| ID | Technique | Tactic |
|---|---|---|
| T1055 | Process Injection | Privilege Escalation |
Detection: AWS Bedrock Claude High Risk Filesystem and Exec Tool Invocation
Description
Detects identities invoking high-risk filesystem and execution tools via AWS Bedrock Claude. For each identity, monitors the usage of potentially dangerous commands and flags any anomalous activity that deviates from their historical baseline. This may indicate attempts to escalate privileges, exfiltrate data, or execute unauthorized commands.
Search
1`aws_bedrock_claude`
2
3| spath output="tool_called" path="output.outputBodyJson{}.content_block.toolUse.name"
4
5| spath output="out_tokens_stream" path="output.outputBodyJson{}.usage.output_tokens"
6
7| where tool_called IN ("bash","curl","edit","write","webfetch","grep","read","read_file")
8
9| eval out_tokens = coalesce(mvindex('out_tokens_stream', -1), 'output.outputTokenCount', 0)
10
11| eval in_tokens = coalesce('input.inputTokenCount', 0)
12
13| eval user_session = replace('identity.arn', ".*/", "")
14
15| eval identity_type = case(
16 'identity.arn' LIKE "%botocore-session%", "automated",
17 'identity.arn' LIKE "%assumed-role%", "assumed_role",
18 'identity.arn' LIKE "%user%", "iam_user",
19 true(), "other")
20
21| stats
22 count AS invocations,
23 dc(tool_called) AS unique_tools_used,
24 sum(in_tokens) AS total_input_tokens,
25 sum(out_tokens) AS total_output_tokens,
26 values(tool_called) AS tools_invoked,
27 values('identity.arn') AS caller_list,
28 values(identity_type) AS identity_types,
29 dc('identity.arn') AS unique_callers,
30 min(_time) AS first_seen,
31 max(_time) AS last_seen
32 BY modelId, region, user_session
33
34| eval tokens_per_call = round(total_output_tokens / invocations, 0)
35
36| eval first_seen = strftime(first_seen - 28800, "%Y-%m-%d %H:%M:%S")
37
38| eval last_seen = strftime(last_seen - 28800, "%Y-%m-%d %H:%M:%S")
39
40| eval user = user_session
41
42| eval severity = case(
43 mvfind(tools_invoked, "bash") >= 0 AND mvfind(tools_invoked, "curl") >= 0, "critical",
44 mvfind(tools_invoked, "bash") >= 0 AND mvfind(tools_invoked, "write") >= 0, "critical",
45 mvfind(tools_invoked, "curl") >= 0 AND mvfind(tools_invoked, "edit") >= 0, "critical",
46 mvfind(identity_types, "assumed_role") >= 0 AND mvfind(tools_invoked, "bash") >= 0, "critical",
47 mvfind(tools_invoked, "bash") >= 0, "high",
48 mvfind(tools_invoked, "curl") >= 0, "high",
49 mvfind(tools_invoked, "edit") >= 0, "high",
50 mvfind(tools_invoked, "write") >= 0, "high",
51 mvfind(tools_invoked, "webfetch") >= 0, "high",
52 unique_tools_used >= 3, "high",
53 true(), "medium")
54
55| eval risk_reason = case(
56 mvfind(tools_invoked, "bash") >= 0 AND mvfind(tools_invoked, "curl") >= 0, "bash and curl invoked together - possible download and execute chain",
57 mvfind(tools_invoked, "bash") >= 0 AND mvfind(tools_invoked, "write") >= 0, "bash and write invoked together - possible execution and persistence chain",
58 mvfind(tools_invoked, "curl") >= 0 AND mvfind(tools_invoked, "edit") >= 0, "curl and edit invoked together - possible remote content retrieval and file modification",
59 mvfind(identity_types, "assumed_role") >= 0 AND mvfind(tools_invoked, "bash") >= 0, "Human identity invoking bash via AI model - direct shell execution risk",
60 mvfind(tools_invoked, "bash") >= 0, "bash invoked via Bedrock Claude - shell execution through AI model",
61 mvfind(tools_invoked, "curl") >= 0, "curl invoked via Bedrock Claude - network call through AI model",
62 mvfind(tools_invoked, "edit") >= 0, "edit invoked via Bedrock Claude - file modification through AI model",
63 mvfind(tools_invoked, "write") >= 0, "write invoked via Bedrock Claude - file write through AI model",
64 mvfind(tools_invoked, "webfetch") >= 0, "webfetch invoked via Bedrock Claude - remote content retrieval through AI model",
65 unique_tools_used >= 3, "Broad filesystem and execution tool set invoked via AI model - reconnaissance pattern",
66 true(), "Filesystem tool invoked via Bedrock Claude")
67
68| where severity IN ("critical","high")
69
70| table severity, risk_reason, modelId, region, user,unique_tools_used, caller_list, identity_types, invocations, tools_invoked, total_input_tokens, total_output_tokens, tokens_per_call, first_seen, last_seen
71
72| sort -unique_tools_used, -invocations
73
74| `aws_bedrock_claude_high_risk_filesystem_and_exec_tool_invocation_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| AWS Bedrock Claude | 'json_no_timestamp' |
'aws_bedrock' |
Macros Used
| Name | Value |
|---|---|
| aws_bedrock_claude | (sourcetype="json_no_timestamp") |
| aws_bedrock_claude_high_risk_filesystem_and_exec_tool_invocation_filter | search * |
aws_bedrock_claude_high_risk_filesystem_and_exec_tool_invocation_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Finding (Notable) | No |
| Creates Intermediate Finding (Risk Event) | Yes |
Implementation
You must install and configure the Splunk Add-on for AWS (https://splunkbase.splunk.com/app/1876). Enable Amazon Bedrock model invocation logging in AWS so that Claude request/response payloads are delivered to S3 and/or CloudWatch Logs (see https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html for setup steps), then ingest those logs into Splunk via the AWS TA. Configure the aws_bedrock_claude macro to point to the index and sourcetype (json_no_timestamp) where these logs land.
Known False Positives
This detection may produce false positives for legitimate developer activity where authorized users invoke shell execution, file write, or network tools through Claude Code as part of normal software development, deployment automation, or infrastructure management workflows.
Associated Analytic Story
Intermediate Findings
| Message | Entity Field | Entity Type | Risk Score |
|---|---|---|---|
| Identity $user$ invoked high-risk filesystem and execution tools $tools_invoked$ via AWS Bedrock Claude with severity $severity$ and reason $risk_reason$. | user | user | 50 |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | http:bulkawsbedrock |
json_no_timestamp |
| Integration | ✅ Passing | Dataset | http:bulkawsbedrock |
json_no_timestamp |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub |
Version: 1