`, `CopyObject`, or `ListBucket` events, particularly those accessing S3 buckets containing email or HR data. Look for API calls from unfamiliar IP ranges, unusual geographic locations, or service accounts not associated with known automation. Review IAM authentication logs for failed MFA challenges, token reuse anomalies, or successful logins following credential stuffing patterns. If Ivanti EPMM is deployed, check application logs for exploitation indicators. Note: prior Ivanti EPMM authentication bypass vulnerabilities (CVE-2023-35078, CVE-2023-35082) are referenced here as analogous attack patterns; a link between the current incident and these CVEs is not confirmed.
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis: correlate indicators across log sources to establish scope, timeline, and data accessed; the 350 GB exfiltration claim requires quantifying actual S3 data egress before scope can be defined
NIST AU-6 (Audit Record Review, Analysis, and Reporting) — structured review of CloudTrail logs for data-plane exfiltration indicators
NIST AU-12 (Audit Record Generation) — verify CloudTrail was enabled and logging data-plane S3 events (not just management events) during the incident window
NIST SI-4 (System Monitoring) — analyze network and API-level indicators of large-volume object retrieval consistent with 350 GB exfiltration
NIST IR-5 (Incident Monitoring) — track and document all detected CloudTrail anomalies as incident artifacts
CIS 8.2 (Collect Audit Logs) — confirm audit logging was active and intact for CloudTrail, IAM, and S3 data-plane events before relying on absence of logs as evidence
Compensating Control
Without a SIEM: use AWS CloudTrail Lake or Athena (both have free tiers) to run SQL queries directly against CloudTrail logs. Query: `SELECT userIdentity.arn, sourceIPAddress, eventName, requestParameters, responseElements, eventTime FROM cloudtrail_logs WHERE eventName IN ('GetObject','CopyObject','ListBucket','GetBucketAcl') AND eventTime BETWEEN '2025-01-01' AND '2026-03-04' ORDER BY eventTime DESC`. For Ivanti EPMM, grep the EPMM application logs at `/opt/MobileIron/Tomcat/logs/` for HTTP 200 responses to `/mifs/aad/api/v2/` endpoints (the unauthenticated API path exploited in CVE-2023-35078) from external IPs. Anchor the internal-range exclusion to the leading client-IP field of the access log and suppress filename prefixes with `-h`, otherwise lines that merely contain `10.` elsewhere (for example in a user-agent string) are dropped and the `^` anchor never matches: `grep -hE '(GET|POST) /mifs/aad/api/v2/' access_log* | grep -Ev '^(10\.|192\.168\.)'`. For credential stuffing detection, download IAM authentication events from CloudTrail and filter for `ConsoleLogin` events with `additionalEventData.MFAUsed = No` on successful logins, or with `responseElements.ConsoleLogin = Failure` (CloudTrail records the reason in `errorMessage`, e.g. `Failed authentication`) for failed attempts.
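As an added example (not part of this playbook or any AWS tooling), the following Python script applies the Step 2 indicators to CloudTrail records offline, which is useful when no SIEM is available and the records have been pulled from S3 as JSON. It counts data-plane calls against sensitive buckets per principal, flags those made from outside an allow-list of known ranges, and separates non-MFA console logins from failed-login bursts per source IP. The sample records, the `KNOWN_RANGES` list, the `SENSITIVE_BUCKETS` set and the account number are constructed assumptions.

```python
import ipaddress
import json
from collections import Counter

# Assumed for this demonstration: source ranges the organisation treats as known
# (corporate egress, automation runners). Substitute the real inventory.
KNOWN_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("10.0.0.0/8")]
# Assumed: the buckets classified as holding email or HR data.
SENSITIVE_BUCKETS = {"corp-hr-records", "mail-archive-prod"}
# The data-plane and bucket-metadata calls named in the playbook's query.
DATA_EVENTS = {"GetObject", "CopyObject", "ListBucket", "GetBucketAcl"}

ACCT = "arn:aws:iam::111122223333"  # constructed account
# Constructed sample records in the shape of a CloudTrail log file's "Records" array.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2026-02-10T03:12:01Z", "eventName": "GetObject",
     "userIdentity": {"arn": ACCT + ":user/svc-backup"}, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "corp-hr-records", "key": "payroll/2025.csv"}},
    {"eventTime": "2026-02-10T03:12:04Z", "eventName": "GetObject",
     "userIdentity": {"arn": ACCT + ":user/svc-backup"}, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "mail-archive-prod", "key": "mbox/ceo.pst"}},
    {"eventTime": "2026-02-10T03:11:58Z", "eventName": "ListBucket",
     "userIdentity": {"arn": ACCT + ":user/svc-backup"}, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "corp-hr-records"}},
    {"eventTime": "2026-02-10T09:00:00Z", "eventName": "GetObject",
     "userIdentity": {"arn": ACCT + ":user/alice"}, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"bucketName": "public-assets", "key": "logo.png"}},
    {"eventTime": "2026-02-10T09:05:00Z", "eventName": "CopyObject",
     "userIdentity": {"arn": ACCT + ":role/ci-deploy"}, "sourceIPAddress": "10.1.2.3",
     "requestParameters": {"bucketName": "corp-hr-records", "key": "exports/q1.csv"}},
    {"eventTime": "2026-02-10T03:10:30Z", "eventName": "ConsoleLogin",
     "userIdentity": {"arn": ACCT + ":user/jdoe"}, "sourceIPAddress": "198.51.100.7",
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2026-02-10T03:09:10Z", "eventName": "ConsoleLogin",
     "userIdentity": {"arn": ACCT + ":user/jdoe"}, "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
    {"eventTime": "2026-02-10T03:09:40Z", "eventName": "ConsoleLogin",
     "userIdentity": {"arn": ACCT + ":user/jdoe"}, "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
]})


def load_records(text):
    """Parse a CloudTrail log file body and return its Records list."""
    return json.loads(text)["Records"]


def is_known_ip(source):
    """True when sourceIPAddress falls in an allow-listed range. CloudTrail also
    writes service names (e.g. "AWS Internal") in that field; treat those as unknown."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False
    return any(addr in net for net in KNOWN_RANGES)


def triage(records, volume_threshold=2):
    """Apply the Step 2 indicators to a list of CloudTrail records."""
    by_principal = Counter()      # data-plane calls against sensitive buckets
    unknown_ip_access = []        # (time, principal, ip, bucket) from outside KNOWN_RANGES
    no_mfa_logins = []            # successful ConsoleLogin with MFAUsed == "No"
    failed_logins = Counter()     # failed ConsoleLogin attempts per source IP
    for rec in records:
        name = rec.get("eventName")
        arn = rec.get("userIdentity", {}).get("arn", "<unknown>")
        ip = rec.get("sourceIPAddress", "")
        if name in DATA_EVENTS:
            bucket = rec.get("requestParameters", {}).get("bucketName")
            if bucket in SENSITIVE_BUCKETS:
                by_principal[arn] += 1
                if not is_known_ip(ip):
                    unknown_ip_access.append((rec["eventTime"], arn, ip, bucket))
        elif name == "ConsoleLogin":
            outcome = rec.get("responseElements", {}).get("ConsoleLogin")
            mfa = rec.get("additionalEventData", {}).get("MFAUsed")
            if outcome == "Success" and mfa == "No":
                no_mfa_logins.append((rec["eventTime"], arn, ip))
            elif outcome == "Failure":
                failed_logins[ip] += 1
    return {
        "high_volume_principals": {a: n for a, n in by_principal.items() if n >= volume_threshold},
        "unknown_ip_access": sorted(unknown_ip_access),
        "no_mfa_logins": no_mfa_logins,
        "failed_logins_by_ip": dict(failed_logins),
    }


if __name__ == "__main__":
    for key, value in triage(load_records(SAMPLE_LOG)).items():
        print(key, value)
```

The `volume_threshold` is deliberately low for the sample; against real data set it from a baseline of each principal's normal call rate, and feed `unknown_ip_access` rows straight into the incident artifact list that IR-5 asks for.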
Preserve Evidence
Capture S3 server access logs (separate from CloudTrail — must be enabled per bucket; located at the configured S3 logging target bucket) for the buckets identified as containing email or HR data, as these logs record individual object-level GET/LIST requests with byte counts that can validate or refute the 350 GB exfiltration claim. Server access log delivery is best-effort and can lag, so pair them with CloudTrail S3 data events rather than treating a gap in them as proof that no access occurred. Pull CloudTrail `CreateNetworkAclEntry`, `AuthorizeSecurityGroupIngress`, and `ModifyInstanceAttribute` events to detect attacker-created network paths for exfiltration channels. For Ivanti EPMM exploitation indicators, collect the Tomcat access log (`/opt/MobileIron/Tomcat/logs/access_log.YYYY-MM-DD.txt`) and search for anomalous POST requests to `/mifs/aad/api/v2/admins/users` or `/api/v2/` paths with non-internal source IPs, which are the API endpoints abused for unauthenticated access in CVE-2023-35078.
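To turn the preserved S3 server access logs into an egress figure, here is an added Python example (not the playbook's own tooling and not an AWS utility) that parses the space-delimited server access log format, sums `bytes_sent` for successful object reads per requester and per bucket, counts bucket listings and denied requests, and expresses the total against the claimed 350 GB. The log lines are constructed samples with the real column layout; the requester ARNs, bucket names and canonical owner ID are assumptions.

```python
import re
from collections import Counter

# S3 server access log records are space-delimited; the timestamp is bracketed and
# the request line, referer and user agent are quoted, so split on those units.
FIELD = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')
# 0-based positions of the fields this analysis uses in the server access log format.
BUCKET, REMOTE_IP, REQUESTER, OPERATION, HTTP_STATUS, BYTES_SENT = 1, 3, 4, 6, 9, 11
# Operations that move object bytes out of a bucket (REST.COPY.OBJECT_GET is the
# source-side read of a copy).
EGRESS_OPS = {"REST.GET.OBJECT", "REST.COPY.OBJECT_GET"}

OWNER = "79a59df900b949e55d96a1e698fbacedfd6e09d98eaf5c3f62dc5e8b1b7d8e4f"  # constructed owner ID
SVC = "arn:aws:iam::111122223333:user/svc-backup"    # assumed requester
ALICE = "arn:aws:iam::111122223333:user/alice"       # assumed requester
# Trailing columns (referer, user agent, version id, host id, signature, cipher,
# auth type, host header, TLS version, access point ARN, aclRequired) as placeholders.
TAIL = '"-" "aws-cli/2.15.0" - hostid= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader host TLSv1.2 - -'
# Constructed sample lines; the blank line checks that malformed input is skipped.
SAMPLE_LINES = [
    f'{OWNER} corp-hr-records [10/Feb/2026:03:12:01 +0000] 198.51.100.7 {SVC} 3E57427F3EXAMPLE '
    f'REST.GET.OBJECT payroll/2025.csv "GET /payroll/2025.csv HTTP/1.1" 200 - 5242880 5242880 120 35 {TAIL}',
    f'{OWNER} mail-archive-prod [10/Feb/2026:03:12:04 +0000] 198.51.100.7 {SVC} 7A1B2C3D4EXAMPLE '
    f'REST.GET.OBJECT mbox/ceo.pst "GET /mbox/ceo.pst HTTP/1.1" 200 - 3145728 3145728 90 20 {TAIL}',
    f'{OWNER} corp-hr-records [10/Feb/2026:03:11:58 +0000] 198.51.100.7 {SVC} 9F8E7D6C5EXAMPLE '
    f'REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 200 - 4096 - 15 14 {TAIL}',
    "",
    f'{OWNER} corp-hr-records [10/Feb/2026:09:00:00 +0000] 203.0.113.10 {ALICE} 1122334455EXAMPLE '
    f'REST.GET.OBJECT payroll/2025.csv "GET /payroll/2025.csv HTTP/1.1" 403 AccessDenied - - 5 5 {TAIL}',
    f'{OWNER} corp-hr-records [10/Feb/2026:03:14:20 +0000] 198.51.100.7 {SVC} 5566778899EXAMPLE '
    f'REST.GET.OBJECT exports/q1.csv "GET /exports/q1.csv HTTP/1.1" 206 - 1048576 8388608 40 10 {TAIL}',
]


def parse_line(line):
    """Split one server access log record into the fields used here, or None if short."""
    fields = FIELD.findall(line)
    if len(fields) <= BYTES_SENT:
        return None
    sent = fields[BYTES_SENT]
    return {"bucket": fields[BUCKET], "remote_ip": fields[REMOTE_IP],
            "requester": fields[REQUESTER], "operation": fields[OPERATION],
            "status": fields[HTTP_STATUS],
            "bytes_sent": 0 if sent == "-" else int(sent)}  # "-" means no body sent


def summarize_egress(lines):
    """Aggregate object bytes actually served, listings, and denials per requester."""
    out = {"bytes_by_requester": Counter(), "bytes_by_bucket": Counter(),
           "listings_by_requester": Counter(), "denied_by_requester": Counter()}
    for line in lines:
        rec = parse_line(line.strip())
        if rec is None:
            continue
        # Only successful (full or ranged) object reads count toward egress.
        if rec["operation"] in EGRESS_OPS and rec["status"] in ("200", "206"):
            out["bytes_by_requester"][rec["requester"]] += rec["bytes_sent"]
            out["bytes_by_bucket"][rec["bucket"]] += rec["bytes_sent"]
        elif rec["operation"] == "REST.GET.BUCKET":
            out["listings_by_requester"][rec["requester"]] += 1
        if rec["status"] == "403":
            out["denied_by_requester"][rec["requester"]] += 1
    out["total_bytes"] = sum(out["bytes_by_bucket"].values())
    return out


def fraction_of_claim(total_bytes, claimed_gb):
    """Share of a claimed exfiltration volume (decimal GB) that the logs account for."""
    return total_bytes / (claimed_gb * 10**9)


if __name__ == "__main__":
    summary = summarize_egress(SAMPLE_LINES)
    print("logged egress bytes:", summary["total_bytes"])
    print("fraction of 350 GB claim:", fraction_of_claim(summary["total_bytes"], 350))
    print("per requester:", dict(summary["bytes_by_requester"]))
```

Run it over the concatenated log objects from the logging target bucket for the incident window; `bytes_by_bucket` gives the per-bucket egress the NIST 800-61r3 scoping step needs, and a low `fraction_of_claim` is a prompt to check AU-12 coverage (whether logging was enabled for every affected bucket) before concluding the claim is overstated.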