| ID | Technique | Tactic |
|---|---|---|
| T1055 | Process Injection | Privilege Escalation |
Detection: AWS Bedrock Claude Possible Prompt Injection
Description
This search surfaces AWS Bedrock Claude prompts containing phrases commonly associated with prompt injection or jailbreak attempts, such as instruction overrides, persona switching, or requests to ignore prior guidance. These strings are not inherently malicious on their own - many of them (for example "act as", "you must", or "new persona") appear routinely in legitimate system prompts, few-shot examples, and role-play or creative-writing use cases. This is a hunting search rather than an anomaly detection because the base rate of benign matches is high; use it to pivot into the surrounding conversation and look for corroborating signals such as the phrase appearing mid-conversation rather than in an expected system/few-shot prompt, the user attempting to override guardrails or safety instructions rather than set a benign persona, instructions that follow the injected phrase requesting privilege escalation, data exfiltration, or access to restricted tools/resources, repeated or iterative attempts from the same user/role after being refused, and injected phrases originating from untrusted input (e.g., retrieved documents or tool output) rather than the human user turn.
Search
1`aws_bedrock_claude`
2
3| rename "identity.arn" AS user_arn, "input.inputBodyJson.messages{}.content{}.text" AS prompt_mv
4
5| eval prompt_text = mvjoin(prompt_mv, "
6|
7| ")
8
9| where isnotnull(prompt_text) AND isnotnull(user_arn)
10
11| rex field=user_arn "(?:assumed-role/[^/]+
12|user)/(?<user>[^\"/]+)$"
13
14| eval s_override = if(match(prompt_text,"(?i)\b(ignore
15|disregard
16|forget)\b.{0,30}\b(previous
17|above
18|prior
19|all
20|your
21|the)\s*(instructions?
22|prompts?
23|rules?
24|context)"),1,0)
25
26| eval s_jailbreak = if(match(prompt_text,"(?i)\b(jailbreak
27|jailbroken
28|\bDAN\b mode
29|do anything now
30|developer mode
31|unrestricted mode
32|no (filters
33|restrictions
34|guardrails))\b"),1,0)
35
36| eval s_probe = if(match(prompt_text,"(?i)(reveal
37|repeat
38|print
39|show
40|output).{0,20}(system prompt
41|your instructions
42|initial (prompt
43|instructions)
44|the (text
45|words) above)"),1,0)
46
47| eval s_persona = if(match(prompt_text,"(?i)\b(you are now
48|new persona
49|pretend (to be
50|you are)
51|roleplay as
52|act as (if you
53|an unrestricted))\b"),1,0)
54
55| eval s_weak = if(match(prompt_text,"(?i)\b(you must
56|from now on
57|act as
58|override
59|new rules
60|hypothetically)\b"),1,0)
61
62| eval signal_count = s_override+s_jailbreak+s_probe+s_persona+s_weak
63
64| where s_override=1 OR s_jailbreak=1 OR s_probe=1 OR signal_count >= 2
65
66| table _time, user, user_arn, modelId, prompt_text, host
67
68| sort - _time
69
70| `aws_bedrock_claude_possible_prompt_injection_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| AWS Bedrock Claude | 'json_no_timestamp' |
'aws_bedrock' |
Macros Used
| Name | Value |
|---|---|
| aws_bedrock_claude | (sourcetype="json_no_timestamp") |
| aws_bedrock_claude_possible_prompt_injection_filter | search * |
aws_bedrock_claude_possible_prompt_injection_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Finding (Notable) | No |
| Creates Intermediate Finding (Risk Event) | No |
Implementation
You must install and configure the Splunk Add-on for AWS (https://splunkbase.splunk.com/app/1876). Enable Amazon Bedrock model invocation logging in AWS so that Claude request/response payloads are delivered to S3 and/or CloudWatch Logs (see https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html for setup steps), then ingest those logs into Splunk via the AWS TA. Configure the aws_bedrock_claude macro to point to the index and sourcetype (json_no_timestamp) where these logs land.
Known False Positives
These phrases have a high benign base rate. Terms like "act as", "you must", "from now on", and "new persona" are commonly found in legitimate system prompts and few-shot examples used to steer model behavior, as well as in role-play or creative writing requests from users. A match on its own is not evidence of an attack; review the surrounding conversation, the message role (system vs. user vs. tool output), and whether the phrase is followed by a request to bypass safety controls or access sensitive data/tools before treating a hit as suspicious.
Associated Analytic Story
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | http:bulkawsbedrock |
json_no_timestamp |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub |
Version: 1